Blog
Notes on Windows pagefile.sys forensics and this tool.
- Carving registry hive fragments from pagefile.sys
  5/20/2026
  How to identify regf and hbin blocks in a Windows pagefile, what you can recover from them, and how to chain the output into RegRipper / hivexsh / Eric Zimmerman's Registry Explorer.

- Detecting malware command lines in pagefile.sys
  5/20/2026
  PowerShell encoded commands, certutil downloads, mshta payloads, rundll32 abuse, regsvr32 squiblydoo — the command-line patterns that show up in Windows pagefile.sys and how to find them.

- Encrypting pagefile.sys: the EncryptPagingFile setting and what it protects against
  5/20/2026
  Windows can encrypt pagefile.sys with a per-boot ephemeral key. This post explains what that protects against, what it doesn't, how it interacts with BitLocker, and what it means for forensic analysis.

- Finding credentials in pagefile.sys
  5/20/2026
  Why credentials leak into Windows pagefile.sys, what shapes to look for — passwords, bearer tokens, JWTs, NTLM, Kerberos, cloud CLI tokens — and how this parser surfaces them.

- How to acquire pagefile.sys
  5/20/2026
  Practical acquisition methods for Windows pagefile.sys — live, offline, from disk images and VM snapshots, with the pitfalls to avoid.

- Limitations of pagefile.sys analysis
  5/20/2026
  What you can and cannot recover from a Windows pagefile — and why Windows 10's memory compression changes the calculus.

- How pagefile.sys forensics actually works
  5/20/2026
  Signature carving, string extraction, and entropy analysis — the three techniques that drive every pagefile.sys analysis tool.

- pagefile.sys vs hiberfil.sys vs swapfile.sys: which Windows paging file to analyze
  5/20/2026
  Windows has three paging-related files at the root of the system drive — pagefile.sys, hiberfil.sys, swapfile.sys. Each contains different data and matters at different points in an investigation.

- Recovering browser history (URLs, cookies, autofill) from pagefile.sys
  5/20/2026
  How Chrome, Edge and Firefox leak browsing data into Windows pagefile.sys — and how to extract URLs, cookies, search queries and autofill values from a carved page.

- Should you delete or disable pagefile.sys?
  5/20/2026
  Disabling pagefile.sys frees disk space and can be a security hardening step — but it also reduces performance and breaks crash dumps. Here's a forensic and operational view of when (not) to do it.

- Volatility + pagefile.sys: pairing the two for full memory forensics
  5/20/2026
  Volatility cannot parse pagefile.sys standalone — but paired with a RAM dump, it can reconstruct the full virtual address space, including paged-out pages. Here's the workflow.

- What is pagefile.sys?
  5/20/2026
  A short tour of Windows' pagefile.sys — why it exists, what's inside, and why forensic analysts care.