Difference between revisions of "Pagefile.sys"

From ForensicsWiki
m (Fixed formatting)
Revision as of 08:39, 21 April 2007

Microsoft Windows uses a paging file, called pagefile.sys, to store frames of memory that do not currently fit into physical memory. Although Windows supports up to 16 paging files, in practice normally only one is used. This file, stored at %SystemDrive%\pagefile.sys, is a hidden system file. Because the operating system keeps this file open during normal operation, a user cannot read or copy it through the normal file API while Windows is running. It is possible to read this file by parsing the raw file system (e.g. using The Sleuth Kit).

Analysis Options

Data is written to the paging file when Windows determines that it needs more space in physical memory. Because storage locations in the paging file are not necessarily sequential, an examiner is unlikely to find consecutive pages of one process's memory there. Data can be found in chunks smaller than or equal to 4KB (one page), but that is the largest contiguous unit an examiner can hope for.

Sadly, the most productive method to date for analyzing paging files is searching for strings. It is possible to carve out files, but as noted above the examiner is unlikely to recover anything larger than 4KB.
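As an added example (not code from ForensicsWiki), the following Python script applies the string-search approach in a page-aware way: it scans a pagefile image in 4KB pages, skips zero-filled pages, and reports each ASCII or UTF-16LE string with the page number and byte offset where it was found. Matches are never allowed to cross a page boundary, because neighbouring pages in a paging file need not belong to the same process or the same moment in time. The sample image, the strings in it and the file name in the docstring are constructed for the example; on a real case you would pass the path of a pagefile.sys extracted from a disk image with a raw file-system parser.

```python
"""Page-aware string extraction over a pagefile.sys image (added example)."""
import re
import sys
from typing import List, Tuple

PAGE_SIZE = 4096  # Windows pages memory out to pagefile.sys in 4 KiB frames


def build_sample_pagefile() -> bytes:
    """Constructed three-page image standing in for a real pagefile.sys.

    Page 0 holds one ASCII and one UTF-16LE string, page 1 is zero-filled,
    page 2 holds a file header whose continuation is not on the next page
    (the rest of that file was never paged out), illustrating the 4KB limit."""
    page0 = bytearray(PAGE_SIZE)
    ascii_str = b"user=alice@example.com"                       # constructed
    page0[16:16 + len(ascii_str)] = ascii_str
    wide = "C:\\Users\\alice\\secret.docx".encode("utf-16-le")  # constructed
    page0[512:512 + len(wide)] = wide
    page1 = bytes(PAGE_SIZE)
    page2 = bytearray(PAGE_SIZE)
    header = b"%PDF-1.4 fragment"                               # constructed
    page2[:len(header)] = header
    return bytes(page0) + page1 + bytes(page2)


def extract_strings(image: bytes, min_len: int = 8) -> List[Tuple[int, int, str, str]]:
    """Return (page_no, byte_offset, encoding, text) for every string found.

    Each page is scanned on its own, so a match can never straddle a page
    boundary: adjacent pages in a paging file are not necessarily related."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text of Latin characters is a printable byte followed by 0x00
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for page_no in range(len(image) // PAGE_SIZE):
        base = page_no * PAGE_SIZE
        page = image[base:base + PAGE_SIZE]
        if not any(page):          # all-zero page: nothing was ever paged here
            continue
        for m in ascii_re.finditer(page):
            found.append((page_no, base + m.start(), "ascii",
                          m.group().decode("ascii")))
        for m in utf16_re.finditer(page):
            found.append((page_no, base + m.start(), "utf-16le",
                          m.group().decode("utf-16-le")))
    return found


if __name__ == "__main__":
    # Usage: python pagefile_strings.py [path/to/extracted/pagefile.sys]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_pagefile()
    for page_no, offset, enc, text in extract_strings(data):
        print(f"page {page_no:6d} offset 0x{offset:08x} {enc:8s} {text}")
```

The page number in the output is the unit of recovery: everything in one page was resident together, but the page before or after it may come from a different process entirely, which is why the script reports hits per page rather than attempting to join them.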

See Also

External Links