How to extract forensic artifacts from pagefile.sys?

Microsoft Windows uses a paging file, called pagefile.sys, to store page-size blocks of memory that do not currently fit into physical memory. This file, stored at %SystemDrive%\pagefile.sys, is a hidden system file and it can never be read or accessed by a user, including Administrator.

My GCFA Exam Sketchbook

Some months ago I obtained the GCFA certification. During exam preparation I collected a lot of notes, and after the exam I gradually organized them into an index based on the topics that came up during the exam, usually in my limited free time.

RunPE: a practical example of Process Hollowing technique

About the “Process Hollowing” technique I have already written some posts (like this). However, I have never published any practical example. So, today I want to quote this interesting article where Tigzy explains process hollowing with a brief code snippet. A brief recap: what…