Pagefile.sys & Hiberfil.sys (Virtual Memory)

Windows | Memory & Live State | Disk Image

Location

C:\pagefile.sys and C:\hiberfil.sys

Description

Pagefile.sys contains memory pages swapped to disk by the Windows memory manager. Hiberfil.sys contains a compressed copy of all physical memory written during hibernation or Fast Startup shutdown, effectively serving as a full memory snapshot.

Forensic Value

Virtual memory files contain fragments of process memory that were paged to disk, including credentials, decrypted content, command-line arguments, and malware code. Hiberfil.sys is particularly valuable as it represents a complete RAM capture at the last hibernation, recoverable even from a dead system. Strings analysis and carving can extract passwords, URLs, encryption keys, and remnants of in-memory-only malware that left no disk artifacts.

Tools Required

  • Volatility 3
  • strings
  • bulk_extractor
  • Hibernation Recon (Arsenal)
  • KAPE

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target MemoryFiles

Hibernation Recon

HibernationRecon.exe -f C:\hiberfil.sys -o C:\output\hiberfil_decompressed.bin

strings

strings -el C:\pagefile.sys > C:\output\pagefile_strings_unicode.txt && strings C:\pagefile.sys > C:\output\pagefile_strings_ascii.txt

bulk_extractor

bulk_extractor -o C:\output\pagefile_carved C:\pagefile.sys
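The two `strings` invocations above exist because Windows keeps most process strings in memory as UTF-16LE, which an ASCII-only pass misses. As an added example (not part of this reference), the Python below performs both extractions over a constructed buffer standing in for a slice of pagefile.sys and tags the results an analyst would look at first; the tagging patterns and the sample content are assumptions for illustration.

```python
import re

# Constructed sample standing in for a pagefile.sys slice: binary filler around an
# ASCII command line, then a URL and a credential fragment stored as UTF-16LE.
SAMPLE = (
    b"\x00\x01\x02MZ\x90\x00\x03"
    + b"powershell.exe -enc SQBFAFgA"
    + b"\x00\xff\x13\x00"
    + "https://example.invalid/login".encode("utf-16-le")
    + b"\x00\x00\x07"
    + "Password=Winter2024!".encode("utf-16-le")
    + b"\x00\x00"
)

# Illustrative triage patterns (assumed, not from the page): things worth a second look.
INDICATORS = {
    "url": re.compile(r"https?://\S+", re.I),
    "credential": re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*\S+", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I),
}


def extract_ascii(data: bytes, min_len: int = 8) -> list[str]:
    """Printable 7-bit ASCII runs, what plain `strings` returns."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def extract_utf16le(data: bytes, min_len: int = 8) -> list[str]:
    """Printable UTF-16LE runs, what `strings -el` returns (each char is byte + NUL)."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def triage(data: bytes, min_len: int = 8) -> dict:
    """Run both extractions and tag strings matching the INDICATORS patterns.

    Returns {"strings": [(encoding, text), ...], "hits": [(label, encoding, text), ...]}.
    """
    found = [("ascii", s) for s in extract_ascii(data, min_len)]
    found += [("utf16le", s) for s in extract_utf16le(data, min_len)]
    hits = [(label, enc, s) for enc, s in found
            for label, pat in INDICATORS.items() if pat.search(s)]
    return {"strings": found, "hits": hits}


if __name__ == "__main__":
    for label, enc, text in triage(SAMPLE)["hits"]:
        print(f"[{label}] ({enc}) {text}")
```

Note that the URL and credential only surface in the UTF-16LE pass, which is the case an ASCII-only `strings` run would silently miss.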

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
  • Live-state evidence is volatile. Collect it before reboot, containment, or power loss whenever legal and operational constraints allow.
  • A hiberfil.sys written by a Fast Startup shutdown is a reduced image: users are logged off before the kernel session is saved, so it holds kernel and driver memory rather than user process memory. Only a true hibernation writes the full memory image.
  • After a successful resume, Windows invalidates the hibernation file header, but the compressed pages usually remain on disk until the next hibernation overwrites them, which is why decompression and carving can still recover content.

MITRE ATT&CK Techniques

  • T1003.001 (OS Credential Dumping: LSASS Memory)
  • T1055 (Process Injection)
  • T1005 (Data from Local System)