- Original path:
profiles/modules/memory/hibernation.toml
# Hibernation Files Module
# Collects hibernation and sleep state files
[module]
name = "Hibernation Files"
description = "Hibernation files, swap files, and sleep state data"
category = "memory"
platform = ["windows", "linux", "macos"]
priority = "high"
# Windows Hibernation File
[[patterns]]
name = "Windows Hibernation File"
pattern = "(?:^|[/\\\\])hiberfil\\.sys$"
case-insensitive = true
type = "regex"
# Windows Page File (Virtual Memory)
[[patterns]]
name = "Windows Page File"
pattern = "(?:^|[/\\\\])pagefile\\.sys$"
case-insensitive = true
type = "regex"
# Windows Swap File
[[patterns]]
name = "Windows Swap File"
pattern = "(?:^|[/\\\\])swapfile\\.sys$"
case-insensitive = true
type = "regex"
# Linux Swap
[[patterns]]
name = "Linux Swap Partition"
pattern = "(?:^|[/])swap(?:\\.[0-9]+)?$"
case-insensitive = true
type = "regex"
[[patterns]]
name = "Linux Swap File"
pattern = "\\.swap$"
case-insensitive = true
type = "regex"
[[patterns]]
name = "Linux Swapfile"
pattern = "(?:^|[/])swapfile$"
case-insensitive = true
type = "regex"
# macOS Sleep Image
[[patterns]]
name = "macOS Sleep Image"
pattern = "sleepimage$"
case-insensitive = true
type = "regex"
# macOS Hibernate Mode
[[patterns]]
name = "macOS VM Directory"
pattern = "/private/var/vm/"
case-insensitive = false
type = "regex"
# Compressed Hibernation
[[patterns]]
name = "Compressed Hibernation"
pattern = "hiber(?:file|nation).*\\.(?:gz|xz|lz4)$"
case-insensitive = true
type = "regex"
# UEFI/EFI Variables (may contain boot state info)
[[patterns]]
name = "EFI Variables"
pattern = "/sys/firmware/efi/efivars/"
case-insensitive = false
type = "regex"