Pagefile.sys - Revision history

Joachim Metz: /* External Links */

2012-08-16T06:29:19Z

‎External Links

Joachim Metz at 06:28, 16 August 2012

2012-08-16T06:28:56Z

Joachim Metz: /* External Links */

2012-08-16T05:55:03Z

‎External Links

Joachim Metz: /* External Links */

2012-08-16T05:54:46Z

‎External Links

Joachim Metz at 05:50, 16 August 2012

2012-08-16T05:50:51Z

.FUF at 10:19, 28 September 2008

2008-09-28T10:19:54Z

Jessek at 12:39, 21 April 2007

2007-04-21T12:39:25Z

Jessek: Fixed formatting

2007-04-08T12:09:09Z

Fixed formatting

Jessek: New page: Microsoft Windows uses a '''paging file''', called `pagefile.sys` to store frames of memory that do not current fit into physical memory. Although Windows supports up to 16 ...

2007-04-08T12:08:46Z

New page: Microsoft Windows uses a '''paging file''', called <tt>pagefile.sys</tt> to store frames of memory that do not current fit into physical memory. Although Windows supports up to 16 ...

New page

Microsoft [[Windows]] uses a '''paging file''', called <tt>pagefile.sys</tt> to store frames of memory that do not current fit into [[physical memory]]. Although Windows supports up to 16 paging files, in practice normally only one is used. This file, stored in <tt>%SystemDrive%\pagefile.sys</tt> is a hidden system file. Because the operating system keeps this file open during normal operation, it can never be read or accessed by a user. It is possible to read this file by parsing the raw file system (e.g. using [[The Sleuth Kit]]).

== Analysis Options ==

Data is stored in the paging file when Windows determines that it needs more space in physical memory. Because storage locations in the paging file are not necessarily sequential, it is unlikely to find consecutive pages there. Although it is possible to find data in chunks smaller than or equal to 4KB, its the largest an examiner can hope for.

Sadly, the most productive method to date for analyzing paging files is searching for [[strings]]. It is possible to [[Carving|carve out files]], but as noted the examiner is unlikely to find anything larger than 4KB.

== External Links ==

* [[Nicholas Maclean]] published his thesis on [[Windows Memory Analysis|Windows memory analysis]] and discussed the paging file. Unfortunately the document does not appear to be online anymore.
* ''[http://www.jessekornblum.com/research/papers/buffalo.pdf Using Every Part of the Buffalo in Windows Memory Analysis] - A paper discussing the different states of memory including where to find data in the paging file
* ''[http://www.microsoft.com/MSPress/books/6710.aspx Microsoft Windows Internals]'' - An excellent guide to the inner workings of Microsoft Windows

@@ Line 13: / Line 13: @@
 * [http://www.4tphi.net/fatkit/papers/NickMaclean2006.pdf Acquisition and Analysis of Windows Memory], by [[Nicholas Maclean]] in 2006. Thesis on [[Windows Memory Analysis|Windows memory analysis]] and discusses the paging file.
-* [http://jessekornblum.com/publications/di07.pdf Using Every Part of the Buffalo in Windows Memory Analysis], by [[Jesse Kornblum]] in 2006. A paper discussing the different states of memory including where to find data in the paging file
+* [http://jessekornblum.com/publications/di07.pdf Using Every Part of the Buffalo in Windows Memory Analysis], by [[Jesse Kornblum]] in 2006. A paper discussing the different states of memory including where to find data in the paging file.
-* [http://www.microsoft.com/MSPress/books/6710.aspx Microsoft Windows Internals] - An excellent guide to the inner workings of Microsoft Windows
+* [http://www.microsoft.com/MSPress/books/6710.aspx Microsoft Windows Internals] - An excellent guide to the inner workings of Microsoft Windows.
 [[Category:Memory Analysis]]

@@ Line 13: / Line 13: @@
 * [http://www.4tphi.net/fatkit/papers/NickMaclean2006.pdf Acquisition and Analysis of Windows Memory], by [[Nicholas Maclean]] in 2006. Thesis on [[Windows Memory Analysis|Windows memory analysis]] and discusses the paging file.
-* ''[http://www.jessekornblum.com/research/papers/buffalo.pdf Using Every Part of the Buffalo in Windows Memory Analysis]'' - A paper discussing the different states of memory including where to find data in the paging file
+* [http://jessekornblum.com/publications/di07.pdf Using Every Part of the Buffalo in Windows Memory Analysis], by [[Jesse Kornblum]] in 2006. A paper discussing the different states of memory including where to find data in the paging file
-* ''[http://www.microsoft.com/MSPress/books/6710.aspx Microsoft Windows Internals]'' - An excellent guide to the inner workings of Microsoft Windows
+* [http://www.microsoft.com/MSPress/books/6710.aspx Microsoft Windows Internals] - An excellent guide to the inner workings of Microsoft Windows
 [[Category:Memory Analysis]]

@@ Line 12: / Line 12: @@
 == External Links ==
-* [http://www.4tphi.net/fatkit/papers/NickMaclean2006.pdf Acquisition and Analysis of Windows Memory], by [[Nicholas Maclean]] in 2006. Thesis on [[Windows Memory Analysis|Windows memory analysis]] and discussed the paging file.
+* [http://www.4tphi.net/fatkit/papers/NickMaclean2006.pdf Acquisition and Analysis of Windows Memory], by [[Nicholas Maclean]] in 2006. Thesis on [[Windows Memory Analysis|Windows memory analysis]] and discusses the paging file.
 * ''[http://www.jessekornblum.com/research/papers/buffalo.pdf Using Every Part of the Buffalo in Windows Memory Analysis]'' - A paper discussing the different states of memory including where to find data in the paging file
 * ''[http://www.microsoft.com/MSPress/books/6710.aspx Microsoft Windows Internals]'' - An excellent guide to the inner workings of Microsoft Windows
 [[Category:Memory Analysis]]

