Text found in pagefile.sys


busby
Newbie
 

Text found in pagefile.sys

Posted: May 21, 08 17:38

Here's the scenario:
Suspect's machine running XP Pro and using Outlook Express with preview pane option on.

FTK has pulled out some significant text from pagefile.sys. Suspect says he has never seen it, but it may have been contained in an email attachment which he received but has never opened/viewed.

Does the presence of that text in the pagefile prove that the text has been viewed, or the attachment opened, or could it have resulted from the attachment having been loaded into the ..\Local Settings\Temp directory of the active user account as he scrolled through his emails?

Any suggestions gratefully received!  
 
  

Jonathan
Senior Member
 

Re: Text found in pagefile.sys

Posted: May 21, 08 20:38

In general, it's difficult to say authoritatively that anything has been viewed on a computer. You can show that a file has been accessed by a user or by the default behaviour of a process or application, but not that it was actually viewed/seen by someone. Furthermore, if you, for example, received an email with a 10 page Word attachment – it could be shown that this Word document had been saved at a certain location by a particular user but it couldn't be shown that he'd scrolled down and seen page 8 of the document, which may contain a diagram or whatever which is crucial to the case.

I think in your situation, if there are no other pointers near your artefact in the pagefile or even elsewhere on the system then all you can credibly say about it is that, at some time, it was present on your suspect's hard drive.
_________________
Forensic Control
twitter.com/ForensicControl
St Bride Foundation, 14 Bride Lane, London, EC4Y 8EQ 
 
  

keydet89
Senior Member
 

Re: Text found in pagefile.sys

Posted: May 21, 08 21:52

- busby

Does the presence of that text in the pagefile prove that the text has been viewed, or the attachment opened, or could it have resulted from the attachment having been loaded into the ..\Local Settings\Temp directory of the active user account as he scrolled through his emails?


No. But Registry analysis might. I've used Registry analysis several times to locate indications of users actually viewing documents.
 
  

Jonathan
Senior Member
 

Re: Text found in pagefile.sys

Posted: May 21, 08 22:46

- keydet89
- busby

Does the presence of that text in the pagefile prove that the text has been viewed, or the attachment opened, or could it have resulted from the attachment having been loaded into the ..\Local Settings\Temp directory of the active user account as he scrolled through his emails?


No. But Registry analysis might. I've used Registry analysis several times to locate indications of users actually viewing documents.


How can the registry show that a user actually viewed something as opposed to just opening it? In the OP's scenario he mentions finding a fragment of text in the pagefile and no associated meta-data...how would registry analysis help here to show that a user had seen the fragment of text in question? I'd be interested in finding out.
_________________
Forensic Control
twitter.com/ForensicControl
St Bride Foundation, 14 Bride Lane, London, EC4Y 8EQ 
 
  

keydet89
Senior Member
 

Re: Text found in pagefile.sys

Posted: May 22, 08 00:30

- Jonathan

How can the registry show that a user actually viewed something as opposed to just opening it? In the OP's scenario he mentions finding a fragment of text in the pagefile and no associated meta-data...how would registry analysis help here to show that a user had seen the fragment of text in question? I'd be interested in finding out.


Take the sample text from the pagefile and do a search of the hard drive. If the sample appears in a document on the hard drive, use a tool like RegRipper to determine if the document was viewed by a particular user. If the text appears in a cached web page...well...

HTH  
 
  
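The "search the hard drive for the pagefile fragment" step described above, as an added example that is not code from the thread or from any of the tools named in it. It assumes a constructed directory tree (a UTF-16 document, a mail store with a base64 attachment, an unrelated file) and a constructed fragment; the point is that the same text can sit on disk in several encodings, so a single plain-text search can miss it.

```python
import base64
import os
import tempfile


def encoded_forms(fragment: str) -> dict[str, list[bytes]]:
    """Byte patterns under which a recovered text fragment may appear in files on disk."""
    raw = fragment.encode("utf-8")
    forms = {"ascii/utf-8": [raw], "utf-16le": [fragment.encode("utf-16-le")]}
    # Base64 (MIME attachments in mail stores): the fragment can start at any of the
    # three positions inside a 3-byte group, so emit one pattern per alignment and strip
    # the leading/trailing characters whose value depends on unknown neighbouring bytes.
    b64 = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + raw)
        head = (0, 2, 3)[k]
        tail = (0, 3, 2)[(k + len(raw)) % 3]
        b64.append(enc[head:len(enc) - tail])
    forms["base64"] = b64
    return forms


def search_tree(root: str, fragment: str) -> list[tuple[str, str, int]]:
    """Return (path, encoding, offset) for every file under root that contains the fragment."""
    forms = encoded_forms(fragment)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()  # whole-file read; chunk with overlap for large images
            for label, patterns in forms.items():
                for pat in patterns:
                    pos = data.find(pat)
                    if pos != -1:
                        hits.append((path, label, pos))
    return hits


def demo() -> list[tuple[str, str, int]]:
    """Constructed sample: a UTF-16 document, a base64-encoded mail attachment, and noise."""
    fragment = "quarterly figures are falsified"  # constructed pagefile fragment
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "report.doc"), "wb") as fh:
        fh.write(("Memo: the " + fragment + " for Q3.").encode("utf-16-le"))
    body = base64.b64encode(("Attached: " + fragment + "\r\n").encode()).decode()
    with open(os.path.join(root, "inbox.dbx"), "wb") as fh:
        fh.write(b"Content-Transfer-Encoding: base64\r\n\r\n" + body.encode())
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"nothing relevant here")
    return search_tree(root, fragment)
```

A hit only establishes that the text was present on the drive in that file; whether a user opened or viewed it is the separate registry question discussed in the rest of the thread.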

Jonathan
Senior Member
 

Re: Text found in pagefile.sys

Posted: May 22, 08 01:22

- keydet89
- Jonathan


Take the sample text from the pagefile and do a search of the hard drive. If the sample appears in a document on the hard drive, use a tool like RegRipper to determine if the document was viewed by a particular user. If the text appears in a cached web page...well...

HTH


Sure, but I presume that the OP found it in pagefile only via the FTK text search function and they found it only there otherwise they would have mentioned it? Perhaps they can provide more details.

By the way, you don't seem to differentiate between 'viewing' something and 'opening' or accessing it. Any reason for that? I think the terminology used to describe a user's actions is pretty important.
_________________
Forensic Control
twitter.com/ForensicControl
St Bride Foundation, 14 Bride Lane, London, EC4Y 8EQ 
 
  

chrisvaughanuk
Member
 

Re: Text found in pagefile.sys

Posted: May 22, 08 02:18

Agreed. The registry artefacts that were mentioned must surely only show access rather than viewing. It's pedantic but you have to be in this game!  
 

Page 1 of 3