Volatility + pagefile.sys: pairing the two for full memory forensics
5/20/2026 · 5 min read
Volatility (and its newer sibling MemProcFS)
are the standard tools for Windows memory forensics. Most analysts use
them against a RAM dump alone. What gets missed is that both can read
pagefile.sys if you give it to them — and doing so dramatically
expands what you can recover.
Why Volatility can't use pagefile alone
Volatility's job is to walk the kernel data structures of a captured
memory image: EPROCESS lists, page-table entries (PTEs), kernel pools,
network buffers. All of that lives in RAM — none of it is in
pagefile.
Pagefile by itself is just content: 4 KB raw memory frames with no attribution. Volatility doesn't know which slot belongs to which process, which virtual address, or even what type of memory (heap, stack, mapped file) it is.
This is why standalone tools like this parser take a carving approach — looking at content alone via magic-byte signatures. See the limitations post for the full explanation.
What changes when you have both
When you give Volatility a RAM dump and the corresponding pagefile, it can:
- Walk PTEs in RAM to figure out which process and virtual address each pagefile slot maps to.
- Read paged-out pages on demand during plugin execution — so a
process scan, a
pslist, acmdline, avadinfo, adumpfilesall get the full content even for memory regions that paged out. - Run plugins that were previously failing or partial:
pstree,cmdline,dlllist,handles,consoles,cmdscan— all become complete.
In effect, the pagefile is mounted as backing store for the memory image.
Volatility 3 syntax
# Without pagefile (paged-out content is missing)
vol -f memory.dmp windows.pslist
# With pagefile (paged-out content gets fetched)
vol -f memory.dmp \
--layer "Stacker.layer0:PageFile=pagefile.sys" \
windows.pslist
The --layer syntax lets you stack a PagefileLayer over the physical
memory layer, and Volatility's translation will fall through to it when
a PTE has the Pagefile bit set.
Note: the exact CLI for stacking pagefile layers has evolved across
Volatility 3 minor versions; check vol --help and the
-h for windows.info on your build.
Volatility 2 syntax
Legacy but still in heavy use:
vol.py -f memory.dmp --profile=Win10x64_19041 \
--pagefile pagefile.sys \
pslist
The --pagefile flag works for most Win64 / Win10 profiles. For older
profiles, the flag may not be supported.
MemProcFS syntax
MemProcFS exposes the analysis surface as a virtual filesystem you can
cd into:
MemProcFS.exe -device memory.dmp -pagefile0 pagefile.sys
The pagefile0 parameter accepts a path; pagefile1, pagefile2, …
can be used for additional pagefiles (multi-volume servers).
Once mounted, paths like:
M:\pid\1234\virt2phys.txt
M:\pid\1234\memory.vmem
M:\pid\1234\modules\…
…return contents with paged-in data filled from pagefile transparently.
When to use which tool
| Goal | Best tool |
|---|---|
| Walk processes, modules, handles, network connections | Volatility 3 (with --layer PageFile=) |
| Mount memory as filesystem; interactive triage | MemProcFS |
| Carve content from a pagefile without a RAM dump | This parser |
| Search strings + IOCs in pagefile without RAM dump | This parser |
| Decrypt LSASS secrets from RAM | pypykatz / mimikatz / Volatility plugins |
A complete IR triage usually involves all three: RAM capture for live analysis, pagefile for paged-out content, and a strings sweep for the quick IOCs.
Practical workflow
A reasonable end-to-end workflow on a Windows host:
- Acquire RAM (DumpIt, WinPMem, Magnet RAM Capture).
- Acquire pagefile.sys (see the dedicated post).
- Acquire hiberfil.sys if it exists (why) — it's a richer second memory image.
- Power down, image the disk.
- First pass: drop the pagefile into this parser for a quick IOC sweep — URLs, IPs, command lines, credentials. This is the fastest path to "is there anything obviously bad here?".
- Second pass: run MemProcFS with the RAM dump + pagefile. Walk processes, dump LSASS, check network connections, examine drivers.
- Third pass: Volatility 3 plugins for anything MemProcFS doesn't cover (custom plugins, malware-family-specific extractors).
- Cross-reference carved findings against EDR / Sysmon / EVTX logs for time anchoring.
What if you only have the pagefile?
Common in cases where the live capture wasn't possible (locked, BitLocker without recovery key, attacker had already shut down, etc.):
- Volatility / MemProcFS are largely useless without a corresponding RAM image.
- This parser is your tool. Carving + strings + artifacts will produce the strongest signal achievable from pagefile alone.
- Recovery quality is content-only, not context — see the limitations.
What if you only have the RAM dump?
Common in cloud / VM forensics where pagefile lives on the host hypervisor volume and isn't easily accessible:
- Volatility / MemProcFS work, but any paged-out address returns zero.
- Some plugins partially fail; others are unaffected (anything that only touches non-paged kernel pools).
- The pagefile is the supplement that turns a partial memory image into a complete one.
Crash dumps as a hybrid
MEMORY.DMP from a kernel crash is structurally similar to a RAM dump
and Volatility reads it natively (--profile=… plus the file). It does
not include pagefile content. Pair it with pagefile.sys the same way
you would a live capture.
Related
- How to acquire pagefile.sys — get the file in the first place.
- pagefile.sys vs hiberfil.sys vs swapfile.sys — what's in each, what to grab when.
- Limitations of pagefile.sys analysis — why standalone pagefile + Volatility-alone is each only half the picture.