Windows Forensics tip of the day…

The Windows page/swap file usually contains very recent information about a user's activity. That data is overwritten fairly quickly, depending on how "busy" the system is, but while it is there the page file can hold potentially sensitive and incriminating evidence (fragments of documents, passwords, decrypted data, chat messages, and so on that were paged out of RAM). The legality of admitting evidence found in a page/swap file is still sketchy in the judicial system. However, it's always a good idea to play it safe.

If you don't mind a slightly longer shutdown / restart time, you can have Windows overwrite the page file with zeros at every clean shutdown. This is disabled by default.

Start -> Run -> regedit

Change the following REG_DWORD value from 0 to 1 (it lives under the Memory Management key; create it if it is not present):

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown

*The Microsoft KB article can be found here: http://support.microsoft.com/kb/314834
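If you would rather script the change than click through regedit, the same setting can be applied and verified from an elevated PowerShell prompt. The following is an added example, not code from the original post; it assumes an Administrator session and that the Memory Management key exists (it does on every stock Windows install). The script also prints the PagingFiles value from the same key so you can see which file(s) will actually be zeroed.

```powershell
# Added example (not from the original post): enable ClearPageFileAtShutdown and verify it.
# Run from an elevated PowerShell session. The change takes effect at the next clean shutdown/restart.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$ValueName = 'ClearPageFileAtShutdown'

# Read the current setting. The value may be absent on some systems; absent means disabled (0).
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) { $current = 0 }
Write-Host "Current $ValueName = $current"

# Enable it: 1 = overwrite the page file with zeros at clean shutdown. -Type DWord creates it if missing.
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord

# Verify the write actually landed (fails loudly if the session was not elevated).
$after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($after -ne 1) { throw "Failed to set $ValueName (read back $after)" }
Write-Host "$ValueName is now $after; the page file will be zeroed at the next clean shutdown."

# Show which page file(s) this affects. PagingFiles is a REG_MULTI_SZ in the same key,
# e.g. 'C:\pagefile.sys 0 0' (path followed by initial/maximum size in MB, 0 0 = system managed).
Write-Host "Configured page file(s):"
(Get-ItemProperty -Path $KeyPath -Name PagingFiles).PagingFiles
```

Two caveats worth knowing before relying on this. First, the wipe only happens on a clean shutdown: if the machine crashes, loses power, or is seized while running, the page file is still intact on disk, and a live-response acquisition will capture it regardless. Second, this setting touches only pagefile.sys; the hibernation file (hiberfil.sys) is a separate copy of memory and is not cleared by it. On domain-joined machines the same setting is exposed as the Group Policy security option "Shutdown: Clear virtual memory pagefile", which is the more maintainable way to roll it out fleet-wide.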
