pagefile.sys is one of the most forensically valuable files on a Windows
system — and one of the most awkward to grab. Windows keeps it open and
exclusively locked by the kernel from boot to shutdown, so a simple
`copy C:\pagefile.sys` fails with "The process cannot access the file…".
There are four practical acquisition paths. Pick the one that matches the state of the machine.
## 1. Live system — raw NTFS read
On a running machine, the file's contents are still readable by code that goes around the file system and reads the raw NTFS volume directly. A handful of tools do this:
- RawCopy.exe (jschicht/RawCopy) — small Windows utility, no install, drops a copy without disturbing the source. Run from an elevated prompt:
  `RawCopy.exe /FileNamePath:C:\pagefile.sys /OutputPath:E:\evidence`
- FTK Imager Lite — Add Evidence Item → Logical Drive → C: → right-click pagefile.sys → Export Files. FTK uses raw I/O internally.
- KAPE — `--target Pagefile` plus `--target Hiberfile`, `--target Swapfile` for a one-shot triage that hashes and copies all three.
- X-Ways Forensics — same idea via "Add Logical / Physical Disk".
Don't write the output to C: — pick an external drive or a network share.
The mere act of writing creates new paged-out content and can overwrite the
pagefile slots you're trying to capture.
## 2. Offline system — mount the disk read-only
If you can power the machine off (and your IR brief allows it), boot from a forensic Linux USB (CAINE, Tsurugi, Paladin) or take the disk into a write-blocker, then:
```bash
sudo mount -t ntfs-3g -o ro /dev/sdb2 /mnt/evidence
cp /mnt/evidence/pagefile.sys /external/evidence/
```
Outside Windows, there is no kernel lock — the file is just bytes.
## 3. From a disk image
Most engagements involve a full forensic image (E01, dd, AFF4) rather
than direct hardware. To pull pagefile.sys out of it:
- FTK Imager: Add Evidence Item → Image File → … → Export Files.
- Autopsy / The Sleuth Kit: open the image, navigate to the volume root, export.
- tsk_recover, icat (Sleuth Kit CLI):
  ```bash
  fls -p -o $OFFSET image.dd | grep pagefile.sys   # take the inode, then:
  icat -o $OFFSET image.dd $INODE > pagefile.sys
  ```
## 4. From a VM snapshot
VMware/Hyper-V/VirtualBox snapshots include the guest disk. Mount the
disk image (*.vmdk, *.vhdx, *.vdi) read-only on your analysis host
and copy. For Hyper-V Server snapshots, the .avhdx is a differencing
disk — merge it onto the base .vhdx first, or mount the parent + diff
chain in PowerShell:
```powershell
Mount-VHD -Path .\guest.vhdx -ReadOnly
```
## Don't forget the companions
If you've got pagefile.sys, grab the rest of the paging family while you have access:
| File | Use |
|---|---|
| swapfile.sys | UWP / Modern app working sets — different content set |
| hiberfil.sys | Full RAM snapshot if the machine was hibernated |
| memory.dmp | Kernel crash dump if %SystemRoot%\Memory.dmp exists |
| MEMORY.DMP / *.hdmp | Crash dumps, complete or kernel-only |
| RAM dump | If you can do a live capture (DumpIt, WinPMem, Magnet RAM) |
A paired RAM dump is the single biggest upgrade to pagefile analysis: it gives Volatility the page-table entries to map pagefile slots back to processes — see the limitations post for why that matters.
## Verify before you walk away
After acquisition:
- Hash it:
  `sha256sum pagefile.sys` (or `Get-FileHash`). Re-hash on the analysis box to confirm transfer integrity.
- Sanity-check the size: a fresh Windows install with 16 GB RAM has a pagefile around 2.5 GB. Systems set to "System managed" can have it grow well past 16 GB. A 4 KB file means the system had the pagefile disabled.
- Log the chain of custody: who pulled it, when, from what host, to what storage, with what tool.
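As an added example (not from the original post or from any tool it names), a small Python script that runs the three verification steps above in one go: chunked SHA-256, the size sanity check, and a chain-of-custody record that the analysis box re-verifies. `demo()` builds a constructed sample file, and the host name, operator and tool name in it are placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 16 * 1024 * 1024  # stream in 16 MiB pieces: a pagefile can be tens of GB

def sha256_file(path):
    # Chunked SHA-256 so a multi-GB pagefile never has to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def size_sanity(nbytes, installed_ram=None):
    # Post's rules of thumb: 4 KB = pagefile disabled; bigger than RAM = System-managed growth.
    if nbytes <= 4096:
        return "disabled"
    if installed_ram is not None and nbytes > installed_ram:
        return "larger-than-ram (system managed growth?)"
    return "plausible"

def custody_record(src_path, dst_path, tool, operator, host, installed_ram=None):
    # Who pulled it, when, from what host, to what storage, with what tool, plus the hash.
    size = os.path.getsize(dst_path)
    return {
        "operator": operator, "source_host": host, "tool": tool,
        "source_path": src_path, "dest_path": dst_path,
        "acquired_at": datetime.now(timezone.utc).isoformat(), "size_bytes": size,
        "size_check": size_sanity(size, installed_ram), "sha256": sha256_file(dst_path),
    }

def verify_transfer(record, copy_path):
    # Re-hash on the analysis box; both size and digest must match the record.
    return (os.path.getsize(copy_path) == record["size_bytes"]
            and sha256_file(copy_path) == record["sha256"])

def demo():
    # Constructed sample: a fake pagefile plus a copy with one byte flipped in transit.
    data = b"\x00" * 4097 + b"constructed sample pagefile content " * 100
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "pagefile.sys"), os.path.join(d, "pagefile.copy")
        for p, blob in ((good, data), (bad, data[:-1] + b"X")):
            with open(p, "wb") as f:
                f.write(blob)
        rec = custody_record(r"C:\pagefile.sys", good, "RawCopy.exe", "analyst1",
                             host="WS-EXAMPLE", installed_ram=16 * 2**30)  # placeholders
        return {"record": rec, "expected_sha256": hashlib.sha256(data).hexdigest(),
                "good_ok": verify_transfer(rec, good), "bad_ok": verify_transfer(rec, bad)}
```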
## Common pitfalls
- BitLocker: an encrypted system drive means you need the recovery key or the unlocked TPM state. Capture the system in its unlocked state whenever possible.
- Anti-virus: some EDR products quarantine RawCopy.exe / FTK on contact. Add your tool path to the allowlist before you start.
- Fast Startup / hybrid sleep: a Windows that "shut down" with Fast Startup may actually have hibernated, in which case hiberfil.sys contains the previous session's RAM — a much bigger prize than pagefile.
- Writing to the same volume: don't. Every write is a potential pagefile slot overwrite.
## Then what?
Once you have the file, drop it onto the parser on the home page — it analyses the raw bytes in your browser via WebAssembly, streams the file in 16 MB chunks, and produces a per-page classification + extracted strings + IOCs without ever uploading anything.
For background on what the analyzer actually does, see how pagefile.sys forensics actually works.