Microsoft Windows uses page file (pagefile.sys), for storing memory blocks, which do not currently fit into physical memory.
This file, stored along the way %SystemDrive%pagefile.sys and is a hidden system file and cannot be read or accessed by the user, including Administrator in the active system.
This file can be read, having analyzed inactive file system orby checking using such tools, HowFTKImager .
Unlike hibernation files, page files cannot be processed usingVolatility: actually a page file – these are just memory holes, where blocks are stored on disk.
Because the data in the page file is not stored sequentially, then the chance of finding the whole data chain is very small.
Although it is possible to find useful data in blocks, less or equal 4 KB, this is the biggest indicator, you can count on.
Thus, The most productive method for analyzing swap files is to search for strings.
Analysis using "string".
To start analyzing the page file, you can use the command strings.
Here are some examples:
List all paths in the page file
$strings pagefile.sys | grep -i "^[a-z]:\\\\" | sort | uniq | less
Finding Environment Variables
$ strings pagefile.sys | grep -i "^[a-zA-Z09_]*=.*" | sort -u | uniq | lessHow to find a URL
$ strings pagefile.sys | egrep "^https?://" | sort | uniq | lessFinding Email Addresses
$ strings pagefile.sys | egrep '([[:alnum:]_.-]{1,64}+@[[:alnum:]_.-]{2,255}+?\.[[:alpha:].]{2,4})'Analysis according to YARA rules
Besides, you can scan pagefile.sys, using YARA.
Using (For example) set of rules, you can scan the page file, to find some malicious artifacts, not found in volatile memory:
$ yara malware_rules.yar pagefile.sys