Windows Swap/Page File Defined

Microsoft Windows-based computer operating systems utilize a special file as a "scratch pad" to write data when additional random access memory is needed. In Windows, Windows 95 and Windows 98, these are called Windows swap files. In Windows NT, Windows 2000 and Windows XP they are called Windows page files, but they have essentially the same characteristics as Windows swap files. Windows swap/page files are huge, and most computer users are unaware of their existence. The size of these files can range from 100 million bytes to over a gigabyte, and the potential exists for these huge files to contain remnants of word processing, E-Mail messages, Internet browsing activity, database entries and almost any other work that may have occurred during past Windows work sessions. This situation creates a significant security problem because data can be transparently stored within the Windows swap file without the knowledge of the computer user. This can occur even if the work product was stored on a computer network server. The result is a significant computer security weakness that can be of benefit to the computer forensics specialist. Windows swap files can actually provide the computer forensics specialist with investigative leads that might not otherwise be discovered.

Windows swap files are relied upon by Windows, Windows 95, and Windows 98 to create "virtual memory"; i.e., using a portion of the hard disk drive for memory operations. The storage area is important to the computer forensics specialist for the same reason that file slack and unallocated space are important, i.e., large volumes of data exist for which the computer user likely has no knowledge. Windows swap files can be temporary or permanent, depending on the version of Windows involved and settings selected by the computer user. Permanent swap files are of more interest to a computer forensics specialist because they normally store larger amounts of information for much longer periods of time.

Large permanent swap files can hold vast quantities of data, and they should be targeted early in the examination by the computer forensics specialist to identify leads relative to past uses of the subject computer. NTI's NTA Stealth program was originally designed to assist in the identification of E-Commerce related leads in Windows swap files. Since then NTI's NTA Stealth program has been upgraded to identify all Internet-related URLs and E-mail addresses on an entire computer system. NTI's various computer forensic filters, e.g., NTA Stealth, Filter_I, Filter_N, Filter_G, Fnames, GetHTML and GExtract, were designed to automatically identify computer investigation leads stored in Windows swap/page files. The identified leads can be used to craft lists of key words and strings of text for use with a computer forensics search tool, e.g., TextSearch Plus and TextSearch NT. Intelligent filtering can identify relevant data types, which include credit card numbers, bank account numbers, domestic and international phone numbers, passwords, English language communications, E-Mail addresses, Internet web addresses, graphics files and file fragments, HTML documents, and dates. NTI developed this method of identifying leads to help enhance the accuracy of computer forensic text searches in investigations and in computer security risk assessments. The methodology is not limited to Windows swap and Windows page files. It can also be used very effectively with any ambient data sources.

The permanent swap file in Windows 3.1 and some later versions is called 386SPART.PAR and it typically has a system attribute which makes it invisible to standard DOS or Windows programs. The file usually can be found in the root directory of the drive designated in the Virtual Memory dialog box. Another place to look is in the Windows subdirectory or the Windows\System subdirectory.

The permanent swap file in Windows 95 and Windows 98 is called WIN386.SWP. It is also usually located in the root directory of the drive designated in the Virtual Memory dialog box. A permanent swap file will not be found on most computers running Windows 95 or Windows 98. In Windows 95 and Windows 98, the default is usually set for the swap file to be dynamic, and it shrinks and expands as necessary. When a dynamic swap file is involved, its file size is reduced to zero and the file's contents are released to unallocated storage space. Thus, the contents of the dynamic swap file must be analyzed along with the other data stored in this space. This requires the use of specialized computer forensics software tools like NTI's GetFree software to capture the data stored in unallocated storage space, which is normally associated with previously 'deleted' files. As with a static or permanent swap file, the output file created by NTI's GetFree software can be analyzed for leads using intelligent filters, as described above.

In Windows NT/2000/XP, the Windows page file is named PAGEFILE.SYS, and such files are treated as permanent (static) swap files. Permanent swap files can be viewed like any other file with software utilities like Norton Commander and/or Norton DiskEdit. The problem is that swap/page files can be very large - 100 million bytes to over 1 billion bytes - and they contain mostly binary information which is not readable. Looking for leads in the swap file by viewing it with normal utilities can be tedious and most likely unfruitful because of the massive volume of data involved. Therefore, it is more productive when specialized, intelligent tools are used, chosen according to the nature of the case involved. These techniques and concepts are covered in detail in NTI's popular 5 Day Computer Forensics Course.