Hello, if the Windows session is hibernated while WC is encrypting, or as soon as the ransom message appears, would hiberfil.sys possibly contain the primes and be analyzable offline?
I'm asking because the typical approach to improve chance of recovery of deleted files is to shut down the system asap, but wanakiwi requires the machine to not have been rebooted and the keys not overwritten in memory by other processes, so a memory snapshot could be the best bet.
Hello, if the Windows session is hibernated while WC is encrypting, or as soon as the ransom message appears, would hiberfil.sys possibly contain the primes and be analyzable offline? I'm asking because the typical approach to improve chance of recovery of deleted files is to shut down the system asap, but wanakiwi requires the machine to not have been rebooted and the keys not overwritten in memory by other processes, so a memory snapshot could be the best bet.