Page File
Overview
Evidence: Page File
Description: Dump System Page File
Category: Memory
Platform: Windows
Short Name: pgf
Is Parsed: No - Raw pagefile
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Windows page file (pagefile.sys) is used by the virtual memory manager to swap memory pages to disk when physical RAM is full. The pagefile can contain remnants of process memory including credentials, encryption keys, and other sensitive data that was paged out.
The pagefile persists across reboots (unless configured to clear) and can contain historical memory artifacts.
Data Collected
Field        Description                  Example
Type         File type                    PageFile
Name         File name                    pagefile.sys
SourcePath   Original file path           C:\pagefile.sys
FilePath     Relative path in evidence    Files/pagefile.sys
FileSize     File size in bytes           8589934592
Collection Method
This collector collects the pagefile from C:\pagefile.sys (the default location).
Because the running system keeps pagefile.sys open, the file is read through the driver or via raw NTFS access when it is locked by the system.
Usage
Pagefiles can contain sensitive data that was swapped out of RAM. Investigators use this data for memory forensics and credential recovery, searching for passwords and keys, extracting process memory remnants, recovering network communication data, and identifying malware memory artifacts.
Known Limitations
Can be very large (often several GB)
Collection time depends on file size
Requires significant storage space
May require specialized memory forensics tools to analyze
Can be configured to clear on shutdown
Notes
Analyze pagefile.sys with memory forensics tools or bulk data analysis tools (grep, bulk_extractor). The pagefile can contain plaintext passwords, encryption keys, and other sensitive data.
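The searches described under Usage and Notes (strings, passwords and keys, network data), as an added triage example that is not part of the original page or of the collector itself: a Python scanner that pulls printable ASCII and UTF-16LE runs out of a collected pagefile, applies a few assumed indicator patterns (credential-looking key=value pairs, URLs, IPv4 addresses, e-mail addresses), and reads the file in overlapping chunks so that a multi-GB pagefile is never loaded into memory at once. The SAMPLE buffer, the pattern set and the helper names are constructed for this example and are not the project's own.

```python
import io
import re
from typing import BinaryIO, List, Tuple

# Minimum run length for a printable string to be worth reporting.
MIN_LEN = 6

# Windows process memory carries both ANSI and UTF-16LE text, so a remnant such
# as "pass" may sit in the pagefile as b"pass" or as b"p\x00a\x00s\x00s\x00".
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Assumed triage heuristics applied to each decoded string; they are not the
# collector's own rules and should be tuned to the case at hand.
INDICATORS = {
    "credential": re.compile(r"(?:password|passwd|pwd|secret|apikey)\s*[=:]\s*\S+", re.IGNORECASE),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

Hit = Tuple[int, str, str]  # (absolute byte offset, category, matched text)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return the printable ASCII and UTF-16LE runs in data, decoded to str."""
    ascii_runs = [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16-le") for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def find_indicators(data: bytes, base: int = 0) -> List[Hit]:
    """Scan one buffer; base is the buffer's offset within the whole pagefile."""
    hits: List[Hit] = []
    for run_re, codec, width in ((ASCII_RUN, "ascii", 1), (UTF16_RUN, "utf-16-le", 2)):
        for run in run_re.finditer(data):
            text = run.group().decode(codec)
            for category, rx in INDICATORS.items():
                for m in rx.finditer(text):
                    # Report the offset of the match itself, not just of the enclosing run.
                    hits.append((base + run.start() + m.start() * width, category, m.group()))
    return hits


def scan_stream(fh: BinaryIO, chunk_size: int = 64 * 1024 * 1024, overlap: int = 4096) -> List[Hit]:
    """Scan a pagefile stream chunk by chunk without loading it all into RAM.

    Consecutive chunks overlap by `overlap` bytes so strings crossing a chunk
    edge are still seen whole; hits repeated inside the overlap are dropped by
    (offset, category, text). A run cut by a chunk edge may be reported once
    truncated and once whole; the whole one is the useful one.
    """
    seen = set()
    results: List[Hit] = []
    tail = b""
    pos = 0
    while True:
        chunk = fh.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for hit in find_indicators(buf, base=pos - len(tail)):
            if hit not in seen:
                seen.add(hit)
                results.append(hit)
        pos += len(chunk)
        tail = buf[-overlap:]
    return results


def scan_file(path: str, **kwargs) -> List[Hit]:
    """Scan a collected pagefile on disk (e.g. Files/pagefile.sys in the evidence)."""
    with open(path, "rb") as fh:
        return scan_stream(fh, **kwargs)


def scan_bytes_chunked(data: bytes, **kwargs) -> List[Hit]:
    """Run the chunked path over an in-memory blob (useful for testing the boundaries)."""
    return scan_stream(io.BytesIO(data), **kwargs)


# Constructed stand-in for a slice of pagefile.sys: filler bytes with a few
# planted remnants (an ANSI credential string, a UTF-16LE URL, an HTTP request).
SAMPLE = (
    b"\x00" * 64
    + b"Password=Winter2024!\x00\x00"
    + b"\x17\x9a" * 20
    + "https://intranet.example.test/login".encode("utf-16-le")
    + b"\x00" * 8
    + b"GET /index.html HTTP/1.1\r\nHost: 10.0.0.5\r\n"
    + b"\xff" * 32
)

if __name__ == "__main__":
    # Small chunk and overlap values deliberately force several chunk boundaries.
    for offset, category, value in scan_bytes_chunked(SAMPLE, chunk_size=100, overlap=48):
        print(f"0x{offset:08x}  {category:10s} {value}")
```

On a real collection, `scan_file("Files/pagefile.sys")` walks the image with the default 64 MiB chunks; the offsets it reports can be fed straight back into a hex viewer or into bulk_extractor's output for context. The UTF-16LE pass matters because most strings in Windows process memory are wide, and an ASCII-only `strings`/`grep` run silently misses them.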