An Intro to Pagefile Forensics

Shaquib Izhar
3 min read · Nov 28, 2021

In this short write-up, we will learn what a pagefile is and how pagefile forensics can help an investigator recover digital evidence from the operating system.

What is a Pagefile?

In Windows NT, when RAM becomes full, the operating system uses your hard drive as virtual RAM and starts placing your data in a page file, which is called pagefile.sys in Windows NT. Even though reading and writing data from the page file is slower than actual RAM, it is still better than crashing your program. This principle is based on paging, a memory management technique; if you want to learn more about paging, you can read about it here.

Investigating Pagefile to retrieve artifacts

Since the page file holds data used by the operating system, we can make a copy of it (there are other ways to do this as well) and search it for useful information that can guide the investigator's next decision.

Below we can see that pagefile.sys is 7.9 GB in size (this depends on the space the user specified).

I am going to use the strings command, which is built into many Linux distributions, and grep with regular expressions to fetch URLs, email addresses, directories, etc.

So first I will extract all the URLs from this pagefile by running:

strings pagefile.sys | egrep "^https?://" | less

And I got all the URLs from this pagefile.

There are more URLs than this, but I think this should be enough to give an example of how this works.


Now I will fetch directories from this page file using egrep and a regex by running (the doubled backslashes are needed because the shell and egrep each consume one level of escaping):

strings pagefile.sys | egrep -i "^[a-z]:\\\\" | less

And below you can see file paths/directories from this page file.

And last we will grep all the email addresses from this page file. For this, use this command (the pattern is written as plain POSIX ERE, since egrep does not support stacked or lazy quantifiers):

strings pagefile.sys | egrep '[[:alnum:]_.-]{1,64}@[[:alnum:]_.-]{2,255}\.[[:alpha:]]{2,4}'

And I got the emails

So by using this technique we can also recover sensitive information that is useful when investigating the case.
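The same three-step carve (extract printable strings, then match URLs, drive paths and email addresses) as a self-contained Python script, added here as an example and not part of the original post. It runs on a small constructed byte blob standing in for a pagefile slice, and also picks up UTF-16LE strings, which Windows uses heavily and which plain `strings` skips unless run with `-e l`.

```python
import re

# Constructed sample standing in for a slice of pagefile.sys: ASCII text,
# one UTF-16LE string (common in Windows memory) and binary noise in between.
SAMPLE = (
    b"\x00\x01\xff\x10https://example.com/login?user=alice\x00\x7f\x02"
    + b"C:\\Users\\alice\\Documents\\report.docx\x00\xde\xad"
    + "alice@example.com".encode("utf-16-le") + b"\x00\x00\x90\x90"
    + b"D:\\Tools\\strings.exe\x00bob@mail.example.org\x00"
    + b"http://intranet.local/page\x00"
)

MIN_LEN = 4  # same default minimum length as the strings command


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Yield printable runs the way `strings` does, for ASCII and for
    UTF-16LE (the latter is what `strings -e l` finds; plain `strings` does not)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")


# The three patterns from the walkthrough, rewritten for Python's re module
# (no POSIX classes) and searched anywhere in a string, not only at its start.
PATTERNS = {
    "urls": re.compile(r"https?://\S+"),
    "paths": re.compile(r'[A-Za-z]:\\[^\r\n\t"*<>|?]+'),
    "emails": re.compile(r"[A-Za-z0-9_.-]{1,64}@[A-Za-z0-9_.-]{2,255}\.[A-Za-z]{2,4}"),
}


def carve(data: bytes) -> dict:
    """Return a sorted, de-duplicated list of hits per artifact category."""
    found = {name: set() for name in PATTERNS}
    for text in extract_strings(data):
        for name, pattern in PATTERNS.items():
            found[name].update(pattern.findall(text))
    return {name: sorted(hits) for name, hits in found.items()}


if __name__ == "__main__":
    # On a real image: carve(open("pagefile.sys", "rb").read()) -- or read it
    # in chunks, since a multi-GB pagefile will not fit comfortably in memory.
    for name, hits in carve(SAMPLE).items():
        print(name, hits)
```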

You can also use CyberChef to build the regex for these commands.
