Page File
Overview
Evidence: Page File
Description: Dump system page file
Category: Memory
Platform: windows
Short Name: pgf
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The Windows page file (pagefile.sys) is used by the virtual memory manager to swap memory pages to disk when physical RAM is full. The pagefile can contain remnants of process memory including credentials, encryption keys, and other sensitive data that was paged out.
The pagefile persists across reboots (unless configured to clear) and can contain historical memory artifacts.
Data Collected
This collector gathers structured data about the page file.
Page File Data
| Field | Description | Example |
| --- | --- | --- |
| Type | File type | PageFile |
| Name | File name | pagefile.sys |
| SourcePath | Original file path | C:\pagefile.sys |
| FilePath | Relative path in evidence | Files/pagefile.sys |
| FileSize | File size in bytes | 8589934592 |
Collection Method
This collector collects the pagefile from:
C:\pagefile.sys (default location)
If the file is locked by the system, it is collected using a driver or raw NTFS access.
Forensic Value
Pagefiles can contain sensitive data that was swapped out of RAM. Investigators use this data for memory forensics and credential recovery, searching for passwords and keys, extracting process memory remnants, recovering network communication data, and identifying malware memory artifacts.
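A page-level triage pass over a collected page file, as an added example that is not part of the original page or the collector's own code: it counts zero and high-entropy pages and carves ASCII and UTF-16LE strings that match investigator-supplied keywords. The 4-page image, the keywords and the 7.0 entropy threshold are constructed for illustration; in practice the stream would be the collected Files/pagefile.sys opened in binary mode.

```python
import hashlib
import io
import math
import re
from collections import Counter

PAGE_SIZE = 4096  # small-page size on x86/x64 Windows
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")          # 6+ printable ASCII bytes
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # same text stored as UTF-16LE

def entropy(page: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(page)
    return -sum(c / n * math.log2(c / n) for c in Counter(page).values())

def triage(stream, keywords):
    """Walk the image page by page; return (summary, keyword hits)."""
    summary = {"pages": 0, "zero": 0, "high_entropy": 0}
    hits, offset = [], 0
    needles = [k.lower() for k in keywords]
    while page := stream.read(PAGE_SIZE):
        summary["pages"] += 1
        if page.count(0) == len(page):
            summary["zero"] += 1  # never used, or cleared
        else:
            if entropy(page) > 7.0:  # threshold is an assumption of this example
                summary["high_entropy"] += 1  # likely compressed or encrypted
            # Carve per page: neighbouring pages may belong to different processes.
            found = [m.group().decode("ascii") for m in ASCII_RE.finditer(page)]
            found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(page)]
            hits += [(offset, s) for s in found if any(n in s.lower() for n in needles)]
        offset += len(page)
    return summary, hits

def build_sample() -> io.BytesIO:
    """Constructed 4-page image standing in for a collected pagefile.sys."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    return io.BytesIO(
        bytes(PAGE_SIZE)
        + b"GET /update.bin HTTP/1.1\r\nHost: example.test".ljust(PAGE_SIZE, b"\x00")
        + r"C:\Users\Public\sample.exe".encode("utf-16-le").ljust(PAGE_SIZE, b"\x00")
        + noise
    )

if __name__ == "__main__":
    summary, hits = triage(build_sample(), ["http/1.1", "sample.exe"])
    print(summary)
    for off, s in hits:
        print(f"0x{off:08x}  {s}")
```

Each hit carries the byte offset of its page, so the surrounding 4 KiB can be pulled from the evidence file for closer review.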

