Posts

Showing posts from December, 2019

A short write up on windows page file forensics

I am going to do a short write-up on page file forensics. As I write my posts with newbies in mind, I will first explain, in layman's terms, a few points that are important for understanding this post.

What is a page file?

In Windows NT, when RAM becomes full, the operating system uses your hard drive as virtual RAM and starts placing your data in a page file, which is called pagefile.sys in Windows NT. Even though reading and writing data in the page file is slower than in actual RAM, it is still better than crashing your program. This works on the principle of paging, a memory management technique; if you want to learn more about paging, you can read about it here.

Investigating the page file to retrieve artifacts

Since the page file holds data used by the operating system, we can make a copy of it (there are other ways to do this as well) and search it for useful information that can lead an investigator to take his next deci