According to the CHFI v11 Operating System Forensics module, the Windows pagefile.sys is a critical forensic artifact because it serves as virtual memory and may contain remnants of sensitive data such as credentials, command history, decrypted content, fragments of documents, and even portions of malicious code that were previously resident in RAM. As a result, understanding where pagefile-related configuration data is stored in the Windows Registry is essential for forensic investigators.
The registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
is the correct location where Windows stores configuration values related to virtual memory management, including the PagingFiles value. This value specifies the location, size, and behavior of the pagefile.sys on the system. CHFI v11 explicitly references this registry key when discussing memory artifacts, virtual memory analysis, and Windows memory forensics.
The other options are not relevant to pagefile analysis. The CurrentVersion key stores OS version details, ControlSet001\Control\Windows contains general system control settings, and ActiveComputerName only identifies the system hostname. None of these paths contain pagefile configuration data.
Therefore, to extract and validate artifacts related to pagefile.sys, Investigator Sarah must examine
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, making Option D the correct and CHFI v11–verified answer.
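As an added illustration (not part of the CHFI material), the Python sketch below shows how the PagingFiles value under this key can be interpreted once it has been extracted from a SYSTEM hive offline. It assumes that CurrentControlSet is resolved through the hive's Select\Current value, that sizes are in MB, and that a bare path or a "0 0" pair means a system-managed size; the function names and sample bytes are constructed for the example.

```python
import re

MM_SUBKEY = r"Control\Session Manager\Memory Management"

def control_set_key(select_current: int) -> str:
    """CurrentControlSet is a live alias; in an offline SYSTEM hive,
    Select\\Current names the ControlSet00N that was in use."""
    return f"ControlSet{select_current:03d}\\{MM_SUBKEY}"

def decode_multi_sz(raw: bytes) -> list:
    """REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, list ends with an extra NUL."""
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def parse_paging_files(entries):
    """Split each 'path initial maximum' entry into its fields."""
    parsed = []
    for entry in entries:
        entry = entry.strip()
        m = re.fullmatch(r"(.+?)\s+(\d+)\s+(\d+)", entry)
        if m:
            path, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        else:  # path only, no explicit sizes
            path, lo, hi = entry, None, None
        parsed.append({
            "path": path,
            "initial_mb": lo,
            "maximum_mb": hi,
            # Assumption: no sizes, or "0 0", means Windows manages the size.
            "system_managed": lo is None or (lo == 0 and hi == 0),
            # Assumption: "?:" means Windows also picks the drive.
            "drive_chosen_by_windows": path.startswith("?:"),
        })
    return parsed

# Constructed sample data, as it would be read from the PagingFiles value.
SAMPLE_RAW = ("C:\\pagefile.sys 1024 4096\x00"
              "D:\\pagefile.sys 0 0\x00"
              "?:\\pagefile.sys\x00\x00").encode("utf-16-le")

if __name__ == "__main__":
    print(control_set_key(1))
    for item in parse_paging_files(decode_multi_sz(SAMPLE_RAW)):
        print(item)
```

The paths recovered this way tell the examiner which volumes to search for pagefile.sys, including any pagefile placed on a non-system drive.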