Windows Vista Pagefile.sys information


ptyo
Member
 

Re: Windows Vista Pagefile.sys information

Post Posted: May 10, 13 20:47

- twjolson

I assume that you found contraband images within the pagefile, how it was created really doesn't matter in that case. I think the more important point would be how the pagefile works, as that speaks to how the data got there.


Yes, I found thousands of contraband images in the pagefile.sys. So does anybody have any advice on how I can explain to the DA or a jury, in terms they would understand, how the pagefile.sys works?

Also, I'm under the impression that since I don't have a live capture of the actual physical RAM, there is no way for me to back-trace where a picture came from, like what website, etc.

Thanks,

Pete  
 
  

BitHead
Senior Member
 

Re: Windows Vista Pagefile.sys information

Post Posted: May 11, 13 00:45

- ptyo
So anybody have any advice on how I can explain to the DA or a Jury in terms they would understand on how the Pagefile.sys works?

Since Windows 95, Windows-based operating systems have used a special file that acts as a sort of "scratch pad" to store modified pages that are still in use by some process. Page file space is reserved when the pages are initially committed, however the page file locations are not chosen until the page is written to disk. So, in simplistic terms, the page file is used by Windows to hold temporary data which is swapped in and out of physical memory in order to provide a larger virtual memory set.
Technet

The page file, also known as the swap file, pagefile, or paging file, is a file on your hard drive Windows uses to store data that can’t be held by your computer’s random-access memory when it fills up.

Your computer stores files, programs, and other data you’re using in your RAM (random access memory) because it’s much faster to read from RAM than it is to read from a hard drive. For example, when you open Firefox, Firefox’s program files are read from your hard drive and placed into your RAM. The computer uses the copies in RAM rather than repeatedly reading the same files from your hard drive.

Programs store the data they’re working with here. When you view a web page, the web page is downloaded and stored in your RAM. When you watch a YouTube video, the video is held in your RAM.

When your RAM becomes full, Windows moves some of the data from your RAM back to your hard drive, placing it in the page file. This file is a form of virtual memory. While writing this data to your hard disk and reading it back later is much slower than using RAM, it’s back-up memory – rather than throwing potentially important data away or having programs crash, the data is stored on your hard drive.

Windows will try to move data you aren’t using to the page file. For example, if you’ve had a program minimized for a long time and it isn’t doing anything, its data may be moved to RAM. If you maximize the program later and notice that it takes a while to come back instead of instantly snapping to life, it’s being swapped back in from your page file. You’ll see your computer’s hard disk light blinking as this happens.
How-To-Geek  
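As an added example that is not part of BitHead's post or any forum member's code: the explanation above describes the pagefile as paged-out memory with no structure of its own, which is exactly why examiners carve it rather than parse it. The Python below does a minimal carve of a raw pagefile.sys dump for JPEG images and for http(s) URLs in both ASCII and UTF-16LE (the encoding many Windows components hold strings in), records the byte offset and SHA-256 of each hit so it can be documented and re-located, and deliberately has no timestamp field, because a paged-out page carries none. The sample buffer and the example.test URLs are constructed for the example; no real pagefile is read unless you call carve_file() on one.

```python
"""Carve JPEG images and URL strings out of a raw pagefile.sys dump.

Added example, not code from the forum thread. The sample buffer built by
build_sample() is constructed; carve_file() maps a real dump read-only.
"""
import hashlib
import mmap
import re
from dataclasses import dataclass
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image plus the prefix of the first marker
JPEG_EOI = b"\xff\xd9"      # end-of-image
_URL_CHARS = rb"A-Za-z0-9._~:/?#@!$&'()*+,;=%-"
URL_ASCII = re.compile(rb"https?://[" + _URL_CHARS + rb"]{4,}")
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[" + _URL_CHARS + rb"]\x00){4,}"
)


@dataclass(frozen=True)
class Hit:
    """One carved object. There is intentionally no timestamp: a pagefile
    page records nothing about when it was written or by which process."""
    kind: str       # "jpeg" or "url"
    offset: int     # byte offset in the source dump
    length: int
    sha256: str
    detail: str     # decoded URL, or the first JPEG marker after SOI


def carve_jpegs(buf, max_len: int = 16 * 1024 * 1024) -> list[Hit]:
    """Header-to-footer carve. Caveat: a JPEG with an embedded EXIF thumbnail
    holds a second SOI/EOI pair, so this stops at the thumbnail's EOI and
    yields a truncated image; production carvers walk the marker segments."""
    hits, pos = [], 0
    while (start := buf.find(JPEG_SOI, pos)) >= 0:
        end = buf.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > max_len:
            pos = start + 1          # no plausible footer for this header
            continue
        end += len(JPEG_EOI)
        blob = bytes(buf[start:end])
        hits.append(Hit("jpeg", start, len(blob), hashlib.sha256(blob).hexdigest(),
                        f"first marker 0xff{blob[3]:02x}"))
        pos = end
    return hits


def carve_urls(buf) -> list[Hit]:
    hits = []
    for rx, enc in ((URL_ASCII, "ascii"), (URL_UTF16, "utf-16-le")):
        for m in rx.finditer(buf):
            raw = bytes(m.group())
            hits.append(Hit("url", m.start(), len(raw),
                            hashlib.sha256(raw).hexdigest(), raw.decode(enc)))
    return hits


def carve(buf) -> list[Hit]:
    return sorted(carve_jpegs(buf) + carve_urls(buf), key=lambda h: h.offset)


def carve_file(path: str) -> list[Hit]:
    """Carve a multi-gigabyte dump without loading it into memory."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve(mm)


def save_hits(buf, hits: list[Hit], outdir: str) -> list[Path]:
    """Write each hit to <outdir>/<kind>_<offset>.<ext>; the offset in the
    name lets anyone re-locate the object in the original dump."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for h in hits:
        p = out / f"{h.kind}_{h.offset:012d}{'.jpg' if h.kind == 'jpeg' else '.txt'}"
        p.write_bytes(bytes(buf[h.offset:h.offset + h.length]))
        paths.append(p)
    return paths


def build_sample() -> bytes:
    """Constructed stand-in for a pagefile fragment, not real evidence."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + JPEG_EOI
    return (b"\x00" * 64
            + b"http://example.test/gallery/img01.jpg\x00"
            + b"\x00" * 32
            + jpeg
            + b"\x00" * 32
            + "https://example.test/search?q=test".encode("utf-16-le")
            + b"\x00" * 16)


if __name__ == "__main__":
    for h in carve(build_sample()):
        print(f"{h.offset:#010x} {h.kind:4} {h.length:5d} {h.sha256[:16]}... {h.detail}")
```

The offsets and hashes are what belong in a report; the URL strings say which sites were rendered into memory, but nothing here says when, which is the gap the rest of this thread is about.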
 
  

TuckerHST
Senior Member
 

Re: Windows Vista Pagefile.sys information

Post Posted: May 11, 13 02:50

- ptyo
I found thousands of contraband images in the pagefile.sys. So anybody have any advice on how I can explain to the DA or a Jury in terms they would understand on how the Pagefile.sys works?

Pete, just curious: was this the only evidence of contraband images? Or is it merely supporting other more conclusive evidence within the file system? The reason I ask is that, lacking date/time metadata, it might be awfully difficult to place the suspect "behind the keyboard" beyond a reasonable doubt. If you already have strong evidence for specific files, then you might downplay the Pagefile.sys evidence or omit it entirely, because it might actually create more questions than it resolves, and the jury (or Judge) may become fixated on that.

It would be awesome to get an epilog so we know how things turned out.
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com 
 
  

ptyo
Member
 

Re: Windows Vista Pagefile.sys information

Post Posted: May 12, 13 19:53

TuckerHST, no, this is not the only evidence of contraband images. Let me give you a little bit of history on what I'm working on without going into too many details. We conducted a compliance check on our sex offenders. This one was found to have what appeared to be child pornography. He was charged and arrested. I have him recorded talking to other persons admitting what he was doing and numerous times saying he was guilty of looking at these sites.

I'm new to the forensic world, so to speak. Here is what I have found: the only evidence I gave to the DA was the pagefile.sys carved images, since I thought it would be easier for the jury or DA to understand that, since the data was in the pagefile.sys, someone was actively viewing Lolita-type sites. The phone conversations, I hope, will put the suspect in front of the computer, since he admitted surfing those sites.

I found images in the unallocated space as well. I am under the impression that since it's in the unallocated space there is no metadata that would contain the date/time viewed, etc. I was able to use IEF (Internet Evidence Finder) and it revealed that IE private browsing was used to surf tons of pornographic websites. The only thing about this that struck me as odd is that in the unallocated pictures the only ones I saw were from the Firefox cache, not Internet Explorer, unless I just overlooked them. IEF parsed queries show searches for all kinds of things sexually related. It also found two .flv files of online adult camera footage, not of children.

I have to say, however, that some of the searches did give dates, which still confuses me. The dates according to IEF were in 2009 and the location was the pagefile.sys, which according to EnCase was created in 2012, so I'm a little confused about that. Hence I'm trying to find as much information as possible on the pagefile.sys. My hope is that if the person doesn't take a plea deal and this goes to trial, his multiple admissions of guilt, him already being a sex offender with child molestation charges, and the pictures from the pagefile.sys are worth a million words, I think.

I will be more than happy to try and keep you all posted as this case moves forward. With that being said, like most other departments, due to budget constraints I can't go to any type of forensic classes, so I'm learning on my own. This website has been a tremendous help to me. Well, I hope that kind of sums up everything for you. If you've got suggestions or advice, send them my way; I need all the help I can get.

Thanks,

Pete  
 
  

TuckerHST
Senior Member
 

Re: Windows Vista Pagefile.sys information

Post Posted: May 13, 13 23:12

Pete, given that this is a compliance issue of a previously convicted sex offender, the phone conversations will probably be enough to get a plea deal. If it was a new case, I would be concerned that data carved from pagefile.sys might not be sufficient, lacking temporal data.

If there is evidence of software like CCleaner being installed, you might also want to assert that the computer was likely wiped (otherwise, why no deleted contraband files, or other relevant evidence in unallocated space?). Also, you might want to check this thread http://www.forensicfocus.com/Forums/viewtopic/t=10560/ which may strengthen your argument that contraband was downloaded and viewed, even though the original files are no longer available in the file system.

Actually, reviewing MRU lists and LNK files would come before the $LogFile and $UsnJrnl, but you've probably already done that.

Thanks for sharing this case with us.
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com 
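The post above points at MRU lists and LNK files as the artifacts that can supply the temporal context a pagefile carve lacks. As an added example that is not code from this thread or from Aptegra: a Windows shortcut (.lnk) begins with a fixed 76-byte ShellLinkHeader (MS-SHLLINK section 2.1) that stores the target's creation, access and write times as FILETIME values, so even a shortcut whose target file has been deleted or wiped still says when that target existed and was last written. The Python below converts FILETIME to and from datetime, validates the header size and LinkCLSID, and reads the three timestamps. The sample shortcut is constructed by build_lnk_header() in the same file; it is not a real shortcut from any case, and parse_lnk_file() is the only function that touches disk.

```python
"""Read the target timestamps from a Windows shortcut (.lnk) header.

Added example, not code from the forum thread. Only the 76-byte
ShellLinkHeader (MS-SHLLINK 2.1) is parsed; the optional structures that
follow it (IDList, LinkInfo, string data) are out of scope here.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<I16sIIQQQIiIH2s4s4s"         # MS-SHLLINK 2.1 field order, little-endian
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 0x4C == 76
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means 'not recorded'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds
    return micros * 10


def parse_lnk_header(data: bytes) -> dict:
    """Validate the header and return its timestamps and size fields."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file (bad HeaderSize or LinkCLSID)")
    return {
        "link_flags": flags,
        "file_attributes": attrs,
        "creation_time": filetime_to_datetime(ctime),   # target's times, not the .lnk's
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": fsize,                              # target size when the link was made
        "show_command": show,
    }


def parse_lnk_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return parse_lnk_header(fh.read(HEADER_SIZE))


def build_lnk_header(created: datetime, accessed: datetime, written: datetime,
                     file_size: int) -> bytes:
    """Constructed header-only shortcut: LinkFlags=0 so no structures follow."""
    return struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, 0, 0x20,
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(written), file_size,
                       0, 1, 0, b"\x00" * 2, b"\x00" * 4, b"\x00" * 4)


# Constructed sample values, not from any real case.
SAMPLE_CREATED = datetime(2009, 3, 2, 9, 15, 0, tzinfo=timezone.utc)
SAMPLE_WRITTEN = datetime(2009, 6, 15, 14, 30, 0, tzinfo=timezone.utc)
SAMPLE_LNK = build_lnk_header(SAMPLE_CREATED, SAMPLE_WRITTEN, SAMPLE_WRITTEN, 48213)

if __name__ == "__main__":
    for key, value in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{key:16} {value}")
```

Note that these are the target's timestamps copied in at link creation, which is why a shortcut can still date a file that no longer exists; the .lnk's own filesystem timestamps date the user's interaction with it and are read from the MFT, not from this header.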
 
  

jaclaz
Senior Member
 

Re: Windows Vista Pagefile.sys information

Post Posted: May 14, 13 00:45

- TuckerHST

If there is evidence of software like CCleaner being installed, you might also want to assert that the computer was likely wiped (otherwise, why no deleted contraband files, or other relevant evidence in unallocated space?).

Or, more simply, correctly maintained:
www.forensicfocus.com/...ic/t=5410/

Please also remember - generally speaking - that you have to place the suspect before the keyboard and screen, see:
www.forensicfocus.com/...pic/t=9275
www.forensicfocus.com/...9/#6559899

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

ptyo
Member
 

Re: Windows Vista Pagefile.sys information

Post Posted: Sep 06, 13 19:17

Update. Trial is coming up and I'm doing more work on this case again. The individual was indicted on 20 counts of sexual exploitation of children. So, my issue. I just went through my first actual forensics class a few weeks back. I got with the DA and reprocessed to see if I could get more supporting evidence for the charges.

So what are my concerns? First, I have never actually had to testify on the stand, since most stuff is just probation violations, which they settle. So yes, I am a little nervous; I don't want to mess this up. I could use all the help I can get to prepare me for court. So here are the tools I have available to use: EnCase 6 and 7, FTK 4 and 5, and I also have a trial of IEF 6. IEF 6 found tons of pornographic websites with titles like Lolita's, Illegal Child Porn, etc. I have numerous volume shadow copies with the pagefile.sys and registry keys, etc. I exported a few of the pagefile.sys files and ran IEF 6 on them and, lo and behold, porn everywhere. Yet no cookies, index.dat, .lnk files, etc.

So based on the pagefile.sys, can I show "constructive possession"? Which in my case is defined as: "Constructive possession of contraband exists where a person, though not in actual possession, knowingly has both the power and the intention at a given time to exercise dominion or control over a thing." Also: "Both knowledge and possession may be proved, like any other fact, by circumstantial evidence."

The computer evidence isn't the only thing we have to prosecute on; we have audio too, with a wealth of information as well. As if that all isn't confusing enough, I will be sitting down with the ADA in a couple of weeks to prep for trial. What kind of questions should I have her ask that support our case? I have about a week to get a supplemental report to her. Any advice or suggestions would be greatly appreciated. Please bear with me; I am very new to forensics and have a really generic grasp on everything. Something that may be obvious to a seasoned examiner may not be obvious to me. I did try to find information in IntelliForms, but once I cracked the user's password in PRTK and then pasted the ntuser.dat file in, it said no passwords found. There are no TypedURLs or search strings either.
 

Page 2 of 3