Data in Pagefile.sys

(@subujoseph)
Posts: 51
Trusted Member
Topic starter
 

Hello fellow examiners…

A quick question regarding Pagefile.sys.

What will be the contents of the Pagefile when it is first created? Will it all be zeros or will it contain data from unallocated space?

This is assuming that Windows is reinstalled on a used formatted hard disk (not new or forensically wiped) and Pagefile is created for the first time.

Any help would be appreciated.

Thanks.

 
Posted : 14/03/2016 4:03 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hello fellow examiners…

A quick question regarding Pagefile.sys.

What will be the contents of the Pagefile when it is first created? Will it all be zeros or will it contain data from unallocated space?

This is assuming that Windows is reinstalled on a used formatted hard disk (not new or forensically wiped) and Pagefile is created for the first time.

Any help would be appreciated.

Thanks.

It would seem to me an easy enough experiment to carry out.

BUT think about it a little.

How BIG in size is a pagefile.sys?

Let's say it is automagically set at 2x available RAM, say 4 Gb for a 2 Gb RAM system.
How long does it take to create the pagefile.sys (like milliseconds, seconds or minutes)?
How long does it take on the same system to format (with wiping, i.e. without the /q switch on recent Windows) a similarly sized volume in a file residing on the same Mass Storage device, let's say a .vhd 4 Gb in size (again milliseconds, seconds or minutes)?

The time that it takes to create the file may give you a hint about whether the contents would be the *whatever* is already in the area indexed by the newly created file or if a huge number of 00's are created on disk.

jaclaz

 
Posted : 14/03/2016 5:10 pm
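
One way to read the outcome of the experiment suggested above, as an added example that is not part of either post: a page-by-page census of a pagefile.sys that has been exported from a forensic image of the test system, counting how many pages are entirely zeros and where the first non-zero page sits. The 4096-byte page size, the function names and the sample file are assumptions made for this illustration; the sample data is constructed so the script runs without a real pagefile.

```python
import os
import tempfile

PAGE = 4096  # assumed page size (x86/x64 Windows); adjust if the system differs


def zero_page_census(path, page=PAGE, chunk_pages=256):
    """Count all-zero vs. non-zero pages in a file exported from an image.

    Returns (total_pages, zero_pages, first_nonzero_offset or None).
    A trailing partial page is counted as one page.
    """
    total = zeros = 0
    first_nonzero = None
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(page * chunk_pages)  # read in 1 MiB pieces
            if not chunk:
                break
            for off in range(0, len(chunk), page):
                block = chunk[off:off + page]
                if block.count(0) == len(block):
                    zeros += 1
                elif first_nonzero is None:
                    first_nonzero = total * page  # byte offset within the file
                total += 1
    return total, zeros, first_nonzero


def build_sample(path):
    """Constructed sample: 6 zero pages, 2 pages of stale text, 2 zero pages."""
    with open(path, "wb") as fh:
        fh.write(bytes(PAGE * 6))
        fh.write((b"leftover document text " * 400)[:PAGE * 2])
        fh.write(bytes(PAGE * 2))


def demo():
    """Run the census over the constructed sample and return its result."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "pagefile_sample.bin")
        build_sample(sample)
        return zero_page_census(sample)


if __name__ == "__main__":
    total, zeros, first = demo()
    print(f"{zeros}/{total} pages are all zeros; first non-zero page at offset {first}")
```

Run against an export taken immediately after the pagefile is first created, non-zero pages whose content matches data known to have been on the disk before the reinstall would indicate that the old contents were not overwritten.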