Forensic analysis of Windows 10 compressed memory using Volatility

Memory analysis on Windows 10 differs from earlier Windows versions: a new feature, Memory Compression, keeps compressed pages in the store of the Memory Compression system process instead of writing them straight to the paging file, so a forensic tool has to be able to locate and decompress those pages before the data they hold (strings, process data, kernel structures) can be recovered.


How to extract forensic artifacts from pagefile.sys?

Microsoft Windows uses a paging file, called pagefile.sys, to store page-size blocks of memory that do not currently fit into physical memory.
The file lives at %SystemDrive%\pagefile.sys as a hidden system file and is held open by the kernel while Windows is running, so it cannot be opened with a normal file read, even as Administrator; it has to be extracted from a disk image, a volume shadow copy, or via raw volume access, or read from the shut-down system's drive.
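Once a copy of the paging file has been obtained, the simplest way to pull artifacts out of it is string carving: the file has no index or structure of its own, so the usual approach is to find printable runs, in both ASCII and the UTF-16LE that Windows uses for most of its strings, and match them against patterns for URLs, file paths and similar indicators. The script below is an added example written for this page, not code from the original post; it runs on a constructed byte string standing in for a pagefile image, and the `carve_file` helper, which memory-maps a real pagefile.sys copy, is an illustrative addition. The search patterns are assumptions chosen for the demonstration; a real investigation would extend them.

```python
import mmap
import re
from collections import defaultdict

# Constructed sample standing in for a pagefile.sys image (not real data):
# zero padding, an ASCII URL, a UTF-16LE Windows path, junk, a UTF-16LE URL.
SAMPLE = (
    b"\x00" * 16
    + b"https://example.com/login?user=alice\x00\x00"
    + "C:\\Users\\alice\\Documents\\secret.docx".encode("utf-16-le")
    + b"\x00\x00garbage"
    + "http://intranet.local/update".encode("utf-16-le")
    + b"\xff" * 8
)

# Printable runs: plain ASCII, and ASCII characters interleaved with NUL bytes
# (UTF-16LE), the equivalent of `strings -a` and `strings -el`.
MIN_LEN = 6
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Artifact patterns (assumed for this example): URLs and absolute Windows paths.
URL_RE = re.compile(r"https?://[!-~]{4,200}")
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^<>:"/\\|?*\x00-\x1f]{1,64}\\)*[^<>:"/\\|?*\x00-\x1f]{1,64}'
)
ARTIFACT_PATTERNS = {"url": URL_RE, "winpath": PATH_RE}


def extract_strings(data):
    """Yield (offset, encoding, text) for every printable run in `data`.

    ASCII runs are reported first, then UTF-16LE runs; the offset is the
    byte position in the image, which is what goes into the timeline/report.
    """
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def carve_artifacts(data):
    """Return {artifact_type: [(offset, encoding, value), ...]} found in `data`.

    Each printable run is matched against every artifact pattern; the
    encoding is kept because UTF-16LE hits usually come from Windows
    internals and ASCII hits from application buffers, which helps triage.
    """
    found = defaultdict(list)
    for offset, encoding, text in extract_strings(data):
        for kind, pattern in ARTIFACT_PATTERNS.items():
            for m in pattern.finditer(text):
                # Offset of the match inside the run, in bytes of the source encoding.
                width = 2 if encoding == "utf-16le" else 1
                found[kind].append((offset + m.start() * width, encoding, m.group()))
    return dict(found)


def carve_file(path):
    """Carve a pagefile.sys copy from disk without loading it all into memory.

    Paging files are commonly several GiB, so the file is memory-mapped and
    the regexes run over the mapping directly.
    """
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve_artifacts(mm)


if __name__ == "__main__":
    for kind, hits in carve_artifacts(SAMPLE).items():
        for offset, encoding, value in hits:
            print(f"{kind:8s} 0x{offset:08x} {encoding:9s} {value}")
```

Run it against a real image with `carve_file("pagefile.sys")`; because the file is memory-mapped, a multi-gigabyte paging file is handled without reading it into RAM. Expect many false positives from the loose patterns, and remember that pages in the file belong to whatever processes were swapped out at the time, so a hit tells you a string was in memory, not which process owned it.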
