Swap File

Overview

Evidence: Swap File
Description: Dump System Swap File
Category: Memory
Platform: Windows
Short Name: swp
Is Parsed: No - Raw swap file
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The swap file (swapfile.sys) was introduced in Windows 8 to support Modern/Metro apps and improve performance. It works similarly to the pagefile but is specifically optimized for Windows Store apps and suspended app state.

Like the pagefile, the swap file can contain memory remnants including sensitive data that was swapped out.

Data Collected

Field        Description                 Example
Type         File type                   SwapFile
Name         File name                   swapfile.sys
SourcePath   Original file path          C:\swapfile.sys
FilePath     Relative path in evidence   Files/swapfile.sys
FileSize     File size in bytes          268435456

Collection Method

This collector collects the swap file from:

  • C:\swapfile.sys (default location)

Because the operating system keeps swapfile.sys locked while Windows is running, the file is collected through the driver or by raw NTFS access rather than through the normal file API.

Usage

Swap files can contain sensitive data from Windows Store apps and suspended processes. Investigators use this data for memory forensics on Windows 8+ systems, recovering app state information, extracting credentials from Modern apps, and analyzing suspended process memory.
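The collected swap file is raw memory, so the first analysis pass is usually to record its metadata (the fields listed under Data Collected) and carve printable strings before loading it into a dedicated memory-forensics tool. The script below is an added example, not part of this collector or its documentation: it builds the evidence record with the page's field names, adds a SHA-256 for later integrity verification (an addition, not a field the collector emits), and carves ASCII and UTF-16LE strings with their offsets. The sample bytes are constructed inline so it runs offline; the helper names are this example's own.

```python
"""Offline triage of a raw swapfile.sys dump (added example)."""
from __future__ import annotations

import hashlib
import re
from pathlib import Path

MIN_LEN = 8  # minimum printable run length worth reporting

# Constructed sample of what a swapped-out region might look like: zero
# padding with one ASCII fragment and one UTF-16LE fragment embedded.
SAMPLE_SWAP = (
    b"\x00" * 64
    + b"AppState:MailClient/Inbox"                      # ASCII at offset 64
    + b"\x00" * 32
    + "C:\\Users\\alice\\AppData".encode("utf-16-le")   # UTF-16LE at offset 121
    + b"\xff" * 16
    + b"ab"                                             # too short to report
    + b"\x00" * 8
)

# Printable ASCII runs, and printable characters interleaved with NUL bytes
# (the UTF-16LE encoding Windows uses for most in-memory strings).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def evidence_record(data: bytes, source_path: str = r"C:\swapfile.sys") -> dict:
    """Build the metadata record with the field names shown on the page,
    plus a SHA-256 (added here) so the copy can be verified against the
    original later in the investigation."""
    name = source_path.rsplit("\\", 1)[-1]
    return {
        "Type": "SwapFile",
        "Name": name,
        "SourcePath": source_path,
        "FilePath": f"Files/{name}",
        "FileSize": len(data),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def carve_strings(data: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least
    MIN_LEN characters in ASCII or UTF-16LE, sorted by offset."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


if __name__ == "__main__":
    import sys

    # Pass the collected copy (e.g. Files/swapfile.sys) as the first argument,
    # otherwise the constructed sample is analysed.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_SWAP
    for key, value in evidence_record(data).items():
        print(f"{key}: {value}")
    for offset, encoding, text in carve_strings(data):
        print(f"0x{offset:08x} {encoding:8s} {text}")
```

A real swap file is typically a few hundred megabytes (the example size on this page is 256 MiB), which read_bytes() handles in memory on an analysis workstation; the UTF-16LE pattern matters because Windows app state and paths are stored that way and are invisible to an ASCII-only strings pass.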

Known Limitations

  • Only present on Windows 8 and later

  • Typically smaller than pagefile

  • May not exist if disabled

  • Requires memory forensics tools to analyze

Notes

The swap file is generally smaller than the pagefile but can still contain valuable forensic artifacts, especially related to Windows Store apps and UWP applications.
