Day 5 of Windows Forensic Examinations: Pagefile, Swapfile & Hiberfil

On day 5 we dove into some more Windows artifacts, mainly the Windows Pagefile, Swapfile, and Hibernation file.

Pagefile

The Pagefile is a physical extension of Random Access Memory (RAM). In Windows, when the RAM reaches capacity the system moves idle data out to pagefile.sys (located on the hard disk) to free up space. The pagefile.sys is located at %SYSTEMDRIVE%\pagefile.sys and may contain information related to user activity.

Swapfile

The Swapfile is similar to the Pagefile in that both use space on the hard drive as temporary storage when the RAM reaches capacity. The difference is that, starting in Windows 10 and later, the Swapfile works exclusively with applications downloaded from the Microsoft Store. Inactive applications are moved to swapfile.sys, where they remain idle and preserved so the application can resume once it is needed again. Together, the Pagefile and the Swapfile ensure that there is enough free RAM for the system to work without issue. The swapfile.sys is located in the same place as the pagefile.sys, at %SYSTEMDRIVE%\swapfile.sys, and may also contain information related to user activity.

Hibernation Files (Hiberfil)

When a laptop is closed it enters hibernation mode. Windows stores the active contents of memory in a hibernation file named hiberfil.sys. When the laptop is opened again, hiberfil.sys is used to restore the system to its previous state. The hiberfil.sys is located at %SYSTEMDRIVE%\hiberfil.sys and contains a copy of system memory at the time the machine was placed in hibernation, along with NTFS records, Recycle Bin artifacts, and more.
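All three files are worth examining for the same reason: they hold raw fragments of memory, and memory is where URLs, file paths, document text and other traces of user activity live. A quick first pass an examiner makes over a copy of pagefile.sys, swapfile.sys or hiberfil.sys is string carving. The script below is an added example (not code from the original post) showing that pass in Python. It carves both ASCII and UTF-16LE runs, because Windows stores most of its strings as UTF-16LE and a plain `strings` run that only looks for ASCII misses them, then filters the carved runs for indicators (URLs, drive-letter paths, e-mail addresses). The `SAMPLE` blob is a constructed stand-in for a pagefile fragment; the `MIN_LEN` threshold and the indicator patterns are the author's assumptions, not anything from the post.

```python
"""Carve printable ASCII and UTF-16LE strings from a raw memory-style blob
(pagefile.sys, swapfile.sys, hiberfil.sys or a fragment of one) and pick out
the runs that look like user-activity indicators."""
import re
import sys
from typing import Iterator, List, Tuple

# Minimum run length before a byte sequence counts as a "string" (assumption;
# tune it up to cut noise or down to catch short tokens).
MIN_LEN = 6

# ASCII: runs of printable characters (0x20-0x7E) plus tab.
_ASCII_RE = re.compile(rb"[\x20-\x7e\t]{%d,}" % MIN_LEN)
# UTF-16LE: a printable ASCII character followed by a NUL byte, repeated.
# This is how Windows stores most strings, so carving only ASCII misses them.
_UTF16_RE = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % MIN_LEN)

# Indicators an examiner typically greps for: URLs, drive-letter paths,
# e-mail addresses (assumed patterns, extend as needed).
_INDICATOR_RE = re.compile(
    r"(https?://\S+|[A-Za-z]:\\[^\x00\"<>|]+|[\w.+-]+@[\w-]+\.[\w.]+)"
)


def carve_strings(blob: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every string run found in the blob."""
    for m in _ASCII_RE.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in _UTF16_RE.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_indicators(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return carved strings that match an indicator pattern, sorted by offset."""
    hits = []
    for offset, enc, text in carve_strings(blob):
        if _INDICATOR_RE.search(text):
            hits.append((offset, enc, text))
    return sorted(hits)


# Constructed sample: non-printable filler, one ASCII URL, a gap of NULs,
# one UTF-16LE path, then noise whose printable runs are too short to match.
SAMPLE = (
    b"\x00\xff\x12\x03" * 8                                   # 32 bytes of filler
    + b"https://example.test/login?user=alice"                  # ASCII, offset 32
    + b"\x00" * 16
    + "C:\\Users\\alice\\Documents\\report.docx".encode("utf-16le")  # offset 85
    + b"\x90\x90\x90ab\x00cd\x00" * 4                          # noise, no match
)


def main(argv: List[str]) -> int:
    """Usage: carve.py <file>   (with no argument, runs on the constructed SAMPLE)."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    for offset, enc, text in find_indicators(blob):
        print(f"0x{offset:08x}  {enc:<8}  {text}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two practical caveats when pointing this at the real files. All three are locked while Windows is running, so the input has to come from a disk image or a forensic copy, not the live %SYSTEMDRIVE%. And from Windows 8 onward the hibernation file is stored compressed, so a plain string pass over hiberfil.sys recovers little; it needs to be decompressed into a raw memory image by a tool that understands the format before carving or analysis will give useful results. The pagefile and swapfile are not compressed and carve as shown.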
