How does evidence come to exist within the Windows page file

How does evidence come to exist within the Windows page file
mc87Asked:
Who is Participating?
 
btanConnect With a Mentor Exec ConsultantCommented:
In short, pagefile (in Windows it is "pagefile.sys") store frame of memory extract (or latent evidence extract) that does not fit into the RAM. It will be swapped between the physical memory (RAM) and the file - in all, they form the virtual memory spaces. Also do note that in Windows supports up to 16 paging files, in practice normally only one is used.

Although pagefile may not be capturing the full copy of RAM due to frequent swapping and also dependent of pagefile size allocated (some typically have it in another volume instead of the "C:" to let it grow), it can be dynamic but still has traces (depending on user activities, do not mistaken it as file repository). Note that even 32 bits and 64bits affect the size as well hence the traces too.

@ How to determine the appropriate page file size for 64-bit versions of Windows
http://support.microsoft.com/kb/889654

In all, I see pagefile as part of memory forensic as iIf you have a copy of the physical memory from the host before it was imaged, you can locate the page table entries and merge the data from page file with the memory image to build up a more complete "image" of the host's memory.

@ The Jesse's paper is a good read on the memory forensic esp on Section Section 4.1 that give a bit more info on pagefile and Section 6.1 on the recovery of traces from pagefile that would be of interest.
http://jessekornblum.com/publications/di07.pdf

Jesse Kornblum recommended tools that may be of interest to you. One method for analyzing the pagefile requires the use of the contents of physical memory. He talks about parsing the PTE/PDE in RAM to see what pages have been swapped out to the pagefile, those pages can be pulled from the pagefile and use them to reconstruct the objects available in main memory.

You can acquire the pagefile using F-Response and FTK Imager from a live system. Below are other useful analysis tools:
a) Memoryze: http://www.mandiant.com/products/free_software/memoryze/
b) Audit Viewer: http://blog.mandiant.com/archives/50
c) The Sleuth Kit can help to look into the pagefile - in specific matching any signature of known program: http://www.forensicswiki.org/wiki/The_Sleuth_Kit

There are other areas to sieve out evidences like the restore points, temp folder and etc. They are typical forensic area baseline to uncover more evidence traces.
0
 
giltjrCommented:
Well, do you know what the Windows page file is?

It is a copy of pages (typically 4 KB) in RAM.  So if it existed in memory, it could exist in the page file.

0
 
LMiller7Commented:
If you are inquiring from a security standpoint, as suggested by the zone, you will have to elaborate before a meaningful answer can be provided.

In general the OS will copy older data to the pagefile as an ongoing process. Applications have no access to the pagefile while the system is running.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
John_CFEConnect With a Mentor Commented:
The Windows page file (also known as the swap file) is a storage file that Windows uses to temporarily move the contents of parts of the RAM into when the demands on the RAM exceed its capacity. The page file can be pretty large on some systems, often hundreds of MB or a few GB's so it can store a lot of information.

For example, if an application is trying to load a significant amount of data into RAM due to a system request or user request then Windows will have to move what is currently into RAM into a temporary store to accommodate the new request. In order to do that it uses the page file to store the RAM data temporarily. This means that the page file can contain any data that is stored in RAM which could include user data such as documents, pictures or web pages or could just be binary data from an application that is running at the time.

Typically the page file contains a mixture of the two and doe not follow any human understandable structure. Having said that, it is a fairly trivial task to retrieve some kinds of data (pictures, documents and plain text) from the page file if you know what you are looking for.
0
 
pma111Commented:
virtual memory / additional memory, by evidence do you mean computer forensics evidence? I reviewed a pagefile once and managed to get a path for a document opened in microsoft word. Its very messy unstructured data so good luck with that.
0
 
giltjrConnect With a Mentor Commented:
Scanning a page file is very messy as pma111 has stated.

First, the map for the page file is kept in RAM by the OS.  Well, once you shut the computer down, this map is gone, so all you have is a but of 4 KB chunks of "stuff", you don't know what program owned what.

When the OS copies a pages of RAM to the page file, the pages do not necessary need to be written to contiguous sectors in the page file.  They can be randomly written wherever there is room in the page file.   So you may have a program that had say 10 MB of RAM copied to the page file, which would be 2,560 pages worth of memory.  Say your sector size is 16 KB, so you now have 640 sectors worth of RAM that is copied to the page file.  These could be 640 contiguous sectors or 640 sectors spread over the whole page file, which can be GB's in size.

It is a pain staking process, but there are things in their that can be valuable.
0
 
pma111Commented:
What is it your trying to acheive mc87, is there some specific data you are after, i.e. webmail, messenger chat sessions/logs etc, I know on forensic focus (forum) many claim to been able to get back some messneger chat data from pagefiles for harassement cases, albeit have never attempted to recover such yourself. Do you have an investigation on?
0
 
giltjrCommented:
I would say based on mc87's list of recent questions that he is taking classes and these are questions targeted towards what they are being taught.

mc87, if these questions are based on a classes, please let us know.  That way we can help guide you.
0
 
mc87Author Commented:
These question are  to help me with my revision.

Thank You
0
 
giltjrCommented:
-->These question are  to help me with my revision.

Not sure what you mean by "revision."
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.