Powering off the machine affects the two files differently. The data in pagefile.sys remains on disk after the system is shut down. The user can change this by enabling the clear-pagefile-at-shutdown option in the system settings, which wipes the contents of pagefile.sys every time the computer is turned off. Even with this setting enabled, however, an abnormal shutdown such as a crash or power loss will not clear the data, because the wipe only runs during an orderly shutdown.

For hiberfil.sys, the way the system is shut down affects what data the file retains. A study (https://cyberforensicator.com/wp-content/uploads/2016/12/modern-windows-hibernation.pdf) that tested different ways of shutting down the computer found that on Windows 7, putting the machine into hibernation with the “shutdown /h” command left more information in the file than shutting it down through the GUI or with the “shutdown /s” command. Specifically, for the second method the first page of the file was zeroed out during the resume process. On Windows 8 the hiberfil.sys file behaved differently again. After resuming from hibernation, the group used FTK to perform a live analysis of hiberfil.sys and found that the header signature had been changed and that all data after the first page had been zeroed out, leaving the file nearly useless for investigation. Running “shutdown /s” afterwards made no further change to the nearly empty file. Windows 8 also offers a hybrid hibernation mode, but in that mode hiberfil.sys held very little information, mostly relating to the kernel. On Windows 8 operating systems, then, hiberfil.sys is of limited use to investigators because much of its content is zeroed out and cannot be read.

I really recommend reading the PDF of the study if you want to understand the hiberfil.sys file in more depth. It gives a detailed explanation of the file format for each OS version and goes into more detail on how to analyse it.
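To turn the study's observations into a quick triage check, here is an added example (my own illustrative code, not taken from the study or from any forensic tool) that reads a hibernation file page by page, reports the header signature, and counts how many pages after the header are zero-filled. It assumes 4096-byte pages and that b"hibr" (Windows XP to 7) and b"HIBR" (Windows 8 and later) are the signatures of a live image; the sample files it builds are constructed stand-ins, and the b"XXXX" signature is a placeholder for the changed header the study saw, not the real value.

```python
import io
from typing import BinaryIO, Iterator

PAGE_SIZE = 4096
# Assumption: these are the signatures of a live hibernation file; any other value is
# treated as a header that was rewritten, e.g. during the resume process on Windows 8.
ACTIVE_SIGNATURES = {b"hibr", b"HIBR"}

def iter_pages(fh: BinaryIO, page_size: int = PAGE_SIZE) -> Iterator[bytes]:
    """Yield the file one page at a time so a multi-gigabyte image is never loaded whole."""
    while page := fh.read(page_size):
        yield page

def triage_hiberfil(fh: BinaryIO, max_pages: int = 1 << 20) -> dict:
    """Summarise the header signature and how much of the body is zero-filled."""
    pages = iter_pages(fh)
    header = next(pages, b"")
    body = zero_body = 0
    for body, page in enumerate(pages, start=1):
        zero_body += not any(page)  # counts a page made entirely of 0x00 bytes
        if body >= max_pages:       # cap the scan on very large files
            break
    sig = header[:4]
    return {"signature": sig, "active_image": sig in ACTIVE_SIGNATURES,
            "header_zeroed": not any(header), "body_pages": body,
            "zero_body_pages": zero_body}

def classify(report: dict) -> str:
    """Map the counts onto the three outcomes the study describes."""
    has_data = report["zero_body_pages"] < report["body_pages"]
    if report["active_image"] and has_data:
        return "intact image: parse with a hibernation-aware tool"
    if report["header_zeroed"] and has_data:
        return "header zeroed, body present: structured parse fails, carving may still work"
    return "body zeroed or unknown signature: little forensic value"

def triage_bytes(data: bytes) -> str:
    """Convenience wrapper for in-memory data (used by the constructed samples below)."""
    return classify(triage_hiberfil(io.BytesIO(data)))

def make_sample(signature: bytes, header_zeroed: bool, body_pages: int, body_zeroed: bool) -> bytes:
    """Constructed stand-in for a hiberfil.sys; not taken from any real system."""
    header = bytes(PAGE_SIZE) if header_zeroed else signature.ljust(PAGE_SIZE, b"\x01")
    body = bytes(PAGE_SIZE) if body_zeroed else bytes(range(256)) * (PAGE_SIZE // 256)
    return header + body * body_pages

if __name__ == "__main__":
    print(triage_bytes(make_sample(b"hibr", False, 8, False)))  # Windows 7, shutdown /h
    print(triage_bytes(make_sample(b"hibr", True, 8, False)))   # Windows 7, GUI or shutdown /s
    print(triage_bytes(make_sample(b"XXXX", False, 8, True)))   # Windows 8 after resume
```

On a real image, open the file with `open(path, "rb")` and pass the handle to `triage_hiberfil`; the page-by-page read keeps memory use flat regardless of file size.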

References:

https://kb.iu.edu/d/ahbb
https://www.howtogeek.com/126430/htg-explains-what-is-the-windows-page-file-and-should-you-disable-it/
https://www.neuber.com/taskmanager/process/hiberfil.sys.html
https://www.howtogeek.com/howto/15140/what-is-hiberfil.sys-and-how-do-i-delete-it/
https://www.dell.com/support/article/ag/en/agbsdt1/sln132593/how-to-clear-the-windows-server-paging-file-on-reboot?lang=en
https://cyberforensicator.com/wp-content/uploads/2016/12/modern-windows-hibernation.pdf
