pagefile.sys

(@forenz)
Posts: 47
Eminent Member
Topic starter
 

How would one examine the contents of the pagefile? Are FTK/EnCase all that is required to extract any data that could be of evidentiary value?
I'm just curious as to whether there are any neat little programs or scripts out there that can help get some extra info.

 
Posted : 01/10/2007 3:39 pm
(@tgoldsmith)
Posts: 35
Eminent Member
 

If you have a copy of the physical memory from the host before it was imaged, you can locate the page table entries and merge the data from page file with the memory image to build up a more complete "image" of the host's memory. I don't think any of the publicly released tools do this (unless someone can correct me), although I've done it so I know it works nicely.

Other than that, without putting extra thought into it there isn't really too much you could do to grab interesting stuff from it. Signature matching/"strings" might give you some scraps of detail, but the chances of finding most of an application in there that you can reassemble (especially as you don't have the page tables) is pretty much zero.

Um.. I'll have a think about some other things you could do. It's Monday after all :-)

 
Posted : 01/10/2007 5:31 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

How would one examine the contents of the pagefile? Are FTK/EnCase all that is required to extract any data that could be of evidentiary value?
I'm just curious as to whether there are any neat little programs or scripts out there that can help get some extra info.

Consider what the pagefile consists of…it's memory pages (4k) that get swapped out of main memory when they are no longer in use and additional room is required in main memory. It's not as if one might expect to find contiguous files in sequential 4k memory pages, although there are a number of objects (Event Log records, Registry keys, etc) that are less than 4k.

Tools I would recommend trying include scalpel and Jesse Kornblum's foremost. Right now, I am not aware of any tools that are available that parse Registry keys and event records out of memory or the pagefile, but it is something I've been working on during my copious spare time.

Another method for analyzing the pagefile requires the use of the contents of physical memory. In Jesse Kornblum's "Buffalo" paper, he talks about parsing the PTE/PDE in RAM to see what pages have been swapped out to the pagefile…using that, you can then pull those pages from the pagefile and use them to reconstruct the objects available in main memory.

Hope that helps,

H

 
Posted : 02/10/2007 4:15 pm
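The page-table merge tgoldsmith describes and the PTE/PDE method keydet89 cites from the Buffalo paper come down to the same step: decide, per PTE, whether a virtual page is still in RAM, has been written to a pagefile, or is demand-zero, and then pull its 4K from the right source. The block below is an added example, not code from this thread or from any of the tools named in it; the 32-bit non-PAE PTE layout, the tiny RAM image, the pagefile contents and all function names are constructed assumptions for the demo.

```python
from typing import Dict, List, Optional, Tuple
PAGE = 4096  # x86 page size; the pagefile is a flat run of such pages
# Assumed x86 non-PAE PTE layout: bit 0 Valid, bits 1-4 PageFileLow (pagefile #),
# bits 5-9 Protection, bit 10 Prototype, bit 11 Transition, bits 12-31 PFN for a
# resident page or PageFileHigh (page number inside the pagefile) for a paged-out one.

def classify_pte(pte: int) -> Tuple[str, object]:
    """Return (kind, location) for one 32-bit PTE."""
    if pte & 1:                      # valid: frame is in RAM, PFN in bits 12-31
        return ("ram", (pte >> 12) * PAGE)
    if pte & (1 << 10):              # prototype PTE: shared/mapped, needs the section's PTE array
        return ("prototype", None)
    if pte & (1 << 11):              # transition: not valid, but the frame is still in RAM
        return ("ram", (pte >> 12) * PAGE)
    high = pte >> 12
    if high == 0:                    # demand-zero: never written, reads as zeros
        return ("demand_zero", None)
    return ("pagefile", ((pte >> 1) & 0xF, high * PAGE))   # (pagefile number, byte offset)

def read_page(pte: int, ram: bytes, pagefiles: Dict[int, bytes]) -> Optional[bytes]:
    """Pull one 4 KiB page from the RAM image or from the matching pagefile."""
    kind, loc = classify_pte(pte)
    if kind == "ram":
        return ram[loc:loc + PAGE]
    if kind == "demand_zero":
        return bytes(PAGE)
    if kind == "pagefile":
        num, off = loc
        pf = pagefiles.get(num)
        return pf[off:off + PAGE] if pf is not None and off + PAGE <= len(pf) else None
    return None                      # prototype PTEs are out of scope for this demo

def rebuild_range(ptes: List[int], ram: bytes, pagefiles: Dict[int, bytes]) -> List[Optional[bytes]]:
    return [read_page(p, ram, pagefiles) for p in ptes]  # merged RAM + pagefile view

# Constructed sample data: a two-page RAM image and a three-page pagefile 0.
RAM = b"R" * PAGE + b"S" * PAGE
PAGEFILES = {0: b"\x00" * PAGE + b"P" * PAGE + b"Q" * PAGE}
SAMPLE_PTES = [
    0x00001063,   # valid, PFN 1                -> RAM page 1 ("S")
    0x00000800,   # transition, PFN 0           -> RAM page 0 ("R")
    0x00002080,   # paged out: file 0, page 2   -> pagefile offset 0x2000 ("Q")
    0x00000080,   # demand-zero                 -> 4096 zero bytes
    0x00000400,   # prototype                   -> not resolvable from these inputs
]

if __name__ == "__main__":
    for pte, page in zip(SAMPLE_PTES, rebuild_range(SAMPLE_PTES, RAM, PAGEFILES)):
        print(f"PTE {pte:#010x}: {classify_pte(pte)[0]:<11} {(page[:4] if page else None)!r}")
```

On a real image the PTE array comes from walking the page directory of the process of interest, and PAE or x64 layouts use 64-bit entries with the same flag positions but different field widths.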
(@mistermister)
Posts: 18
Active Member
 

If there is a list of file names in the pagefile.sys, what is the relevance of this?

 
Posted : 17/10/2007 4:31 pm
 ddow
(@ddow)
Posts: 278
Reputable Member
 

If there is a list of file names in the pagefile.sys, what is the relevance of this?

Depends on the context, nature of the case, and what else the names are associated with. It could be a Christmas card list or a list of co-conspirators.

 
Posted : 17/10/2007 5:04 pm
(@mbrown)
Posts: 27
Eminent Member
 

Sorry to revive an old thread. But does anyone know if you can acquire pagefile.sys using FTK Imager and then analyze it using something like Volatility? Thanks.

 
Posted : 31/12/2008 1:58 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

You can acquire the pagefile using F-Response and FTK Imager from a live system (from a hard drive on a write-blocker, it's a no brainer).

As to your question about Volatility, what have you read about it at the web site?

 
Posted : 31/12/2008 5:18 pm
(@fuzen)
Posts: 5
Active Member
 

Memoryze can make use of the paging file(s) if you run it on a live system.

Jesse's "Using Every Part of the Buffalo in Windows Memory Analysis" paper is a great place to start as well.

Memoryze http://www.mandiant.com/software/memoryze.htm
Audit Viewer http://blog.mandiant.com/archives/50
Jesse's paper http://jessekornblum.com/research/papers/buffalo.pdf

Memoryze does not currently support acquiring the paging file(s) to be used with a memory snapshot because of synchronization issues.

Jamie

 
Posted : 31/12/2008 10:54 pm
(@mbrown)
Posts: 27
Eminent Member
 

Thanks guys.

 
Posted : 01/01/2009 5:04 pm