I know that Thumbs.db stores mini thumbnails, but are there any other files of interest to an investigation that have a similar database structure? I was curious about examining pst files; however, I hear they are a nightmare to deconstruct.
I was also looking at the page file, but if it is in use I cannot copy it. Are there any methods available to gain access to the page file on a live system to copy it? It keeps erroring when I try it.
Thanks in advance
Ryan
There are the thumbcache.db files in Vista. There are a few other applications that cache graphics also, but I'm not sure if they have the same structure.
As for the pagefile, you could use something like WinHex to copy it out…
Right click on pagefile.sys and select 'Recover/Copy'. Should be possible in similar applications too.
Kind Regards,
Minesh
Dear Ryan,
You can't copy pagefile.sys because it is in use by the system, but you can use forensic tools like EnCase to copy any of the files. Similarly, you can copy other files like hiberfil.sys (the hibernation file), SAM, the SYSTEM hive, etc. using forensic tools.
Kush Wadhwa
You can also use a free tool called FTK Imager to do this operation (download it from the AccessData web page).
Good luck
You can't copy pagefile.sys because it is in use by the system
Specifically, the system has an exclusive file handle open to that file. The way to copy it (and the way tools like FTK Imager do) is to parse the MFT manually and copy out the appropriate data runs using raw disk reads, thus avoiding the file access issues.
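The mechanism described in the reply above, locating a locked file's clusters through its MFT record and reading them straight from the raw volume, is illustrated by the following added example. It is not code from any poster or from FTK Imager; it only shows the core step those tools perform: decoding the run list of an NTFS $DATA attribute into absolute cluster ranges and reading those clusters from a volume handle. Everything here is constructed for illustration, including the fake 64-byte "disk" in `demo()`; on a real system the volume object would be something like `open(r"\\.\C:", "rb")` (an assumption about how you would open the device, and it needs administrative rights), and the run list would come from the pagefile's MFT record, which this example does not locate.

```python
import io
from typing import BinaryIO, List, Optional, Tuple

Run = Tuple[Optional[int], int]  # (absolute start cluster or None for sparse, cluster count)


def parse_data_runs(runlist: bytes) -> List[Run]:
    """Decode an NTFS run list into absolute (start_cluster, cluster_count) pairs.

    Layout of each run: one header byte whose low nibble is the byte width of the
    length field and whose high nibble is the byte width of the offset field.
    Length is little-endian unsigned; offset is little-endian *signed* and is
    relative to the start cluster of the previous run. An offset width of 0 means
    a sparse run (reads back as zeros). A zero header byte terminates the list.
    """
    runs: List[Run] = []
    pos = 0
    lcn = 0  # running absolute logical cluster number
    while pos < len(runlist):
        header = runlist[pos]
        pos += 1
        if header == 0:
            break
        len_size = header & 0x0F
        off_size = header >> 4
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError("truncated or malformed run list")
        length = int.from_bytes(runlist[pos:pos + len_size], "little", signed=False)
        pos += len_size
        if off_size == 0:
            runs.append((None, length))  # sparse run: no clusters on disk
        else:
            offset = int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn += offset  # relative to previous run, may move backwards
            runs.append((lcn, length))
    return runs


def read_runs(volume: BinaryIO, runs: List[Run], cluster_size: int,
              real_size: int, partition_offset: int = 0) -> bytes:
    """Read every run from the raw volume and trim to the attribute's real size.

    Bypasses the filesystem entirely, so the system's exclusive handle on the
    file does not matter; only the volume (or disk) handle must be readable.
    """
    out = bytearray()
    for lcn, count in runs:
        nbytes = count * cluster_size
        if lcn is None:
            out += b"\x00" * nbytes
            continue
        volume.seek(partition_offset + lcn * cluster_size)
        chunk = volume.read(nbytes)
        if len(chunk) != nbytes:
            raise IOError(f"short read at cluster {lcn}: wanted {nbytes}, got {len(chunk)}")
        out += chunk
    return bytes(out[:real_size])


def demo() -> bytes:
    """Constructed example: a 16-cluster volume with 4-byte clusters.

    The 'file' occupies clusters 3-4, then one sparse cluster, then cluster 9,
    and its real size is 14 bytes (the last cluster is only partly used).
    """
    disk = bytearray(64)
    disk[12:16] = b"PAGE"   # cluster 3
    disk[16:20] = b"FILE"   # cluster 4
    disk[36:40] = b"DATA"   # cluster 9
    # Run list: (len 2 @ +3), (sparse, len 1), (len 1 @ +6 from cluster 3), terminator
    runlist = bytes.fromhex("11 02 03 01 01 11 01 06 00")
    runs = parse_data_runs(runlist)
    return read_runs(io.BytesIO(disk), runs, cluster_size=4, real_size=14)


if __name__ == "__main__":
    print(demo())
```

The signed relative offset is the detail most home-grown parsers get wrong: a later run can legitimately sit at a lower cluster number than the previous one, so the offset must be decoded as two's complement, and a sparse run must advance the file position without moving the cluster cursor.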