Swap File
Overview
Evidence: Swap File
Description: Dump system swap file
Category: Memory
Platform: windows
Short Name: swp
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The swap file (swapfile.sys) was introduced in Windows 8 to support Modern/Metro apps and improve performance. It works similarly to the pagefile but is specifically optimized for Windows Store apps and suspended app state.
Like the pagefile, the swap file can contain memory remnants including sensitive data that was swapped out.
Data Collected
This collector gathers structured data about the swap file.
Swap File Data
| Field | Description | Example |
|---|---|---|
| Type | File type | SwapFile |
| Name | File name | swapfile.sys |
| SourcePath | Original file path | C:\swapfile.sys |
| FilePath | Relative path in evidence | Files/swapfile.sys |
| FileSize | File size in bytes | 268435456 |
Collection Method
This collector collects the swap file from:
C:\swapfile.sys (default location)
The file is collected using driver or NTFS raw access if locked.
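The collection step and the record layout in the table above can be illustrated with a small script. This is an added example, not the collector's own code: it copies a swap file into an evidence directory under `Files/`, hashes it, and returns a record with the same fields the table lists. The `collect_swap_file` and `demo_collect` names are hypothetical, and the file the demo creates is a constructed stand-in for `C:\swapfile.sys`. On a live Windows host the real file is locked by the kernel; the collector falls back to driver or raw NTFS access in that case, whereas this example only reports the failure.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Default location named on the page; only used as documentation here.
DEFAULT_SWAP_PATH = r"C:\swapfile.sys"


def collect_swap_file(source_path, evidence_root):
    """Copy source_path into <evidence_root>/Files/ and build the evidence record.

    Returns a dict with the Type/Name/SourcePath/FilePath/FileSize fields from
    the page's table plus a SHA256 so the copy can be verified later.
    """
    src = Path(source_path)
    dest_dir = Path(evidence_root) / "Files"
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / src.name
    try:
        shutil.copyfile(src, dest)
    except PermissionError as exc:
        # A locked swapfile.sys ends up here; a real collector would switch
        # to a driver or raw NTFS read instead of giving up.
        return {"Type": "SwapFile", "Name": src.name, "SourcePath": str(src),
                "Error": f"locked: {exc}; raw NTFS/driver access required"}

    # Hash the collected copy in chunks so very large swap files fit in memory.
    sha256 = hashlib.sha256()
    with open(dest, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha256.update(chunk)

    return {
        "Type": "SwapFile",
        "Name": src.name,
        "SourcePath": str(src),
        "FilePath": f"Files/{src.name}",   # path relative to the evidence root
        "FileSize": dest.stat().st_size,
        "SHA256": sha256.hexdigest(),
    }


def demo_collect(size=4096):
    """Constructed demo: fake a swapfile.sys in a temp dir and collect it."""
    workdir = Path(tempfile.mkdtemp())
    fake_swap = workdir / "swapfile.sys"
    fake_swap.write_bytes(b"\x00" * size)          # constructed sample content
    return collect_swap_file(fake_swap, workdir / "evidence")


if __name__ == "__main__":
    print(demo_collect())
```

The record's `FilePath` is deliberately relative (`Files/swapfile.sys`) so the evidence bundle stays portable, while `SourcePath` keeps the original absolute location for the report.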
Forensic Value
Swap files can contain sensitive data from Windows Store apps and suspended processes. Investigators use this data for memory forensics on Windows 8+ systems, recovering app state information, extracting credentials from Modern apps, and analyzing suspended process memory.
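A first triage pass over a collected swap file is usually a string sweep, since Modern apps store text as UTF-16LE as well as ASCII. The following is an added example, not part of the page or the collector: it carves printable ASCII and UTF-16LE runs from a byte buffer with their offsets, then flags strings containing keywords an investigator would review first. The `extract_strings`, `triage` and `build_sample_swap` names are hypothetical, and the sample buffer is constructed inline to stand in for a swap file fragment.

```python
import re


def extract_strings(data, min_len=6):
    """Return printable ASCII and UTF-16LE runs of at least min_len chars.

    Each hit is a dict with the byte offset, the encoding and the decoded text.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE of printable ASCII is "char, NUL" pairs; match runs of those.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [{"offset": m.start(), "encoding": "ascii",
             "text": m.group().decode("ascii")} for m in ascii_re.finditer(data)]
    hits += [{"offset": m.start(), "encoding": "utf-16le",
              "text": m.group().decode("utf-16-le")} for m in utf16_re.finditer(data)]
    return sorted(hits, key=lambda h: h["offset"])


def triage(data, keywords=("password", "token", "secret", "bearer")):
    """Flag carved strings whose lowercase text contains a review keyword."""
    flagged = []
    for hit in extract_strings(data):
        lowered = hit["text"].lower()
        for kw in keywords:
            if kw in lowered:
                flagged.append((hit["text"], kw))
    return flagged


def build_sample_swap():
    """Constructed swap fragment: filler bytes around an ASCII and a UTF-16 string."""
    return (b"\x00" * 8
            + b"user=alice;password=hunter2"        # constructed ASCII remnant
            + b"\xff" * 5
            + "AuthToken=abc123".encode("utf-16-le")  # constructed UTF-16LE remnant
            + b"\x00" * 8)


if __name__ == "__main__":
    for text, kw in triage(build_sample_swap()):
        print(f"[{kw}] {text}")
```

Run against a real dump, the same functions would be fed the file in memory-mapped chunks; the offsets let findings be cross-referenced with the collected file and the `FileSize` recorded in the evidence record.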