Recovery of video from volatile memory

(@chloe)
Posts: 1
New Member
Topic starter
 

Hi,

I have been researching how the swap file works and it seems to be quite complex. Some say swap is only used if memory becomes in demand, yet I have seen that less intense memory functions, such as viewing image files, can cause images to be stored and they can be easily carved from swap, and that other low-memory files (doc, txt etc.) can also be readily recovered. So it seems swap is constantly used even if RAM is not in use. The degree to which this happens almost seems random, and any file or part of a file can end up in swap, although it tends to be the less accessed files on occasion.

Which leads me to my question, if a case involves only video and they have been overwritten (including slack) what are the chances video files (or frames) could be successfully recovered from the swap file? I understand that they would likely be extremely fragmented, and for video files (which are highly compressed) the break in information can render any video recovered unwatchable.

Has anyone had any experience of this? OR is it simply not worth the time? Especially considering that there will be no temporal data associated with any extracted file / partial file.

Thanks for any opinions on this!

 
Posted : 07/09/2018 3:36 pm
(@athulin)
Posts: 1156
Noble Member
 

I have been researching how the swap file works and it seems to be quite complex.

In most modern operating systems it is closely connected with virtual memory management, which can be complex. However, without knowing exactly what swap file you're referring to, or even if you're referring to a swap file at all …

Some say swap is only used if memory becomes in demand,

If you're researching Windows virtual memory management, you go to the Windows Internals books. For other operating systems, go to the corresponding documentation; OS X has at least one book on internal OS operation. I'm less well read on Linux memory management.

Basically, current but 'idle' memory pages are transferred to secondary storage to allow non-idle programs/processes to expand their working set (the number of active pages in primary memory). More complex scenarios try to fill memory with pages that are likely to be used in the near future. To know exactly what happens, you need either OS memory management source code, or a detailed description such as those found in books like Windows Internals. And you need to know how things like Prefetch/Superfetch work.

Depending on the operating system, a page file may only contain non-static pages, i.e. pages that the process has modified. Constant data (such as code and read-protected files) do not need to be paged out – they can be retrieved from their original files. But this varies, so it's important to know what the operating system you are interested in does in these cases.

So it seems swap is constantly used even if RAM is not in use.

It may seem so to you. But how sure are you that that is a true statement, and not just a statement that may be true in a particular situation and for a limited period of time? And can you decide if that situation/period of time was at hand?

Hint: Many operating systems come with tools for profiling and tuning. They may provide information about the number of page faults (when missing memory pages are fetched from a page file), or when 'dirty' pages (which have been modified) are written to a page file, etc. Such tools may help you examine what is going on. I should warn you that you do need to have at least a nodding acquaintance with virtual memory management and the terminology used to discuss this subject.

Which leads me to my question, if a case involves only video and they have been overwritten (including slack) what are the chances video files (or frames) could be successfully recovered from the swap file?

Your question is impossible to answer as it stands. You need to specify operating system, physical memory size, and video application for it to come closer to being possible to answer. Do you know any systems-level programming? If you do, it would be easier to point to system calls, but if programming is a closed book to you …

If you are referring to a real swap file, it usually contains full process images. Does a process image contain a full video? It may, if the program mmap's the video file into process memory. If it doesn't, but just reads the file cluster by cluster, you're only likely to find the latest cluster read or written.

If you are referring to a page file (which sometimes is also called a swap file), it contains individual memory pages (often 4 Kbyte chunks), not necessarily in any particular order, and memory pages from one process can be mingled with pages from another process. Recovery could be very similar to recovering a video from a highly fragmented hard disk. To know if it does, you need to get an idea of how 'busy' memory management was.

And then, of course, it may be totally impossible. Page and swap files are used when the system is active. On some systems, page file data may be erased to prevent sensitive information from leaking when the system is shut down. If yours is one of those operating systems, your questions may depend on whether such erasing is enabled or not.

It might be easier if you start from the other end: what forensic question are you trying to answer by looking inside the page file/swap file?

For example, if you're trying to determine if video X has been viewed or edited on this system, you may approach it by hashing video X sectors/clusters, and then looking for hash matches all over the disk. If you find N hash matches … you may possibly have found something interesting. But you need to lay a proper foundation for a conclusion, of course …

 
Posted : 07/09/2018 8:06 pm
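The sector-hash search suggested in the reply above, as an added example that is not part of this thread: it hashes every sector of a known file, scans a disk image sector by sector for matching hashes, and groups the hits into contiguous fragments so the degree of fragmentation is visible. The 512-byte sector size and the sample "video" and image are constructed assumptions.

```python
import hashlib
import random
from typing import Dict, List, Tuple

SECTOR = 512  # assumed sector size; real media may use 512 or 4096 bytes

def sector_hashes(data: bytes, sector: int = SECTOR) -> Dict[str, int]:
    """Map SHA-256 of each full sector of the known file to its index in that file.
    Single-repeated-byte sectors are skipped (they match everywhere), and so is the
    trailing partial sector, whose on-disk form depends on the slack after it."""
    table: Dict[str, int] = {}
    for i in range(len(data) // sector):
        chunk = data[i * sector:(i + 1) * sector]
        if len(set(chunk)) > 1:
            table.setdefault(hashlib.sha256(chunk).hexdigest(), i)
    return table

def scan_image(image: bytes, table: Dict[str, int], sector: int = SECTOR) -> List[Tuple[int, int]]:
    """Return (image_sector, file_sector) for every image sector whose hash is known.
    Sector-aligned scanning finds fragments wherever they were paged or written."""
    hits = []
    for j in range(len(image) // sector):
        digest = hashlib.sha256(image[j * sector:(j + 1) * sector]).hexdigest()
        if digest in table:
            hits.append((j, table[digest]))
    return hits

def fragments(hits: List[Tuple[int, int]]) -> List[Tuple[int, int, int]]:
    """Collapse hits into runs (image_start, file_start, sectors): a new run starts
    whenever the image position or the file position stops advancing in step."""
    runs: List[Tuple[int, int, int]] = []
    for img, fil in hits:
        if runs and runs[-1][0] + runs[-1][2] == img and runs[-1][1] + runs[-1][2] == fil:
            runs[-1] = (runs[-1][0], runs[-1][1], runs[-1][2] + 1)
        else:
            runs.append((img, fil, 1))
    return runs

def demo() -> Tuple[List[Tuple[int, int]], List[Tuple[int, int, int]]]:
    """Constructed data: a 10-sector 'video' and an image holding two fragments of it,
    mixed with zero sectors, unrelated noise and a half-sector remnant that must not match."""
    rng = random.Random(7)
    video = bytes(rng.getrandbits(8) for _ in range(10 * SECTOR))
    noise = bytes(rng.getrandbits(8) for _ in range(2 * SECTOR))
    zero = bytes(SECTOR)
    sec = lambda i: video[i * SECTOR:(i + 1) * SECTOR]
    image = (zero * 2 + sec(3) + sec(4) + sec(5) + noise + sec(0) + sec(1)
             + zero + sec(8)[:SECTOR // 2] + zero[:SECTOR // 2])
    hits = scan_image(image, sector_hashes(video))
    return hits, fragments(hits)
```

On real media the table would be built from the suspect file and the scan run over the page file or a full image; the zero-sector filter matters because all-zero sectors occur in both and would otherwise produce meaningless matches.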