Windows Vista Pagefile.sys information

18 Posts
9 Users
 ptyo
(@ptyo)
Posts: 13
Active Member
Topic starter
 

I need to know how Windows Vista Home Premium's 64-bit Pagefile.sys is handled on startup and shutdown for a CP case I am working on. I would appreciate it if anyone has a good resource I can view to answer my questions, so that if I have to testify in court I am knowledgeable about how the Pagefile.sys is used in Vista.

Thanks,

Pete

 
Posted : 01/05/2013 6:44 pm
ntexaminer
(@ntexaminer)
Posts: 49
Eminent Member
 

Is there something in particular you're interested in? This MS KB article covers clearing the page file at shutdown using the ClearPageFileAtShutdown registry value.

 
Posted : 01/05/2013 7:43 pm
 ptyo
(@ptyo)
Posts: 13
Active Member
Topic starter
 

I checked the registry value that the KB article refers to, and the system I'm investigating is not set up to delete the pagefile.sys on shutdown. So I need to find out when the pagefile.sys is created, so to speak.

Thanks,

pete

 
Posted : 01/05/2013 7:57 pm
 ptyo
(@ptyo)
Posts: 13
Active Member
Topic starter
 

Some more information. I know the Operating System was installed back in 2008. EnCase is telling me the Pagefile.sys was created in late 2012. I'm just trying to figure out why the pagefile was destroyed and then recreated in 2012, in case I'm asked in court.

 
Posted : 01/05/2013 8:01 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Have you tried creating a timeline of system activity? Timelines provide context and granularity…there may be a very good reason for what you're seeing.

Your assumptions here may be in asking how the OS "deals" with the pagefile, as well as that the pagefile was "destroyed" and then recreated at some point in 2012. This may not be the case at all. For example, the pagefile size may have been adjusted:
http://wiki.pcworld.com/index.php/Increasing_Page_File_Size_-_Windows_XP_and_Windows_Vista

I'd be sure to include Windows Event Logs, etc., in the timeline.

 
Posted : 01/05/2013 8:14 pm
ntexaminer
(@ntexaminer)
Posts: 49
Eminent Member
 

Some more information. I know the Operating System was installed back in 2008. EnCase is telling me the Pagefile.sys was created in late 2012. I'm just trying to figure out why the pagefile was destroyed and then recreated in 2012, in case I'm asked in court.

What are you basing the OS install date on? Could the OS have been upgraded (e.g. Home Premium to Ultimate)? This may cause the pagefile to be recreated. If that were the case, you could see if the InstallDate registry value data is around the same time as the creation date of the pagefile.

 
Posted : 01/05/2013 9:13 pm
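The two replies above (build a timeline, and compare the InstallDate registry value with the pagefile's creation date) can be turned into a small check. The script below is an added example, not code from anyone in this thread: it converts the pagefile's NTFS creation timestamp (a FILETIME) and the InstallDate DWORD (seconds since 1970 UTC) to datetimes, interprets ClearPageFileAtShutdown, and lists event-log entries that fall within a window of the pagefile's creation. The registry values, FILETIME and event-log lines are constructed sample values; an examiner would substitute the ones exported from the evidence image.

```python
# Added example (not from the thread): correlate pagefile.sys creation with
# registry values and event-log entries, as the replies above suggest.
# All sample values below are constructed for illustration.
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Windows/NTFS FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic keeps it exact."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def installdate_to_datetime(install_date: int) -> datetime:
    """InstallDate (HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion) is a
    REG_DWORD holding seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(install_date, tz=timezone.utc)


def clear_pagefile_at_shutdown(value) -> bool:
    """ClearPageFileAtShutdown (HKLM\\SYSTEM\\CurrentControlSet\\Control\\
    Session Manager\\Memory Management): only a REG_DWORD of 1 wipes the
    pagefile on a clean shutdown; 0 or a missing value leaves its contents."""
    return value == 1


def build_timeline(events):
    """events: iterable of (timestamp, source, description) tuples, any order."""
    return sorted(events, key=lambda e: e[0])


def events_near(timeline, anchor, window):
    """Entries whose timestamp lies within +/- window of the anchor time."""
    return [e for e in timeline if abs(e[0] - anchor) <= window]


def pagefile_context(install_date, clear_flag, pagefile_ft, log_events,
                     window=timedelta(hours=1)):
    """Summarise what surrounds the pagefile's creation timestamp."""
    installed = installdate_to_datetime(install_date)
    created = filetime_to_datetime(pagefile_ft)
    timeline = build_timeline(
        [(installed, "registry", "InstallDate"),
         (created, "$MFT", "pagefile.sys created (NTFS timestamp)")]
        + list(log_events))
    return {
        "installed": installed,
        "created": created,
        "cleared_at_shutdown": clear_pagefile_at_shutdown(clear_flag),
        # An OS upgrade/reinstall would move InstallDate next to the creation time.
        "reinstalled_near_creation": abs(installed - created) <= window,
        "nearby": events_near(timeline, created, window),
        "timeline": timeline,
    }


# --- constructed sample data (not from any real case) ---
SAMPLE_INSTALL_DATE = 1220011200                 # -> 2008-08-29 12:00 UTC
SAMPLE_CLEAR_AT_SHUTDOWN = 0                     # pagefile is not wiped on shutdown
SAMPLE_PAGEFILE_CREATED_FT = 129974472000000000  # -> 2012-11-15 10:00 UTC
SAMPLE_EVENTS = [  # System.evtx entries; 6006/6005 mark a shutdown and a boot
    (datetime(2012, 11, 15, 9, 40, tzinfo=timezone.utc), "System.evtx",
     "6006 Event Log service stopped (shutdown)"),
    (datetime(2012, 11, 15, 9, 58, tzinfo=timezone.utc), "System.evtx",
     "6005 Event Log service started (boot)"),
    (datetime(2013, 1, 4, 18, 30, tzinfo=timezone.utc), "System.evtx",
     "6005 Event Log service started (boot)"),
]

if __name__ == "__main__":
    ctx = pagefile_context(SAMPLE_INSTALL_DATE, SAMPLE_CLEAR_AT_SHUTDOWN,
                           SAMPLE_PAGEFILE_CREATED_FT, SAMPLE_EVENTS)
    print("OS installed:          ", ctx["installed"])
    print("pagefile.sys created:  ", ctx["created"])
    print("cleared at shutdown:   ", ctx["cleared_at_shutdown"])
    print("reinstall near creation", ctx["reinstalled_near_creation"])
    for ts, src, desc in ctx["nearby"]:
        print(f"  {ts:%Y-%m-%d %H:%M} {src:12} {desc}")
```

In the sample, the pagefile's creation sits two minutes after a boot that followed a clean shutdown, while InstallDate stays in 2008, which points at a reboot-time recreation (for instance after a size change) rather than a reinstall. Real timestamps should come from the $MFT and exported hives, and the window should be widened until the nearby list is informative.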
(@twjolson)
Posts: 417
Honorable Member
 

I guess the question I have is what are you trying to prove?

I assume that you found contraband images within the pagefile; how it was created really doesn't matter in that case. I think the more important point would be how the pagefile works, as that speaks to how the data got there.

My point is this: even if you ran some tests and found out how the pagefile is created (more exactly, how the create timestamp was updated), can you honestly say those are the only ways? Unless you did the coding, you couldn't.

My two cents.

 
Posted : 01/05/2013 9:27 pm
 ptyo
(@ptyo)
Posts: 13
Active Member
Topic starter
 

I assume that you found contraband images within the pagefile; how it was created really doesn't matter in that case. I think the more important point would be how the pagefile works, as that speaks to how the data got there.

Yes, I found thousands of contraband images in the pagefile.sys. So does anybody have any advice on how I can explain to the DA or a jury, in terms they would understand, how the Pagefile.sys works?

Also, I'm under the impression that since I don't have a live capture of the actual physical RAM, there is no way for me to back-trace where a picture came from, like what website etc.

Thanks,

Pete

 
Posted : 10/05/2013 8:47 pm
(@bithead)
Posts: 1206
Noble Member
 

So does anybody have any advice on how I can explain to the DA or a jury, in terms they would understand, how the Pagefile.sys works?

Since Windows 95, Windows-based operating systems have used a special file that acts as a sort of "scratch pad" to store modified pages that are still in use by some process. Page file space is reserved when the pages are initially committed; however, the page file locations are not chosen until the page is written to disk. So, in simplistic terms, the page file is used by Windows to hold temporary data which is swapped in and out of physical memory in order to provide a larger virtual memory set.
Technet

The page file, also known as the swap file, pagefile, or paging file, is a file on your hard drive Windows uses to store data that can’t be held by your computer’s random-access memory when it fills up.

Your computer stores files, programs, and other data you’re using in your RAM (random access memory) because it’s much faster to read from RAM than it is to read from a hard drive. For example, when you open Firefox, Firefox’s program files are read from your hard drive and placed into your RAM. The computer uses the copies in RAM rather than repeatedly reading the same files from your hard drive.

Programs store the data they’re working with here. When you view a web page, the web page is downloaded and stored in your RAM. When you watch a YouTube video, the video is held in your RAM.

When your RAM becomes full, Windows moves some of the data from your RAM back to your hard drive, placing it in the page file. This file is a form of virtual memory. While writing this data to your hard disk and reading it back later is much slower than using RAM, it’s back-up memory – rather than throwing potentially important data away or having programs crash, the data is stored on your hard drive.

Windows will try to move data you aren’t using to the page file. For example, if you’ve had a program minimized for a long time and it isn’t doing anything, its data may be moved to RAM. If you maximize the program later and notice that it takes a while to come back instead of instantly snapping to life, it’s being swapped back in from your page file. You’ll see your computer’s hard disk light blinking as this happens.
How-To-Geek

 
Posted : 11/05/2013 12:45 am
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

I found thousands of contraband images in the pagefile.sys. So anybody have any advice on how I can explain to the DA or a Jury in terms they would understand on how the Pagefile.sys works?

Pete, just curious, was this the only evidence of contraband images? Or is it merely supporting other, more conclusive evidence within the file system? The reason I ask is that, lacking date/time metadata, it might be awfully difficult to place the suspect "behind the keyboard" beyond a reasonable doubt. If you already have strong evidence for specific files, then you might downplay the Pagefile.sys evidence or omit it entirely, because it might actually create more questions than it resolves, and the jury (or judge) may become fixated on that.

It would be awesome to get an epilog so we know how things turned out.

 
Posted : 11/05/2013 2:50 am
Page 1 / 2