T 5.146 Loss of confidentiality due to swap files
In order for an application to be executed by the processor of an IT system, it must be partially or completely copied into memory. Modern operating systems are capable of multitasking, which means several applications can be run simultaneously. On multitasking operating systems, there is often not enough memory available, especially when running extensive applications. For this reason, many operating systems move (swap) the parts of the memory currently not in use to the hard disk.
This data is swapped to a storage area referred to as the swap file or the swap partition (or just "swap" for short), although the term "swap file" was coined primarily by Microsoft for Windows operating system (otherwise also referred to as "paging file"). The operating system manages the swap file automatically and adjusts its size according to the amount of storage space needed. If a process requires more storage space to execute, then the size of the swap file increases. As soon as less storage space is needed (for example because applications were terminated), the swap file decreases in size. Defining the size of the swap file in advance accelerates Windows so you can work faster, especially in cases where the computer does not have much main memory.
The swap files are not deleted automatically when a user logs out of the system or the system is shut down. For this reason, some of the information used by the user while working on the IT system is still located in the swap file. This information can also include sensitive data such as passwords or cryptographic keys. The protection of the data is therefore not guaranteed because it would be possible, for example, to bypass all access controls and read this information by removing the hard disk and installing it in another computer.
Example:
Some users in a company complained that it took too long to shut down their clients. For this reason, the administrator responsible set the corresponding DWORD value to 0 so that the swap files would not be deleted automatically any more when shutting down the clients.
A short time after a laptop containing important corporate data had disappeared on a business trip, internal company information was published on a non-company web site. This raises the suspicion that an unauthorised person was able to read the critical data and start the system.