# Memory, Pagefile and Hibernation file

#### Memory

* A device used to store information for immediate use in a computer
* Memory analysis is the analysis of volatile data to find data that is not easily detectable on a hard drive
* A memory dump is a snapshot or capture of computer memory from a specific instant
* Attack data often exists only in system memory rather than in files on disk.

#### Pagefile

* Pagefile.sys is used within the Windows OS to store data from RAM when RAM becomes full
* It can change size or be deleted, which will change the speed of the computer.
* If it is deleted the system will not operate properly, but the system can be configured to store it on a different hard drive

#### Swapfile

* Linux version of page file
* Traditionally this is a partition but can be set up as a swapfile
* Easier to change size of swapfile than partition
* `sudo fallocate -l [filesize] /swapfile` changes the size of the swapfile once the swapfile is temporarily disabled
* To work out how much space is available, use `free -h`
* `swapon --show` can identify whether it is a file or a partition
* Can also adjust how frequently the swap space gets used

#### Hibernation file

* Introduced in Windows 2000
* Allows OS to store current state of operation when computer is turned off
* This copies everything from memory to a file called hiberfil.sys on the disk

#### Hashing and Integrity

* Hash values are text strings
* They provide a unique identifier for a file
* In forensics, a hash will be taken before a system is copied. A hash of the copied system will then be taken. If both are the same then these are exact copies.
* Hashcat can be used to perform dictionary attacks against hashes
* This is most often used against credentials
* `hashcat -m 0 <hashfile.txt> <wordlist.txt>`
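
The before-and-after hash comparison described above, as an added example that is not part of the original notes. The file names, the chunk size, the choice of SHA-1 plus SHA-256, and the random sample data are assumptions made for illustration.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large image never sits fully in RAM


def hash_file(path, algorithms=("sha1", "sha256")):
    """Return {algorithm: hex digest} for a file, reading it once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_copy(source, copy):
    """Hash source and copy; return (match, source_hashes, copy_hashes)."""
    src, dst = hash_file(source), hash_file(copy)
    return src == dst, src, dst


def demo():
    """Constructed sample: random bytes stand in for an acquired image."""
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "evidence.raw")  # hypothetical file names
        copy = os.path.join(workdir, "evidence_copy.raw")
        with open(source, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 17))
        shutil.copyfile(source, copy)
        clean_match = verify_copy(source, copy)[0]
        # Flip one bit in the copy to simulate corruption during transfer.
        with open(copy, "r+b") as fh:
            fh.seek(CHUNK)
            original = fh.read(1)[0]
            fh.seek(CHUNK)
            fh.write(bytes([original ^ 0x01]))
        altered_match, src, dst = verify_copy(source, copy)
        return clean_match, altered_match, src, dst
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    clean, altered, src, dst = demo()
    print("exact copy matches:", clean, "| altered copy matches:", altered)
    print("source sha256:", src["sha256"], "| copy sha256:", dst["sha256"])
```

A single flipped bit in a multi-megabyte copy changes every digest, which is why matching hashes are accepted as evidence that the copy is exact.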


