Page File
Overview
Evidence: Page File
Description: Dump system page file
Category: Memory
Platform: windows
Short Name: pgf
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The Windows page file (pagefile.sys) is used by the virtual memory manager to swap memory pages to disk when physical RAM is full. The pagefile can contain remnants of process memory including credentials, encryption keys, and other sensitive data that was paged out.
The pagefile persists across reboots (unless configured to clear) and can contain historical memory artifacts.
Data Collected
This collector gathers structured data about the page file.
Page File Data
| Field | Description | Example |
|---|---|---|
| Type | File type | PageFile |
| Name | File name | pagefile.sys |
| SourcePath | Original file path | C:\pagefile.sys |
| FilePath | Relative path in evidence | Files/pagefile.sys |
| FileSize | File size in bytes | 8589934592 |
Collection Method
This collector collects the pagefile from:
C:\pagefile.sys (default location)
If the file is locked by the system, it is collected using the driver or raw NTFS access.
Forensic Value
Pagefiles can contain sensitive data that was swapped out of RAM. Investigators use this data for memory forensics and credential recovery, searching for passwords and keys, extracting process memory remnants, recovering network communication data, and identifying malware memory artifacts.
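Because this collector does not parse the pagefile (Is Parsed: No), the string searching described above happens on the analyst's side. The following is an added example, not code from the collector or its project, of the usual first pass over a collected pagefile.sys: extract printable ASCII and UTF-16LE runs with their byte offsets, then filter them for keywords of interest. It scans the file in chunks with a bounded carry-over so that a string straddling a chunk boundary is not split, which matters for a multi-gigabyte pagefile that cannot be read into memory at once. The sample bytes, the keyword list, and all function names are constructed for this example.

```python
from __future__ import annotations

import io
import re
from dataclasses import dataclass
from typing import BinaryIO, Iterator

PRINTABLE = set(range(0x20, 0x7F))  # printable 7-bit ASCII


@dataclass(frozen=True)
class Hit:
    offset: int    # byte offset of the string in the file
    encoding: str  # "ascii" or "utf-16le"
    text: str


def _patterns(min_len: int) -> tuple[re.Pattern[bytes], re.Pattern[bytes]]:
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text of ASCII characters: each char is followed by a NUL byte
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return ascii_re, utf16_re


def extract_strings(data: bytes, min_len: int = 6, base: int = 0) -> list[Hit]:
    """Return all ASCII and UTF-16LE strings in `data`, offsets relative to `base`."""
    ascii_re, utf16_re = _patterns(min_len)
    hits = [Hit(base + m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_re.finditer(data)]
    hits += [Hit(base + m.start(), "utf-16le", m.group().decode("utf-16le"))
             for m in utf16_re.finditer(data)]
    return sorted(hits, key=lambda h: h.offset)


def scan_stream(fobj: BinaryIO, min_len: int = 6, chunk_size: int = 1 << 20,
                max_carry: int = 4096) -> Iterator[Hit]:
    """Stream a large file chunk by chunk without splitting strings at chunk edges.

    The trailing run of bytes that could still be part of a string (printable
    bytes or the NULs of UTF-16LE text) is carried into the next chunk; the
    carry is capped at `max_carry`, so only strings longer than that can split.
    """
    carry = b""
    base = 0  # file offset of carry[0]
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            yield from extract_strings(carry, min_len, base)  # flush the tail
            return
        buf = carry + chunk
        keep = 0
        limit = min(max_carry, len(buf))
        while keep < limit and (buf[-1 - keep] in PRINTABLE or buf[-1 - keep] == 0):
            keep += 1
        split = len(buf) - keep
        head, carry = buf[:split], buf[split:]
        yield from extract_strings(head, min_len, base)
        base += len(head)


def scan_bytes(data: bytes, **kwargs) -> list[Hit]:
    """Convenience wrapper: run the chunked scanner over an in-memory buffer."""
    return list(scan_stream(io.BytesIO(data), **kwargs))


def find_keywords(hits: list[Hit],
                  keywords: tuple[str, ...] = ("password", "passwd", "private key")) -> list[Hit]:
    """Keep only hits whose text contains one of the keywords (case-insensitive)."""
    kws = [k.lower() for k in keywords]
    return [h for h in hits if any(k in h.text.lower() for k in kws)]


# Constructed stand-in for a slice of a pagefile: zero pages, binary junk, an
# ASCII fragment of a paged-out process, and a UTF-16LE fragment as Windows
# applications commonly store text. Nothing here is real data.
SAMPLE = (
    b"\x00" * 64
    + b"\x17\x8a\x03"
    + b"proxy_user=svc-backup;password=CONSTRUCTED-NOT-REAL"
    + b"\x00" * 32
    + "hostname=srv01.example.internal".encode("utf-16le")
    + b"\x00\x00" + b"\xff\xfe\x01"
    + b"short" + b"\x00" * 8          # below min_len, must not be reported
)

if __name__ == "__main__":
    # A tiny chunk size forces several chunk boundaries inside the sample.
    for hit in scan_bytes(SAMPLE, chunk_size=40):
        print(f"{hit.offset:#010x} {hit.encoding:<9} {hit.text}")
    print("keyword hits:", [h.offset for h in find_keywords(scan_bytes(SAMPLE))])
```

On a real collection, replace `SAMPLE` with `open("Files/pagefile.sys", "rb")` passed to `scan_stream`; offsets in the output are file offsets, so a hit can be carved with a hex editor afterwards. Expect a high volume of noise from a full pagefile; the keyword filter, a larger `min_len`, and excluding zero-filled regions are the usual ways to reduce it.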