In particular, discussing its compressed state and an EnCase EnScript for parsing it.

Anyway, I do have one question. As I already got a version of SandMan, I kinda can’t get any info about reading hiberfil files… I mean, is it possible that I got incomplete copy of SandMan? I can’t manage to run it…
One more thing… for what I need it, I got my Win7 x64 on intel i5 in hibernation 3 times (without shutting it down meanwhile), and last time it didn’t wake up, just simply warned me about resume error and all-alone went to normal startup. It’s home version, because it’s original with the laptop, but as I use enterprise (win7 x64 on i7 desktop pc), I know that in enterprise there’s a choice to delete hibernation file, where I simply press ctrl+alt+del and sometimes I actually can resume from hibernation, even though at first windows said it failed. So, as it went to normal startup, of course everything that was opened was ”lost in time”, or better said, locked in hiberfil.sys. So, at first, I got out the disk and make a backup copy of both hiberfil.sys and pagefile.sys, so I do have them.
As I was reading around, there is kinda no way to force windows to resume hibernation from other hiberfil.sys files, as they said, there appears kernel error a few seconds after resuming. But, I actually once DID success in resuming hibernation from old file in windows xp sp2… I tried here on win7, but when I change the new hiberfil.sys with the olderone, windows doesnt even mention anything at all at startup, it simply goes to ”Starting windows”… Is there anything I missed? I mean, I searched all over the internet, and, I must confess, your post is kinda interesting and you surely do know much about computers, so I hope that you know at least any little peace of information that I need.
Since the kernel stop and that Windows is from Microsoft, I’m sure everyone who has at least any knowledge about their software knows, that there is NO WAY that they’d make hibernation process as simple as writing everything in hiberfil.sys. There are definitly other informations changed, as bootmgr, where is written the state of pc (hibernation or shutdown etc…), and some system files. So I’m pretty sure that there’s a way of prevent kernel error because of different (but still pretty fresh (not even 1 day old file) and from the same system with same hardware and software, except for time and date, but it can be changed) hiberfil files, also, Microsoft definly has such option left for a security reasons, forensics or any…
Are you maybe having any idea, since I can’t manage to get reply from Microsoft?
Or at least, how to get files such as unsaved printscreens in paint and photoshop, opened tabs in any of browsers, opened notepads (MS Word saves its backups), Cubase (audio tool) recordings, and all similar non-autosaving contents in different programs? It’s not only (also I’d be glad to have it back, but I can live without my tabs and print screens lost… that’s all I had) for me, I want to do at least one step forward in getting information about all this.
The reason I haven’t save my opened contents is autohibernation on low battery state (which is afterall really good ability for such cases… I have similar setting on my desktop pc, where I made myself sort of cheap ups, which holds up to 2 minutes, and in a case of power blackout small circuit made of a few transistors and ne555 timers triggers via secondary usb ”keyboard” (modified only with keyboard circuit) a shortcut to batch file which sends a pc into hibernation to save data. So, even in case of some attacks and so, hibernations kinda good ability for me… =)
I’d be glad to get your reply… =)

Bye, Marc