@@ Line 12: / Line 12: @@
 == External Links ==
-* [[Nicholas Maclean]] published his thesis on [[Windows Memory Analysis|Windows memory analysis]] and discussed the paging file. Unfortunately the document does not appear to be online anymore.
+* [http://www.4tphi.net/fatkit/papers/NickMaclean2006.pdf Acquisition and Analysis of Windows Memory], by [[Nicholas Maclean]] in 2006. Thesis on [[Windows Memory Analysis|Windows memory analysis]] and discussed the paging file.
 * ''[http://www.jessekornblum.com/research/papers/buffalo.pdf Using Every Part of the Buffalo in Windows Memory Analysis]'' - A paper discussing the different states of memory including where to find data in the paging file
 * ''[http://www.microsoft.com/MSPress/books/6710.aspx Microsoft Windows Internals]'' - An excellent guide to the inner workings of Microsoft Windows
 [[Category:Memory Analysis]]

← Older revision		Revision as of 05:50, 16 August 2012
Line 15:		Line 15:
	* ''[http://www.jessekornblum.com/research/papers/buffalo.pdf Using Every Part of the Buffalo in Windows Memory Analysis]'' - A paper discussing the different states of memory including where to find data in the paging file		* ''[http://www.jessekornblum.com/research/papers/buffalo.pdf Using Every Part of the Buffalo in Windows Memory Analysis]'' - A paper discussing the different states of memory including where to find data in the paging file
	* ''[http://www.microsoft.com/MSPress/books/6710.aspx Microsoft Windows Internals]'' - An excellent guide to the inner workings of Microsoft Windows		* ''[http://www.microsoft.com/MSPress/books/6710.aspx Microsoft Windows Internals]'' - An excellent guide to the inner workings of Microsoft Windows
		+
		+	[[Category:Memory Analysis]]

@@ Line 1: / Line 1: @@
-Microsoft [[Windows]] uses a '''paging file''', called <tt>pagefile.sys</tt> to store frames of memory that do not current fit into [[physical memory]]. Although Windows supports up to 16 paging files, in practice normally only one is used. This file, stored in <tt>%SystemDrive%\pagefile.sys</tt> is a hidden system file. Because the operating system keeps this file open during normal operation, it can never be read or accessed by a user. It is possible to read this file by parsing the raw file system (e.g. using [[The Sleuth Kit]]).
+Microsoft [[Windows]] uses a '''paging file''', called <tt>pagefile.sys</tt>, to store frames of memory that do not current fit into [[physical memory]]. Although Windows supports up to 16 paging files, in practice normally only one is used. This file, stored in <tt>%SystemDrive%\pagefile.sys</tt> is a hidden system file. Because the operating system keeps this file open during normal operation, it can never be read or accessed by a user. It is possible to read this file by parsing the raw file system (e.g. using [[The Sleuth Kit]]).
 == Analysis Options ==
-Data is stored in the paging file when Windows determines that it needs more space in physical memory. Because storage locations in the paging file are not necessarily sequential, it is unlikely to find consecutive pages there. Although it is possible to find data in chunks smaller than or equal to 4KB, its the largest an examiner can hope for.
+Data is stored in the paging file when [[Windows]] determines that it needs more space in physical memory. Because storage locations in the paging file are not necessarily sequential, it is unlikely to find consecutive pages there. Although it is possible to find data in chunks smaller than or equal to 4KB, its the largest an examiner can hope for.
 Sadly, the most productive method to date for analyzing paging files is searching for [[strings]]. It is possible to [[Carving|carve out files]], but as noted the examiner is unlikely to find anything larger than 4KB.

← Older revision		Revision as of 12:39, 21 April 2007
Line 6:		Line 6:

	Sadly, the most productive method to date for analyzing paging files is searching for [[strings]]. It is possible to [[Carving\|carve out files]], but as noted the examiner is unlikely to find anything larger than 4KB.		Sadly, the most productive method to date for analyzing paging files is searching for [[strings]]. It is possible to [[Carving\|carve out files]], but as noted the examiner is unlikely to find anything larger than 4KB.
		+
		+	== See Also ==
		+	* [[Windows Memory Analysis]]

	== External Links ==		== External Links ==

Pagefile.sys - Revision history

Joachim Metz: /* External Links */

Joachim Metz at 06:28, 16 August 2012

Joachim Metz: /* External Links */

Joachim Metz: /* External Links */

Joachim Metz at 05:50, 16 August 2012

.FUF at 10:19, 28 September 2008

Jessek at 12:39, 21 April 2007

Jessek: Fixed formatting

Jessek: New page: Microsoft Windows uses a '''paging file''', called pagefile.sys to store frames of memory that do not current fit into physical memory. Although Windows supports up to 16 ...

Jessek: New page: Microsoft Windows uses a '''paging file''', called `pagefile.sys` to store frames of memory that do not current fit into physical memory. Although Windows supports up to 16 ...