Windows Forensics tip of the day…

The Windows page/swap file usually contains very recent traces of a user's activity. That data is overwritten fairly quickly, how quickly depending on how "busy" the system is, but in the meantime the page file can hold sensitive and potentially incriminating material that was never written to disk anywhere else. Whether evidence recovered from a page/swap file is admissible is still an open question in the courts. However, it's always a good idea to play it safe.

If you don't mind a slightly longer shutdown / restart time (the system has to overwrite the whole file, so the delay grows with the page file's size), you can have Windows write zeros to the page file at shutdown. This is disabled by default. Note that the setting only applies to a clean shutdown or restart: a crash, a hard power-off or a live disk acquisition still leaves the page file intact, and hiberfil.sys is not touched by it at all.

Start -> Run -> regedit

Change the following DWORD value from 0 to 1 (create it if it does not exist):

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
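The same change scripted in PowerShell, as an added example that is not part of the original post. It reads the current value (treating a missing value as the default of 0), creates or updates the DWORD, and verifies the result; the function names and the admin check are my own, and it must be run from an elevated session because the change is under HKLM. It also lists where the page file lives, which is a reminder that this setting affects pagefile.sys only.

```powershell
# Added example (not from the original post): query and enable ClearPageFileAtShutdown.
# Requires an elevated (Administrator) PowerShell session; takes effect at the next clean shutdown.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$valueName = 'ClearPageFileAtShutdown'

function Get-ClearPageFileAtShutdown {
    # Returns the current DWORD value, or 0 when the value has never been created (Windows' default).
    $props = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 0 }
    return [int]$props.$valueName
}

function Enable-ClearPageFileAtShutdown {
    # New-ItemProperty is needed when the value is absent (it also sets the DWORD type);
    # Set-ItemProperty is enough when the value already exists.
    $existing = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value 1 | Out-Null
    } else {
        Set-ItemProperty -Path $regPath -Name $valueName -Value 1
    }
}

# HKLM is read-only for standard users; fail early rather than with a confusing access error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Run this from an elevated PowerShell session.'
    exit 1
}

Write-Host "Before: $valueName = $(Get-ClearPageFileAtShutdown)"
Enable-ClearPageFileAtShutdown
Write-Host "After:  $valueName = $(Get-ClearPageFileAtShutdown)"

# The page file(s) this setting will zero at shutdown; hiberfil.sys is not covered.
Get-CimInstance -ClassName Win32_PageFileUsage | Select-Object Name, AllocatedBaseSize
```

From the examiner's side the same value is worth reading offline from the SYSTEM hive of a seized disk: if it is set to 1 and the machine was shut down cleanly, time spent carving the page file is unlikely to be productive.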

*The Microsoft KB article can be found here:
