swsusp2bin: Utility to decompress Linux swsusp hibernation file

Comaeio Technologies has created a new tool to help with Linux forensics:

swsusp (Software Suspend) is a kernel feature/program which is part of the power management framework in the Linux kernel. It’s the default suspend framework as of kernel 3.8. To hibernate the system, type the following at a shell prompt as root: “systemctl hibernate”. This command saves the system state on the hard disk drive and powers off the machine. When you turn the machine back on, the system then restores its state from the saved data without having to boot again. Because the system state is saved on the hard disk and not in RAM, the machine does not have to maintain electrical power to the RAM module, but as a consequence, restoring the system from hibernation is significantly slower than restoring it from suspend mode.[…]



