Hi, I’ve been looking into data recovery and forensics recently and wanted to learn more about pagefile.
I have a general grasp of its function, but what I don’t understand is what kind of data/files are actually found in pagefile?
Can full images/gifs/videos be found in pagefile after you use forensic software? If not, what can be found there?
The contents that once existed in memory have the potential to be stored in the pagefile. Therefore, the contents of the pagefile are diverse, including images accessed from websites, input content for editing documents, and so on.
Forensic tools can extract relevant evidence from the pagefile. However, for further investigation, searching for specific types of files such as images or videos within the pagefile can be achieved by carving based on file signatures.
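The signature-based carving the answer describes, as an added example that is not part of the original post: a minimal carver that scans a raw dump for JPEG, PNG and GIF headers and bounds each hit by its trailer. The sample buffer is constructed inline; the signature table and the 4 MiB cut-off are my own choices, and a header hit with no trailer is reported as incomplete, which is exactly the ambiguity a real pagefile produces when only part of a file was paged out.

```python
# Minimal signature carver for a raw binary image such as a pagefile dump.
# Added example, not from the original post or any forensic tool.
from typing import List, Tuple

# (type name, header bytes, trailer bytes). Reference signatures, not page data.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    ("gif", b"GIF89a", b"\x3b"),  # GIF trailer is a lone ';', so weak evidence
    ("gif", b"GIF87a", b"\x3b"),
]
MAX_CARVE = 4 * 1024 * 1024  # assumption: stop looking for a trailer after 4 MiB

Hit = Tuple[str, int, int, bool]  # (type, offset, length, trailer_found)


def carve(blob: bytes, max_len: int = MAX_CARVE) -> List[Hit]:
    """Return one hit per header occurrence, ordered by offset.

    length is header-to-trailer when a trailer is found within max_len,
    otherwise the truncated window; trailer_found=False flags a fragment
    (or a false positive) that an analyst must not treat as a whole file.
    """
    hits: List[Hit] = []
    for name, header, trailer in SIGNATURES:
        start = blob.find(header)
        while start != -1:
            window = blob[start:start + max_len]
            end = window.find(trailer, len(header))
            if end == -1:
                hits.append((name, start, len(window), False))
            else:
                hits.append((name, start, end + len(trailer), True))
            start = blob.find(header, start + 1)
    return sorted(hits, key=lambda h: h[1])


def extract(blob: bytes, hit: Hit) -> bytes:
    """Slice the carved candidate out of the dump."""
    _, offset, length, _ = hit
    return blob[offset:offset + length]


# Constructed sample: filler, a complete JPEG-shaped blob, a complete
# PNG-shaped blob, then a JPEG header whose trailer never appears.
SAMPLE = (b"\x00" * 16 + b"\xff\xd8\xff\xe0JFIF-payload\xff\xd9" + b"padding" * 4
          + b"\x89PNG\r\n\x1a\nIHDR..IEND\xae\x42\x60\x82" + b"\x01" * 8
          + b"\xff\xd8\xff\xdbcut-off")

if __name__ == "__main__":
    for hit in carve(SAMPLE):
        print(hit, extract(SAMPLE, hit)[:12])
```

Running it against a real pagefile (read in binary mode) gives the same shape of output: a list of candidate offsets that still needs validation, since a matching header proves nothing about which process owned the bytes.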
Depends on the operating system. See a text book on virtual memory design (esp. paged virtual memory) for a full answer. In principle:
It is a kind of semi-permanent page cache for the memory manager.
It contains non-static data that was removed from primary memory because some other process needed more memory space. (Static data does not need to be saved, as it never changes: it can be read back from executable files.)
Complete files might perhaps be found there if the software opened the file for editing, read the full file into its process memory, and it was paged out in full at some time. That *might* happen if the relevant software waited on user input, and some other code needed more memory badly. If the file was opened in read-only mode, it would not need to be paged out, as it could be paged in from the original file instead. (Software can usually flag data space as non-pageable to prevent it from ever being paged out, but that is typically only used for very sensitive data).
You might find a sector/cluster of a file. In general, you can't rely on finding anything in particular. Some operating systems clear the page files when they shut down. If you ever search the page file, you're more or less at your wit's end, as you typically can't attribute the data to a particular process.