What is the purpose of "C:\swapfile.sys" in Windows 8?

From a Microsoft staff member at Technet forums.

This is a special type of pagefile used internally by the system to make certain types of paging operations more efficient. It is not related to the automatic dump setting.

Suspend/resume of Metro-style apps is one scenario, there could be others in the future.


Several of the links off the posted answers end up linking to it, but http://blogs.technet.com/b/askperf/archive/2012/10/28/windows-8-windows-server-2012-the-new-swap-file.aspx seems to be a more definitive answer:

You may ask, “Why do we need another virtual page file?” Well, with the introduction of the Modern App, we needed a way to manage their memory outside of the traditional Virtual Memory/Pagefile method. With that, the “%SystemDrive%\swapfile.sys” was born.

Windows 8 can efficiently write the whole (private) working set of a suspended Modern app to disk in order to gain additional memory when the system detects pressure. This process is analogous to hibernating a specific app, and then resuming it when the user switches back to the app. In this case, Windows 8 takes advantage of the suspend/resume mechanism of Modern apps to empty or re-populate an app’s working set.


While I'm not exactly sure what the purpose of it is, it looks like it is used to store/cache content that's currently in use.

If you're curious to see what's inside, you can acquire locked files like swapfile.sys or pagefile.sys from a running Windows system using FGET (Forensic Get by HBGary).

Run the following command (as Administrator):

FGET -extract %systemdrive%\swapfile.sys OUTPUT_PATH

After that, you can perform a string analysis using Strings. Within swapfile.sys on my system, among other things, I found:

my email address, several emails and email addresses, environment variables, partial content from web pages I visited, mimetype strings, user agent strings, XML files, URLs, IP addresses, usernames, library function names, application preferences, path strings, etc.

I also tried carving the file to look for common image formats and found several JPEGs and PNGs comprising application icons, webpage resources, several profile pictures, image resources from Metro apps, etc.


If FGET doesn't work for you, try using ifind and icat from The Sleuth Kit. You can find the MFT entry number for swapfile.sys using ifind as follows:

ifind -n /swapfile.sys \\.\%systemdrive%

Once you have the inode number, you can retrieve the file using icat as follows:

icat \\.\%systemdrive% INODE_NUMBER > OUTPUT_PATH

For example:

C:\>ifind -n /swapfile.sys \\.\%systemdrive%
1988

C:\>icat \\.\%systemdrive% 1988 > %systemdrive%\swapfile.dmp

NOTE: You need to run both commands from an elevated command prompt (i.e., run cmd as Administrator).
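The strings-plus-carving analysis described in this answer, as an added example that is not part of the original post: a Python script that scans a raw dump (for instance the swapfile.dmp written by the icat command above, or FGET's output; the path is an assumption) for printable ASCII and UTF-16LE strings, then carves JPEG and PNG images by their magic bytes. The sample bytes it embeds are constructed here for illustration and are not content from any real swap file.

```python
"""Strings and image carving over a raw dump such as a copy of swapfile.sys.

Added example, not code from the original answer. Point it at the file that
FGET or icat wrote (path is an assumption); with no argument it runs over a
constructed sample blob so the logic can be exercised offline.
"""
from __future__ import annotations

import re
import struct
import sys
import zlib

MIN_LEN = 8                      # shortest run worth reporting, as in strings.exe
JPEG_SOI = b"\xff\xd8\xff"       # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"           # JPEG end-of-image marker
PNG_SIG = b"\x89PNG\r\n\x1a\n"   # PNG file signature


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters.

    The wide scan matters on Windows: paths, URLs and user names held by
    Win32 and Modern apps are mostly UTF-16, so an ASCII-only pass misses them.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def _carve_jpeg(data: bytes, start: int) -> bytes | None:
    """Cut from SOI to the next EOI. Caveat: an embedded EXIF thumbnail carries
    its own EOI, so a real-world JPEG may be truncated by this simple rule."""
    end = data.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if end == -1 else data[start:end + len(JPEG_EOI)]


def _carve_png(data: bytes, start: int) -> bytes | None:
    """Walk the chunk list (length, type, payload, CRC) to IEND; None if it
    runs off the buffer or a chunk type is not four letters."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # header + payload + CRC
        if end > len(data) or not ctype.isalpha():
            return None
        pos = end
        if ctype == b"IEND":
            return data[start:pos]
    return None


def carve_images(data: bytes) -> list[tuple[str, int, bytes]]:
    """Return (kind, offset, bytes) for every JPEG and PNG that carves cleanly,
    sorted by offset. Headers without a valid trailer are skipped."""
    found = []
    for kind, magic, carver in (("jpeg", JPEG_SOI, _carve_jpeg),
                                ("png", PNG_SIG, _carve_png)):
        pos = data.find(magic)
        while pos != -1:
            blob = carver(data, pos)
            if blob is None:
                pos = data.find(magic, pos + 1)
            else:
                found.append((kind, pos, blob))
                pos = data.find(magic, pos + len(blob))
    return sorted(found, key=lambda item: item[1])


# ---- constructed sample data (not real swap file content) ----
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


SAMPLE_PNG = (PNG_SIG
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
              + _png_chunk(b"IEND", b""))                              # valid 1x1 red PNG
SAMPLE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI  # JFIF-shaped stub
SAMPLE_DUMP = (b"\x00" * 64
               + b"User-Agent: Mozilla/5.0 (Windows NT 6.2)" + b"\x00\x00"
               + "C:\\Users\\alice\\AppData".encode("utf-16-le") + b"\x00\x00"
               + b"\x7f" * 16
               + SAMPLE_PNG
               + b"\x01\x02" * 20
               + SAMPLE_JPEG
               + JPEG_SOI + b"truncated, no EOI")                      # header with no trailer


def analyse(data: bytes) -> dict:
    """Run both passes and summarise, so the result can be checked directly."""
    images = carve_images(data)
    return {
        "strings": extract_strings(data),
        "images": [(kind, off, len(blob)) for kind, off, blob in images],
        "blobs": [blob for _, _, blob in images],
    }


if __name__ == "__main__":
    dump = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    report = analyse(dump)
    for s in report["strings"]:
        print("string:", s)
    for i, (kind, off, size) in enumerate(report["images"]):
        out = f"carved_{i}.{kind}"
        open(out, "wb").write(report["blobs"][i])
        print(f"{kind} at offset {off}, {size} bytes -> {out}")
```

Run it as `python carve_swap.py C:\swapfile.dmp` against the copy produced by icat or FGET. Two points that the plain strings/carving description above leaves out: the UTF-16LE pass is what recovers most Windows paths, URLs and account names, and the JPEG rule (first end-of-image marker after the start marker) will cut a photo short when it carries an EXIF thumbnail, which is worth checking before reading anything into a carved image.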