Since ProDiscover IR can selectively extract the hyberfile.sys live from the remote system, we can then process it using ProScript or other tools. ProDiscover already includes sample automation scripts (IRAC/IRAC2.pl) that handle this extraction. For some time I’ve wanted to write a ProScript that would parse the data into a more meaningful format. We just haven't had the time to do the R&D on the hyberfile.sys while working on the MS email formats.
The Sandman project should make it a bit easier to do for anyone willing. Take a look at http://www.darknet.org.uk/2008/05/sandman-read-the-windows-hibernation-file/ for more information.
Regards,
Christopher L. T. Brown, CISSP