Results 1 to 2 of 2

Thread: Pagefile.sys & Hiberfil.sys skipped

  1. #1
    Join Date
    Nov 2011

    Default Pagefile.sys & Hiberfil.sys skipped

    Hi Mark

    i think we talked about this before ...
    whit the latest additions the product is becoming more and more
    usable and useful (i find myself using it more often every day) and
    when you'll introduce the support for EWF images it could be not
    rarely the only tool i need for some kind of investigations ... but ...

    i still think that skipping Pagefile.sys & Hiberfil.sys for their size is
    really a shame because these two files are very very often a
    "Treasure Chest" of informations.

    I tried to enable "custom limits" but the program says that anyway
    the maximum file size must not exceed 2gb which is often not enough
    with modern pc.
    I think you should introduce some specific module to scan these two files (possibly leaving it/them as an option that the examiner can enable/disable);
    IMHO a specific module could be a right option because of their peculiarities
    (pagefile.sys should be carved like a sort of ram image while Hiberfil.sys
    has some kind of compression applied ...).
    What do you think about this ?

    Kind regards

  2. #2
    Join Date
    Jan 2003
    Sydney Australia


    You can use the hex viewer and string extraction function to look at these files.

    It would be nice if they were optionally included as part of an index however. This was already on our to do list. But we haven't go to it as yet.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts