Hi all,
I'm definitely still learning with memory forensics, but I can't get my
head around this one.
I created a VirtualBox VM of Win7SP1x86 with 512MB RAM.
I disabled the pagefile - confirmed with reboot that pagefile.sys
disappeared.
I disabled pae - confirmed with reboot followed by: wmic os get
PAEEnabled, returned FALSE.
I then used:
vboxmanage debugvm "Win7" dumpguestcore --filename test.elf
to grab the ELF64 dump.
This file is: 569.5MB
I then used:
python vol.py -f test.elf --profile=Win7SP1x86 imagecopy -O test.raw
test.raw is: 4.0GB
Given that pae is off and pagefile.sys is off, where has the extra data
come from?!
I get that in 32-bit, we can represent up to 0xFFFFFFFF (2^32) = 4GB,
but where has the extra data come from?
Is it all going to be 0-padded or have I done something wrong somewhere?!
Any clues, tips, links to read, and flames welcome.
Adam
--
If you like, we could go PGP..?
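The question above is about why a contiguous raw image can be much larger than the ELF core it was converted from. One way to see this for yourself is to walk the PT_LOAD program headers of the ELF64 core and compare the bytes actually backed by data with the highest guest physical address any segment reaches; a tool that writes one flat image of the physical address space (which is what `imagecopy` does, as assumed here) has to zero-fill every gap up to that address. The script below is an added example and is not code from the original post, from VirtualBox or from Volatility; the embedded ELF is a constructed sample with made-up segment layout, so the numbers it reports illustrate the mechanism and do not describe Adam's dump.

```python
#!/usr/bin/env python3
"""Walk the PT_LOAD program headers of a little-endian ELF64 core (for example a
VirtualBox 'dumpguestcore' file) and report how much of the guest physical
address space is backed by data versus how much a flat raw image would have to
pad with zeros.  Added example; the sample ELF below is constructed test data."""
import struct
import sys

PT_LOAD = 1
PT_NOTE = 4
EHDR_SIZE = 64   # sizeof(Elf64_Ehdr)
PHDR_SIZE = 56   # sizeof(Elf64_Phdr)


def parse_phdrs(data):
    """Return the program headers of a little-endian ELF64 image as dicts."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:   # EI_CLASS must be ELFCLASS64, EI_DATA ELFDATA2LSB
        raise ValueError("only little-endian ELF64 is handled here")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, _vaddr, p_paddr, p_filesz, p_memsz, _align = fields
        phdrs.append({"type": p_type, "offset": p_offset, "paddr": p_paddr,
                      "filesz": p_filesz, "memsz": p_memsz})
    return phdrs


def summarize(phdrs):
    """Physical-address view: backed bytes, highest address reached, and the
    gaps between consecutive PT_LOAD segments (what a flat image must zero-fill)."""
    loads = sorted((p for p in phdrs if p["type"] == PT_LOAD), key=lambda p: p["paddr"])
    if not loads:
        raise ValueError("no PT_LOAD segments found")
    backed = sum(p["filesz"] for p in loads)
    highest = max(p["paddr"] + p["memsz"] for p in loads)
    gaps, cursor = [], 0
    for p in loads:
        if p["paddr"] > cursor:
            gaps.append((cursor, p["paddr"]))
        cursor = max(cursor, p["paddr"] + p["memsz"])
    return {"segments": loads, "backed_bytes": backed, "highest_paddr": highest,
            "padding_bytes": sum(end - start for start, end in gaps), "gaps": gaps}


def analyze_bytes(data):
    return summarize(parse_phdrs(data))


def build_sample_elf(segments):
    """Constructed sample: a minimal ELF64 core with the given
    (p_type, paddr, payload) segments.  Made up for this example."""
    phoff = EHDR_SIZE
    data_off = phoff + PHDR_SIZE * len(segments)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LSB, version 1, SysV ABI
    ehdr += struct.pack("<HHIQQQIHHHHHH",
                        4, 62, 1,                   # ET_CORE, EM_X86_64 (arbitrary here), EV_CURRENT
                        0, phoff, 0, 0,             # e_entry, e_phoff, e_shoff, e_flags
                        EHDR_SIZE, PHDR_SIZE, len(segments),
                        0, 0, 0)                    # no section headers
    phdrs, blobs = b"", b""
    for p_type, paddr, payload in segments:
        phdrs += struct.pack("<IIQQQQQQ", p_type, 0, data_off + len(blobs),
                             0, paddr, len(payload), len(payload), 0x1000)
        blobs += payload
    return ehdr + phdrs + blobs


# Constructed layout: 76 KiB of RAM-like data plus a 64 KiB segment placed just
# below 4 GiB, deliberately out of order to exercise the sorting above.
SAMPLE_SEGMENTS = [
    (PT_NOTE, 0x00000000, b"constructed note payload"),
    (PT_LOAD, 0xFFFF0000, b"\xff" * 0x10000),
    (PT_LOAD, 0x00000000, b"\x11" * 0x1000),
    (PT_LOAD, 0x00100000, b"\x22" * 0x2000),
]


def print_report(summary):
    for p in summary["segments"]:
        print(f"PT_LOAD paddr=0x{p['paddr']:09x} filesz=0x{p['filesz']:x} memsz=0x{p['memsz']:x}")
    for start, end in summary["gaps"]:
        print(f"gap      0x{start:09x}-0x{end:09x} ({end - start} bytes of zero fill)")
    print(f"backed: {summary['backed_bytes']} bytes, highest paddr: 0x{summary['highest_paddr']:x}")
    print(f"a flat raw image would be {summary['highest_paddr']} bytes "
          f"({summary['padding_bytes']} of them padding)")


if __name__ == "__main__":
    # With a path argument, analyze that core; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(SAMPLE_SEGMENTS)
    print_report(analyze_bytes(data))
```

Run it against a real core as `python3 elfgaps.py test.elf` (the file name is an assumption) to list the physical ranges the dump actually contains; if a segment sits near the top of the 32-bit physical address space, the flat image has to extend to that address even though almost everything in between is zero fill.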