Windows Vista Pagefile.sys information


ptyo
Member
 

Windows Vista Pagefile.sys information

Post Posted: May 01, 13 18:44

I need to know how Windows Vista Home Premium's 64-bit Pagefile.sys is handled on startup and shutdown for a CP case I am working on. I would appreciate it if anyone has a good resource I can view to answer my questions, so if I have to testify in court I am knowledgeable about how the Pagefile.sys is used in Vista.

Thanks,

Pete  
 
  

ntexaminer
Senior Member
 

Re: Windows Vista Pagefile.sys information

Post Posted: May 01, 13 19:43

Is there something in particular you're interested in? This MS KB article covers clearing the page file at shutdown using the ClearPageFileAtShutdown registry value.
_________________
df-stream.com | usbdetective.com 
 
  

ptyo
Member
 

Re: Windows Vista Pagefile.sys information

Post Posted: May 01, 13 19:57

I checked the registry value that the KB article refers to, and the system I'm investigating is not set up to delete the pagefile.sys on shutdown. So I need to find out when the pagefile.sys is created, so to speak.

Thanks,

pete  
 
  

ptyo
Member
 

Re: Windows Vista Pagefile.sys information

Post Posted: May 01, 13 20:01

Some more information. I know the Operating System was installed back in 2008. EnCase is telling me the Pagefile.sys was created late 2012. I'm just trying to figure out why the pagefile was destroyed then recreated in 2012, in case I'm asked in court.  
 
  

keydet89
Senior Member
 

Re: Windows Vista Pagefile.sys information

Post Posted: May 01, 13 20:14

Have you tried creating a timeline of system activity? Timelines provide context and granularity...there may be a very good reason for what you're seeing.

Your assumptions here may be in asking how the OS "deals" with the pagefile, as well as that the pagefile was "destroyed" and then recreated at some point in 2012. This may not be the case at all. For example, the pagefile size may have been adjusted:
wiki.pcworld.com/index...dows_Vista

I'd be sure to include Windows Event Logs, etc., in the timeline.  
 
  

ntexaminer
Senior Member
 

Re: Windows Vista Pagefile.sys information

Post Posted: May 01, 13 21:13

- ptyo
Some more information. I know the Operating System was installed back in 2008. EnCase is telling me the Pagefile.sys was created late 2012. I'm just trying to figure out why the pagefile was destroyed then recreated in 2012, in case I'm asked in court.


What are you basing the OS install date on? Could the OS have been upgraded (e.g. Home Premium to Ultimate)? This may cause the pagefile to be recreated. If that were the case, you could see if the InstallDate registry value data is around the same time as the creation date of the pagefile.
_________________
df-stream.com | usbdetective.com 
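
The comparison suggested in the post above, as an added example that is not part of the original thread: InstallDate (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion) is a REG_DWORD holding seconds since 1970 UTC, while an NTFS creation time is a 64-bit FILETIME counting 100 ns ticks since 1601 UTC, so both have to be decoded before they can be compared. The function names, the 24-hour tolerance and the sample values are assumptions made for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def install_date_to_utc(raw: bytes) -> datetime:
    """InstallDate: 4-byte little-endian REG_DWORD, seconds since 1970 UTC."""
    if len(raw) != 4:
        raise ValueError("InstallDate must be a 4-byte REG_DWORD")
    (seconds,) = struct.unpack("<I", raw)
    if seconds == 0:
        raise ValueError("InstallDate is zero (value not populated)")
    return UNIX_EPOCH + timedelta(seconds=seconds)


def filetime_to_utc(raw: bytes) -> datetime:
    """NTFS timestamp: 8-byte little-endian count of 100 ns ticks since 1601 UTC."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    if ticks == 0:
        raise ValueError("FILETIME is zero (timestamp not set)")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def compare_install_to_pagefile(install_raw, created_raw,
                                tolerance=timedelta(hours=24)):
    """Decode both values and report whether they fall within `tolerance`."""
    installed = install_date_to_utc(install_raw)
    created = filetime_to_utc(created_raw)
    gap = abs(created - installed)
    return {"installed": installed, "created": created,
            "gap": gap, "close": gap <= tolerance}


# Constructed sample values, not taken from the case in the thread.
SAMPLE_INSTALL = struct.pack("<I", 1352808000)          # 2012-11-13 12:00:00 UTC
SAMPLE_CREATED = struct.pack("<Q", 129972828000000000)  # 2012-11-13 12:20:00 UTC

if __name__ == "__main__":
    result = compare_install_to_pagefile(SAMPLE_INSTALL, SAMPLE_CREATED)
    print("InstallDate     :", result["installed"].isoformat())
    print("Pagefile created:", result["created"].isoformat())
    print("Gap             :", result["gap"])
    print("Within tolerance:", result["close"])
```

Both values decode to UTC, so compare them in UTC rather than in whatever display time zone the forensic tool is configured to use.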
 
  

twjolson
Senior Member
 

Re: Windows Vista Pagefile.sys information

Post Posted: May 01, 13 21:27

I guess the question I have is what are you trying to prove?

I assume that you found contraband images within the pagefile; how it was created really doesn't matter in that case. I think the more important point would be how the pagefile works, as that speaks to how the data got there.

My point is this: even if you ran some tests, and found out how the pagefile is created (more exactly, how the create timestamp was updated), can you honestly say those are the only ways? Unless you did the coding, you couldn't.

My two cents.  
 

Page 1 of 3