pagefile.sys artifact

sdokurer
(@sdokurer)
Posts: 2
New Member
Topic starter
 

After searching for a file name as a keyword, I found it in pagefile.sys. It was an Internet Explorer artifact, and this artifact says the file was looked at before the installation date of the operating system. I suppose that this artifact comes from a previous operating system in the partition. When the existing operating system was installed in the partition, pagefile.sys allocated some clusters in the partition without wiping them. That means some data belonging to the previous operating system in the partition was allocated to pagefile.sys during its first creation.
I have tested it on Windows XP and Windows 7 respectively. In each test, I wiped a disk drive with 0xBB and then installed the operating system. When I looked at the pagefile.sys file with a hex editor I saw:
- In Windows 7's pagefile.sys, the first 4096 bytes (one cluster) are 0x00; the rest remains 0xBB.
- In Windows XP's pagefile.sys, a variable number of the first bytes (sometimes 700 sectors, sometimes 900 sectors) is filled with some data and the rest remains 0xBB.
As a result, I suppose:
- When the Windows operating system is installed, pagefile.sys allocates some clusters from the file system during its first creation, but it doesn't change the data in the clusters it allocates until the operating system needs to use them.
- When the operating system needs pagefile.sys, it may store some data there, and the size of the wiped 0xBB area diminishes.
My question is: how can I determine which range of pagefile.sys the Windows operating system uses? The important question is: does every piece of data found in pagefile.sys belong to the existing operating system or to a previous operating system? For example, if I carve a picture from pagefile.sys, does it mean the picture was opened in the existing operating system, or could it come from a previous operating system?

Thanks in advance.

Happy new year to all,

 
Posted : 31/12/2015 3:43 pm
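The hex-editor check described in the post above can be automated. The following script is an added example, not code from the thread or from any of its posters: it walks a page-file image cluster by cluster and reports which clusters still hold the wipe byte (0xBB in the poster's experiment), which are entirely zero, and which contain other data, so the "used" ranges of pagefile.sys can be listed instead of eyeballed. The 4096-byte cluster size, the wipe byte, the `pagefile.sys` path argument and the in-memory sample image are all assumptions constructed for the demonstration; for a data cluster it also reports what fraction of the wipe pattern survives, which flags clusters that were only partially overwritten.

```python
"""Map which clusters of a page-file image still hold a known wipe pattern.

Added example for the forum thread, not the poster's own tooling. Usage:

    python pagefile_map.py [path/to/pagefile.sys]

Without an argument it runs on a constructed sample image.
"""
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

CLUSTER_SIZE = 4096  # assumed NTFS default cluster size
WIPE_BYTE = 0xBB     # wipe pattern used in the poster's experiment


@dataclass
class Run:
    """A contiguous range of clusters with the same classification."""
    kind: str            # "wipe", "zero" or "data"
    start_cluster: int
    count: int
    cluster_size: int = CLUSTER_SIZE

    @property
    def offset(self) -> int:
        return self.start_cluster * self.cluster_size

    @property
    def length(self) -> int:
        return self.count * self.cluster_size


def classify_cluster(chunk: bytes, wipe_byte: int = WIPE_BYTE) -> str:
    """Classify one cluster as untouched wipe pattern, all zeros, or data."""
    if chunk == bytes([wipe_byte]) * len(chunk):
        return "wipe"
    if chunk == bytes(len(chunk)):
        return "zero"
    return "data"


def wipe_fraction(chunk: bytes, wipe_byte: int = WIPE_BYTE) -> float:
    """Fraction of bytes still equal to the wipe byte (partial-overwrite hint)."""
    return chunk.count(wipe_byte) / len(chunk) if chunk else 0.0


def iter_bytes_clusters(data: bytes, cluster_size: int = CLUSTER_SIZE) -> Iterator[bytes]:
    for off in range(0, len(data), cluster_size):
        yield data[off:off + cluster_size]


def iter_file_clusters(path: str, cluster_size: int = CLUSTER_SIZE) -> Iterator[bytes]:
    """Stream a (possibly multi-GB) page file without loading it whole."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(cluster_size)
            if not chunk:
                return
            yield chunk


def map_runs(clusters: Iterable[bytes], wipe_byte: int = WIPE_BYTE,
             cluster_size: int = CLUSTER_SIZE) -> List[Run]:
    """Collapse per-cluster classifications into contiguous runs."""
    runs: List[Run] = []
    for idx, chunk in enumerate(clusters):
        kind = classify_cluster(chunk, wipe_byte)
        if runs and runs[-1].kind == kind:
            runs[-1].count += 1
        else:
            runs.append(Run(kind, idx, 1, cluster_size))
    return runs


def summarize(runs: Iterable[Run]) -> Dict[str, int]:
    totals = {"wipe": 0, "zero": 0, "data": 0}
    for run in runs:
        totals[run.kind] += run.count
    return totals


def build_sample_image() -> bytes:
    """Constructed sample mimicking the Windows 7 observation: cluster 0 zeroed,
    most clusters still 0xBB, and two clusters later written by the OS."""
    zero = bytes(CLUSTER_SIZE)
    wipe = bytes([WIPE_BYTE]) * CLUSTER_SIZE
    used = (b"PAGE DATA " * (CLUSTER_SIZE // 10 + 1))[:CLUSTER_SIZE]
    # half-overwritten cluster: first half data, second half still wipe pattern
    partial = used[:CLUSTER_SIZE // 2] + wipe[CLUSTER_SIZE // 2:]
    return zero + wipe * 9 + used + partial + wipe * 4


def report(clusters: Iterable[bytes]) -> List[Run]:
    runs = map_runs(clusters)
    for run in runs:
        print(f"{run.kind:5s} clusters {run.start_cluster}-{run.start_cluster + run.count - 1}"
              f"  offset 0x{run.offset:X}  length {run.length} bytes")
    print("totals:", summarize(runs))
    return runs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(iter_file_clusters(sys.argv[1]))
    else:
        report(iter_bytes_clusters(build_sample_image()))
```

A cluster reported as "data" only tells you that something overwrote the wipe pattern after the wipe; it does not tell you which process wrote it or, on a drive that was not wiped first, whether the bytes predate the current installation, which is the caveat the replies below raise.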
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Interesting experiment )
BUT this is not really-really exact

After searching for a file name as a keyword, I found it in pagefile.sys. It was an Internet Explorer artifact, and this artifact says the file was looked at before the installation date of the operating system. I suppose that this artifact comes from a previous operating system in the partition. When the existing operating system was installed in the partition, pagefile.sys allocated some clusters in the partition without wiping them. That means some data belonging to the previous operating system in the partition was allocated to pagefile.sys during its first creation.

What you have found is in an area that currently is indexed in the filesystem as belonging to the extents of pagefile.sys.

For all you know that particular artifact may have well been residing (in the previous install) in the extents of (say) Internet Explorer Cache, which now is instead occupied by pagefile.sys.

It is a not-so-slight difference; IMHO, if you want to give more reliability to your analysis you also need to make sure that that particular artifact is actually created by IE only inside a pagefile.sys.

The real (additional) trouble is that there are many variables in the way an OS can be reinstalled, depending not only on the install method but also on the actual source files and device used. I doubt that the pagefile.sys is created with the same size and actual location in all cases, and for all you know a re-partitioning may have occurred before a "quick" format.

jaclaz

 
Posted : 31/12/2015 4:33 pm
(@athulin)
Posts: 1146
Noble Member
 

My question is: how can I determine which range of pagefile.sys the Windows operating system uses?

Begin reading about the design and architecture of virtual memory in operating systems. Then, read the Windows Internals volume (latest edition) on virtual memory management.

The important question is: does every piece of data found in pagefile.sys belong to the existing operating system or to a previous operating system?

In certain circumstances, it may be, but I can think of at least two other possible sources of anything found in the page file.

You may need to consider the security implications of leaving a page file around – and what options Windows gives you for avoiding doing so.

For example, if I carve a picture from pagefile.sys, does it mean the picture was opened in the existing operating system, or could it come from a previous operating system?

No. It *may* mean that, in some particular circumstance, but as your question appears to be entirely general, it doesn't apply to you.

You really have to understand what the page file is used for. That means learning about virtual memory.

And you need to know that a page file can be placed on just about any hard drive with the correct kind of file system. It needn't be a disk that has ever been touched by the present setup before.

 
Posted : 31/12/2015 6:49 pm
keydet89
(@keydet89)
Posts: 3578
Famed Member
 

Based on your post, it really sounds as if you've created a theory from a single artifact, and that you're spending considerable effort in attempting to prove your theory.

I get that you found an apparent IE artifact in the page file, based on a text search for a file name. Have you been able to validate that this is, indeed, an IE artifact?

Does the date represent what you think it represents? I ask, as I recently saw an analyst tell a client that the "last accessed" date of an IE artifact indicated that the user had visited the site a second time…but it turned out with a little bit of reading, the date he was referring to was actually the expiry date of the page the user had visited.

What additional evidence do you have to suggest that there was a previous operating system installed? Is there a "Windows.Old" folder?

 
Posted : 03/01/2016 5:19 pm