The Pagefile or Swap file is an area of the hard drive that can be used by the operating system to store data from the random access memory (RAM) that has not been used in recent activity.
What is Pagefile.sys?
The Pagefile.sys is used within Windows operating systems to store data from the RAM when it becomes full.
The Pagefile.sys is a contiguous file, so that it can be read more quickly. It is located on the root of the hard drive and, normally, the more infrequently used data is stored in it.
RAM is used by the system to store active data because, due to its speed of operation, the system functions more quickly than if that data were stored on and read from the hard drive.
However, through normal use, RAM is filled by the system and then Windows is able to identify which data to move from it to the Pagefile.sys where it can remain until required again.
It can also be used as a backup of data in the event of a system crash.
By default, the Windows operating system configures the size of the Pagefile.sys; however, it can also be altered by the user.
Normally the Pagefile.sys can be a significant proportion of the data present on the hard drive; however, removing it can greatly reduce the operating speed of the computer.
The Pagefile.sys is hidden from the normal Windows user by default as, like many other files on the hard drive, it is a system file that Windows identifies as important in the normal operation of the system.
If the file is deleted fully then the system will not function correctly and is likely to become unstable; however, the system can be configured to store the Pagefile.sys on a secondary hard drive.
Move the Pagefile.sys
Within the Control Panel, open ‘Advanced system settings’, located within the System Properties menu, and select the ‘Settings’ option in the ‘Performance’ section of the ‘Advanced’ tab.
Then select ‘Advanced’ within the ‘Performance Options’ tab and click ‘Change’.
Then deselect ‘Automatically manage paging file size for all drives’, which allows the ‘No paging file’ option to be selected. Using the ‘Set’ option, a different location for the Pagefile.sys can then be selected.
The Swap file in Linux
As in Windows, Linux uses swap space to store data from RAM when it is full or when the data is not in current use.
Within Linux, however, it is traditionally a swap partition rather than a swap file and is therefore separate from the other files, as it is contained on its own partition.
However, it is possible to create a swap file within Linux and to manage the size of that file if required, whereas it is not as easy and sometimes impossible to adjust the size of a swap partition.
This can be done via the command ‘sudo fallocate -l [file size] /swapfile’ once the swap file has been temporarily disabled.
Swap space Related Commands in Linux
In order to check the amount of swap space available to the system, the ‘free -h’ command can be used which will provide the breakdown of total, used and free swap space on the system.
The ‘swapon --show’ command can then be used to identify whether the swap space is a file or a partition.
If the system contains no swap space then the ‘free -h’ command would show this and the ‘swapon --show’ command would provide no output.
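The same checks can be scripted by reading /proc/swaps, the kernel's list of active swap areas. The following is an added example, not part of the original article; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise swap areas from /proc/swaps-format text.
# Columns: Filename Type Size(KiB) Used(KiB) Priority.

# Constructed sample table, not taken from a real system.
SAMPLE_SWAPS='Filename                                Type            Size            Used            Priority
/swapfile                               file            2097148         524288          -2
/dev/sda2                               partition       4194300         0               -3'

# swap_summary [FILE]: one line per area, "<path> <type> <size MiB> <used MiB>".
# Reads FILE (default /proc/swaps). Prints nothing when no swap is configured,
# which corresponds to the empty output of `swapon --show`.
swap_summary() {
    awk 'NR > 1 && NF >= 5 {
        printf "%s %s %d %d\n", $1, $2, int($3 / 1024), int($4 / 1024)
    }' "${1:-/proc/swaps}"
}

# swap_totals [FILE]: "<total MiB> <used MiB>" over all areas ("0 0" if none),
# the figures that `free -h` reports on its Swap line.
swap_totals() {
    awk 'NR > 1 && NF >= 5 { t += $3; u += $4 }
         END { printf "%d %d\n", int(t / 1024), int(u / 1024) }' "${1:-/proc/swaps}"
}

# swap_files [FILE]: paths of swap areas that are files rather than partitions.
swap_files() {
    awk 'NR > 1 && $2 == "file" { print $1 }' "${1:-/proc/swaps}"
}

# Run the three checks against the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SWAPS" > "$tmp"
    swap_summary "$tmp"
    echo "totals in MiB (total used): $(swap_totals "$tmp")"
    echo "swap files: $(swap_files "$tmp")"
    rm -f "$tmp"
}

demo
```

Calling the functions without an argument reads the live /proc/swaps on a Linux system.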
It is also possible to adjust how often the swap space is used within Linux. The default value is 60; however, it can be set between 0 (for servers) and 100 (for desktop), with higher values making the system use the swap space more frequently.
It is also possible to completely remove the swap file within Linux using the command ‘sudo rm /swapfile’, however, as with Windows, doing so is likely to have adverse effects on the operation of the system.
About Athena Forensics
For information on our digital forensic services, or if you require any advice or assistance, please contact a member of our team on 0330 123 4448 or via email on firstname.lastname@example.org. Further details are available on our contact us page.
Our clients’ confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.