
pagefile persistence

(@enm16)
New Member
Joined: 16 years ago
Posts: 1
Topic starter  

I am wondering if parts of a page file from a Windows XP installation can persist across installations…i.e., if you reinstall XP over top of an existing installation, can data in pagefile.sys from the previous installation still exist? I'm thinking it could just be that the pagefile sucked up some unallocated space that happened to contain data from the previous installation.

I have a disk that looks like it was reinstalled recently, but I can find evidence of a different profile and timestamps from before that date in pagefile.sys.

I entertained the possibility that my installation date is incorrect (I'm just going on the dates of system files; the reg key HKLM\Software\Microsoft\WindowsNT\Current Version\Install Date is wrong. It converts to Saturday, September 04, 2049), and it was just a profile that was deleted. But there is no trace whatsoever of that profile (or some installed programs) on the drive that I've found, other than in pagefile.sys.

Another strange thing about the drive is that there are C, D, E, and F drives showing in EnCase, and D, E, and F have an empty Windows root structure (i.e., D\WINDOWS with all its subfolders, but all the folders are empty). The folders on these partitions are much older. How can I tell which partitions were actually visible to the user?

I appreciate any insight you might have…I am rather puzzled at this point, and unsure of the best way to proceed. I'd like to try to carve some files out of pagefile.sys, but I want to be able to figure out the profiles first.


   
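One way to approach the "figure out the profiles first" step from the post above, as an added example that is not part of the original thread: scan pagefile.sys for XP profile paths in both ASCII and UTF-16LE, record the offset of each hit, and list the names that have no profile folder on the volume. The function names, the sample bytes and the user names are assumptions made for illustration.

```python
import io
import re
from collections import defaultdict

_NAME = rb"[^\\/:*?\"<>|\x00-\x1f]"   # one byte that is legal in a Windows file name
_ROOT = "Documents and Settings\\"    # XP keeps user profiles under this folder
_ASCII = re.compile(re.escape(_ROOT.encode("ascii")) + rb"(" + _NAME + rb"{1,64})\\", re.I)
# UTF-16LE form. Assumption: every character of the name fits in one byte.
_UTF16 = re.compile(re.escape(_ROOT.encode("utf-16-le"))
                    + rb"((?:" + _NAME + rb"\x00){1,64})\\\x00", re.I)

def scan_profiles(stream, chunk_size=1 << 20, overlap=512):
    """Map each profile name found in the stream to its sorted byte offsets."""
    hits = defaultdict(set)
    base, tail = 0, b""
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        buf = tail + block            # keep a tail so hits spanning two reads are found
        start = base - len(tail)      # absolute offset of buf[0]
        for rx, enc in ((_ASCII, "latin-1"), (_UTF16, "utf-16-le")):
            for m in rx.finditer(buf):
                hits[m.group(1).decode(enc)].add(start + m.start())
        tail = buf[-overlap:]
        base += len(block)
    return {name: sorted(offs) for name, offs in hits.items()}

def residual_profiles(hits, on_disk):
    """Names seen in the pagefile with no matching profile folder on the volume."""
    known = {n.lower() for n in on_disk}
    return sorted(name for name in hits if name.lower() not in known)

# Constructed sample standing in for pagefile.sys; both user names are made up.
SAMPLE = (b"\x00" * 100
          + b"C:\\Documents and Settings\\olduser\\Cookies\\index.dat"
          + b"\x00" * 50
          + "C:\\Documents and Settings\\newuser\\NTUSER.DAT".encode("utf-16-le"))

if __name__ == "__main__":
    found = scan_profiles(io.BytesIO(SAMPLE), chunk_size=64)
    for name, offsets in found.items():
        print(name, offsets)
    print("not on disk:", residual_profiles(found, ["newuser", "All Users"]))
```

Run it against a copy of pagefile.sys exported from the image, opened in binary mode; the recorded offsets give starting points for examining the surrounding pages before carving.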
binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

Re the pagefile issue

I had a case recently where artefacts within a pagefile.sys on an XP system almost certainly came from the pagefile.sys of a previous incarnation of the same operating system.

I haven't done any testing to see how this has come about but I can confirm I have seen the same behaviour.

Paul


   