Hibernation and page file investigation
The product allows you to extract information from two important Windows files: the hibernation file and the swap (page) file. These two files are the only exception in which Live memory contents may survive the computer being switched off. Both may contain live memory artifacts written to a drive as part of normal operating system functioning. While the hibernation file is mostly used on laptops, the paging file is used on most computers because it represents the computer's virtual memory.
To extract information from either of these, run the Carve Device Wizard and, on the second page, choose the Live RAM image file option.
Then, specify a path to the hibernation or swap file of interest. After you click Finish, the specified file will be carved for the Live RAM artifacts it may contain. As with regular Live RAM, you should not expect a large number of results, because volatile memory contains only the most recent data used by various programs, and even this data may quickly be overwritten with other data. However, even a small amount of the most recent data is better than nothing.
Please note that both files are exclusively locked by your running Windows system, so the product will fail to analyze them on a live system. If you would like to test the product, you can either copy the file using specific tools like Hobocopy or attach a drive with another copy of Windows. You can also download sample hibernation and page files from the Belkasoft site.
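
To show what carving such a file for memory artifacts involves in principle, the following added example (not Belkasoft's code and not a description of how the product works) scans a copied page file in chunks for URL strings in ASCII and UTF-16LE. The choice of URLs as the artifact, the function name `carve_urls` and the sample bytes are assumptions made for illustration.

```python
import io
import re

# "http(s)://" followed by printable bytes, as ASCII and as UTF-16LE
# (Windows processes commonly hold strings in UTF-16LE).
PATTERNS = {
    "ascii": re.compile(rb"https?://[\x21-\x7e]{4,200}"),
    "utf-16le": re.compile(
        rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,200}"),
}
OVERLAP = 512  # must be >= the longest possible match (416 bytes for UTF-16LE)


def carve_urls(stream, chunk=1 << 20, overlap=OVERLAP):
    """Return sorted (file_offset, encoding, url) hits from a binary stream."""
    hits, buf, base = [], b"", 0   # base = file offset of buf[0]
    while True:
        block = stream.read(chunk)
        last = not block
        buf += block
        # Hits starting in the final `overlap` bytes may be cut off by the
        # chunk boundary, so they are left for the next pass.
        limit = len(buf) if last else max(len(buf) - overlap, 0)
        for enc, rx in PATTERNS.items():
            for m in rx.finditer(buf):
                if m.start() < limit:
                    hits.append((base + m.start(), enc, m.group().decode(enc)))
        if last:
            return sorted(hits)
        base += limit
        buf = buf[limit:]


# Constructed sample standing in for a copied page file: zero padding with one
# ASCII and one UTF-16LE URL, placed so the first straddles a 700-byte chunk.
SAMPLE = (b"\x00" * 690 + b"http://example.test/login" + b"\x00" * 1000
          + "https://example.test/mail".encode("utf-16le") + b"\x00" * 600)

if __name__ == "__main__":
    for offset, enc, url in carve_urls(io.BytesIO(SAMPLE), chunk=700):
        print(f"{offset:#010x}  {enc:8}  {url}")
```

For a real file, open the copy in binary mode (`open(path, "rb")`) and pass the file object to `carve_urls`; the recorded offsets let each hit be re-examined in a hex viewer.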