While I'm not exactly sure what the purpose of it is, it looks like it is used to store/cache content that's currently in use.
If you're curious to see what's inside, you can acquire locked files like swapfile.sys or pagefile.sys from a running Windows system using FGET (Forensic Get by HBGary).
Run the following command (as Administrator):
FGET -extract %systemdrive%\swapfile.sys OUTPUT_PATH
After which you can perform a string analysis using Strings. Within swapfile.sys on my system, among other things I found: my email address, several emails and email addresses, environment variables, partial content from web pages I visited, mimetype strings, user agent strings, XML files, URLs, IP addresses, usernames, library function names, application preferences, path strings, etc.
I also tried carving the file to look for common image formats and found several JPEGs and PNGs consisting of application icons, webpage resources, several profile pictures, image resources from Metro apps, etc.
If FGET doesn't work for you, try using ifind and icat from The Sleuth Kit.
You can find the MFT entry number for swapfile.sys using ifind as follows:
ifind -n /swapfile.sys \\.\%systemdrive%
Once you have the inode number, you can retrieve the file using icat as follows:
icat \\.\%systemdrive% INODE_NUMBER > OUTPUT_PATH
For example:
C:\>ifind -n /swapfile.sys \\.\%systemdrive%
1988
C:\>icat \\.\%systemdrive% 1988 > %systemdrive%\swapfile.dmp
NOTE: You need to run both commands from an elevated command prompt (i.e. run cmd as Administrator).
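The two analysis steps the answer describes, pulling printable strings out of the dump and carving JPEG/PNG images from it, as an added example that is not part of the original answer and not code from HBGary or The Sleuth Kit. It works on a constructed in-memory blob that stands in for a swapfile dump (a user-agent string, a URL, a UTF-16LE environment variable, one tiny PNG and one tiny JPEG between filler bytes); to use it on a real dump, read the file produced by FGET or icat into `blob` instead. Windows keeps much of its text in UTF-16LE, so the string scanner looks for both ASCII and UTF-16LE runs, and the PNG carver validates every chunk CRC so a stray signature in random data is rejected rather than carved.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image followed by the next marker byte
JPEG_EOI = b"\xff\xd9"       # End Of Image


def extract_strings(blob: bytes, min_len: int = 4):
    """Strings-style scan: printable ASCII runs and UTF-16LE runs of at least min_len chars.
    Returns (offset, encoding, text) tuples sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(blob)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le")) for m in utf16_re.finditer(blob)]
    return sorted(found)


def _parse_png(blob: bytes, start: int):
    """Walk PNG chunks from a signature hit; return the whole file up to IEND, or None
    when a chunk runs past the buffer or its CRC is wrong (false positive or truncated)."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(blob):
            return None
        data = blob[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", blob[pos + 8 + length:end])[0]
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            return None
        pos = end
        if ctype == b"IEND":
            return blob[start:pos]
    return None


def _parse_jpeg(blob: bytes, start: int):
    """Simplest JPEG carve: from SOI to the first EOI. An EXIF thumbnail carries its own EOI,
    so this can cut a real photo short; walking the markers properly would fix that."""
    end = blob.find(JPEG_EOI, start + 2)
    return None if end < 0 else blob[start:end + 2]


def carve_images(blob: bytes):
    """Scan for PNG/JPEG signatures; return (offset, kind, bytes) hits in offset order.
    A carved file is skipped over so signatures inside it are not reported again."""
    hits, pos = [], 0
    while pos < len(blob):
        cands = [(blob.find(sig, pos), kind) for sig, kind in ((PNG_SIG, "png"), (JPEG_SOI, "jpeg"))]
        cands = [(p, k) for p, k in cands if p >= 0]
        if not cands:
            break
        p, kind = min(cands)
        img = _parse_png(blob, p) if kind == "png" else _parse_jpeg(blob, p)
        if img is None:
            pos = p + 1                 # not a usable image here; keep scanning past the hit
        else:
            hits.append((p, kind, img))
            pos = p + len(img)
    return hits


# ---- constructed sample data (not taken from a real swapfile) ----
def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """1x1 RGBA PNG built by hand; IDAT uses a stored (level 0) zlib block."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00\xff", 0)   # filter byte + one red pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_sample_jpeg() -> bytes:
    """Minimal JFIF header only: SOI, APP0 segment, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + b"\xff\xd9"


def make_sample_blob() -> bytes:
    """Stand-in for a swapfile dump: text and images separated by non-printable filler."""
    filler = b"\x00\xff" * 64
    ascii_text = b"Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36\x00http://example.com/index.html\x00"
    utf16_text = "USERNAME=jdoe".encode("utf-16-le")
    return (filler + ascii_text + filler + make_sample_png() + filler
            + utf16_text + filler + make_sample_jpeg() + filler)


if __name__ == "__main__":
    blob = make_sample_blob()
    for off, enc, text in extract_strings(blob):
        print(f"{off:08x} {enc:5} {text}")
    for off, kind, img in carve_images(blob):
        print(f"{off:08x} {kind:5} {len(img)} bytes")
```

On a real dump, replace `make_sample_blob()` with `open(path, "rb").read()` (or a memory-mapped file for multi-gigabyte swapfiles) and write each carved `img` out under its offset as a filename; the CRC check on PNG chunks is what keeps the image count honest, since random data produces signature-looking byte runs far more often than people expect.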