Why examine the swap file last?

Nov 12, 2016
#1
I am still new to this but studying hard... I read that when attempting to recover a lost file you should examine the swap file last if other attempts/methods have failed... why is that? I know that the swap file acts as a virtual memory extension of RAM but just don't understand why you would check there last.
 

athulin

Member
Experienced Member
Oct 18, 2007
#2
FeatherGray said:
I read that when attempting to recover a lost file you should examine the swap file last if other attempts/methods have failed... why is that? I know that the swap file acts as a virtual memory extension of RAM but just don't understand why you would check there last.

It doesn't make much sense as you state it. Perhaps if you reexamine your source, you'll find that it is describing some particular methodology, in which examining the swap file is the least likely to succeed, and for that reason is the last step.

But as you don't state what source you're using ... I'm afraid I can only guess.
 

SgtJackie

New Member
Nov 30, 2015
#3
The swap file changes every nanosecond, so you either have to capture it live or do a dump of the RAM. You would examine it last because it is usually a last resort!
 
