Pagefile.sys question  

Page 1 / 3
confusedyoungman
(@confusedyoungman)
New Member

Hello Folks

I'm learning more about Internet Forensics as a way to pass the time during the lovely pandemic. I'm getting the very basics together lol I know that files have to be overwritten multiple times to be truly deleted. And that the browser cache and pagefile.sys delete their files and overwrite them by themselves. However what I can't seem to find any information on is how long that tends to take. I know it varies so say on a computer that is used a couple of hours a night to browse the web would it be a few weeks or months? Or are chat logs of me trolling my friends and the pictures I looked up of Jennifer Aniston ten years ago when I was 17 still in the pagefiles.

 

I understand these may be stupid or obvious questions I am however just trying to pass the time I've been out of work since march so please forgive me lol.

Posted : 05/10/2020 10:02 pm
keydet89
(@keydet89)
Community Legend

> ...pagefile.sys delete their files and overwrite them by themselves.

Can you elaborate as to what you mean by that?  

You said, "pagefile.sys", so I'm thinking that you're referring to Windows.  What makes you think that it deletes/overwrites itself?

Posted : 06/10/2020 2:11 pm
confusedyoungman
(@confusedyoungman)
New Member

Sorry, my terminology will not be correct lol. It is Windows I mean, yes. I meant that I think that the same files don't stay in the pagefile.sys forever, that they are removed when not needed to make way for new files, and then once the file is removed it is replaced by something else. Is that not true, and everything that is saved by the pagefile.sys is on the hard drive for good?

Sorry for the stupid questions. I'm a law student, so I thought learning about computer forensics would be fun, and for some reason the pagefile is hard for me to wrap my head around.

Posted : 06/10/2020 3:30 pm
keydet89
(@keydet89)
Community Legend

> ... the same files don't stay in the pagefile.sys forever, that they are removed when not needed to make way for new files ...

It seems that fundamentally, you're not understanding the nature of the pagefile.  The pagefile does not store files, it stores memory pages, or fragments of what is being used in RAM.  As a result, once the page is no longer being actively used, yes, it will be overwritten.

As such, you're not likely to find what are most often thought of as complete 'files' (i.e., images, documents, spreadsheets, etc.) in the pagefile. You may find portions of files, as well as a wide range of other contents; again, the pagefile is used for temporary storage of memory pages.

Now, if you're carving for records, rather than full files, you may find valuable data in the pagefile.  Tools you can use include page_brute, bulk_extractor, etc.

> Sorry for the stupid questions

Not at all.

Posted : 07/10/2020 1:20 pm
confusedyoungman
(@confusedyoungman)
New Member

Thanks for the response. Your first paragraph makes it a lot clearer for me or at least makes it clearer what I don't know. So if a suspect has been chatting about buying drugs on a forum or a terrorist is in a chatroom and you found their computers you wouldn't be able complete 'files' in order to read what they are saying rather you would find evidence that they had been on the site?

 

I'm a law student and it is really baffling how most criminal law courses don't contain a crash course in this stuff in order to give lawyers a basic grasp. If I can get a handle on the basics I may do my dissertation on the effects of computer forensics on criminal cases.

Posted : 07/10/2020 7:02 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @confusedyoungman

> I know that files have to be overwritten multiple times to be truly deleted.

No.

A file needs to be overwritten ONCE; that is enough to make it irrecoverable.

There is this ongoing myth originating from a 1995 or 1996 paper by Prof. Gutmann, which was actually a little bit "vague" but which has been seriously misinterpreted by half to three-quarters of the internet and simply does not want to die, notwithstanding that the author himself clarified in follow-ups the exact nature and implications of the article, besides its limits.

See this thread and links within it:

https://www.forensicfocus.com/forums/general/overwrite-demonstration/

 

jaclaz

Posted : 07/10/2020 7:12 pm
keydet89
(@keydet89)
Community Legend

@confusedyoungman

> So if a suspect has been chatting about buying drugs on a forum or a terrorist is in a chatroom and you found their computers you wouldn't be able complete 'files' in order to read what they are saying rather you would find evidence that they had been on the site?

I'm not at all clear what "wouldn't be able complete files" is supposed to refer to, but to your overall question, I'm not aware of many forums or chat applications that maintain logs of what a user typed, not any more, that is.  While you might find fragments of conversations in memory or within the pagefile, I can't say with certainty that there'd be enough context to make it of value.

Posted : 07/10/2020 7:30 pm
keydet89
(@keydet89)
Community Legend

@jaclaz

> ...seriously misinterpreted by half to three-quarters of the internet...

A friend of mine once described this phenomenon to me... in short, when someone hears or sees/reads something that is a bit more technical than they can grasp, there is a tendency to reduce it to something understandable. As a result, things like "magnetic resonance imaging" are essentially dropped from the understanding, leaving just, "it has to be overwritten many times, blah, blah, blah".

Sadly, this is also where we get terms like "military grade".  I served in the US military...anyone in their right mind does not want to use something that's "military grade", given that whatever it is produced by the lowest bidder.

Posted : 07/10/2020 7:35 pm
confusedyoungman
(@confusedyoungman)
New Member

'I'm not at all clear what "wouldn't be able complete files" is supposed to refer to,'

Sorry that was meant to say recover complete files (or whatever the correct terminology is)

 'While you might find fragments of conversations in memory or within the pagefile, I can't say with certainty that there'd be enough context to make it of value.'

Would it just be random words or sentences or full messages if you happened to find anything? Or would that general depend?

One last question: https://www.forensicfocus.com/forums/general/windows-vista-pagefile-sys-information/#post-6566926 in this thread the investigator says that he found thousands of images in the pagefile and that some dated back three years (2009 from 2012). Reading this is what confused me, because it read like the images were saved on the hard drive. I'm probably just completely misunderstanding what is happening there.

Thanks again for taking the time to educate the ignorant haha

Posted : 07/10/2020 8:11 pm
confusedyoungman
(@confusedyoungman)
New Member

@jaclaz

Oh thanks very much I really appreciate the info I'm ever so slightly less ignorant haha

Posted : 07/10/2020 8:12 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @confusedyoungman

> One last question: https://www.forensicfocus.com/forums/general/windows-vista-pagefile-sys-information/#post-6566926 in this thread the investigator says that he found thousands of images in the pagefile and that some dated back three years (2009 from 2012). Reading this is what confused me, because it read like the images were saved on the hard drive. I'm probably just completely misunderstanding what is happening there.

That is a particular case (of which BTW we have not enough details).

Let's say that the pagefile.sys does actually contain thousands of images.

How exactly did they arrive there?

Now, what would prevent someone from disabling the pagefile and using a file called pagefile.sys to store images? (I suspect this is what happened in that case.)

A pagefile rarely contains "whole" files and, besides, recovering (in such a way that it is viewable) an even slightly corrupted .jpeg file is far from trivial.

The actual info in the pagefile is not "files", see:

http://www.bluekaizen.org/virtual-memory-basics-why-look-at-pagefile-sys/

If you prefer, the pagefile.sys is essentially a box of puzzle pieces (4 KB in size each) that you have in no particular order (and possibly with quite a few missing pieces) that you have to re-assemble BUT without having the actual puzzle picture as reference AND while blindfolded.

There is simply NO way on earth that you can extract thousands of images from a "normal" pagefile.

jaclaz 

Posted : 08/10/2020 10:24 am
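Added example, not code from either poster and not from page_brute or bulk_extractor: a small Python simulation of the two points made above, keydet89's advice to carve for records rather than whole files, and jaclaz's description of the pagefile as 4 KB puzzle pieces in no particular order with pieces missing. It builds a constructed six-page "process memory" holding two chat lines (with a URL placed so it straddles a page boundary, and an IP address) and a JPEG-like blob spanning three pages, then emulates what lands in pagefile.sys by writing the pages out in a scrambled order with one page never paged out. The same regex scan and JPEG marker search are then run over both images. The chat text, the example.org URL, the 192.0.2.17 address, the page order and the blob are all constructed sample data; the scanner is a simplified regex pass in the spirit of bulk_extractor, not its code.

```python
"""Constructed demo: carving records from a pagefile-like image (example, not a real tool)."""
import re

PAGE_SIZE = 4096  # a Windows memory page, and the unit the pagefile holds

# --- constructed sample data (not from any real system) ---------------------
CHAT = (b"[2020-10-07 19:02] alice: see https://example.org/forums/topic/1234\n"
        b"[2020-10-07 19:03] bob: peer is 192.0.2.17 tonight\n")
# A JPEG-like blob: SOI/APP0 marker, 2.5 pages of body, EOI marker.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * (PAGE_SIZE * 5 // 2) + b"\xff\xd9"


def build_process_memory() -> bytes:
    """Six contiguous 4 KB pages as a process sees them in RAM.
    The chat starts 50 bytes before the page 0/1 boundary, so the URL is cut
    across two pages; the JPEG starts 100 bytes into page 2 and spans pages 2-4."""
    mem = bytearray(6 * PAGE_SIZE)
    chat_at = PAGE_SIZE - 50
    mem[chat_at:chat_at + len(CHAT)] = CHAT
    jpeg_at = 2 * PAGE_SIZE + 100
    mem[jpeg_at:jpeg_at + len(JPEG)] = JPEG
    return bytes(mem)


def build_pagefile_image(memory: bytes, order=(4, 1, 5, 0, 2)) -> bytes:
    """Emulate pagefile.sys contents: pages written out in no particular order.
    Page 3 (the middle of the JPEG) is absent from `order`: it was never paged
    out, i.e. a missing puzzle piece. `order` is a constructed, fixed permutation."""
    n_pages = len(memory) // PAGE_SIZE
    pages = [memory[i * PAGE_SIZE:(i + 1) * PAGE_SIZE] for i in range(n_pages)]
    return b"".join(pages[i] for i in order)


# Record-level patterns: a URL and a dotted-quad IPv4 address.
URL_RE = re.compile(rb"https?://[A-Za-z0-9./_?=&%-]+")
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def carve_strings(image: bytes, pattern):
    """Scan the whole image for a record pattern, ignoring page structure.
    Returns (page_index_in_image, matched_bytes) for every hit."""
    return [(m.start() // PAGE_SIZE, m.group()) for m in pattern.finditer(image)]


def carve_jpeg(image: bytes):
    """Naive file carve: first SOI marker, then the next EOI marker after it.
    Returns (soi_offset, eoi_offset or None, candidate_bytes)."""
    soi = image.find(b"\xff\xd8\xff")
    if soi < 0:
        return None
    eoi = image.find(b"\xff\xd9", soi + 4)
    if eoi < 0:
        # Header found but the tail lives in a page that was written earlier
        # in the file (or never written): only a truncated candidate remains.
        return soi, None, image[soi:]
    return soi, eoi, image[soi:eoi + 2]


if __name__ == "__main__":
    ram = build_process_memory()
    pf = build_pagefile_image(ram)
    print("URLs in RAM:      ", carve_strings(ram, URL_RE))
    print("URLs in pagefile: ", carve_strings(pf, URL_RE))   # cut at the page edge
    print("IPs in pagefile:  ", carve_strings(pf, IPV4_RE))  # small record survives
    soi, eoi, blob = carve_jpeg(ram)
    print("JPEG from RAM complete:", blob == JPEG)
    soi, eoi, blob = carve_jpeg(pf)
    print("JPEG from pagefile: EOI found =", eoi is not None, "bytes =", len(blob))
```

The contrast is the point: run over contiguous memory the URL and the JPEG both carve cleanly, while over the scrambled image only records short enough to sit inside one page (the IP address) come out whole; the URL is cut at the page edge, and the JPEG carve finds a header whose body and end marker are out of reach, which is the "portions of files" outcome keydet89 describes.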
jaclaz
(@jaclaz)
Community Legend
Posted by: @keydet89

> Sadly, this is also where we get terms like "military grade". I served in the US military...anyone in their right mind does not want to use something that's "military grade", given that whatever it is produced by the lowest bidder.

I don't know.

Lowest bidder is relative. I remember an old joke where a Pentagon general holds a press conference and says to the journalists something like "You guys should stop publishing all this nonsense about excessive expenses for army supplies. We only procure stuff through competitive bids and everything is transparent and documented."

And - while the journalists are leaving the room - "Please leave the pencils and notebooks you were given on the desk, they cost US$ 10,000 apiece".

jaclaz 

Posted : 08/10/2020 10:36 am
Bunnysniper
(@bunnysniper)
Active Member
Posted by: @confusedyoungman

> I'm learning more about Internet Forensics as a way to pass the time during the lovely pandemic. I'm getting the very basics together l

Pagefile is one of the places where you can find short-lived artifacts. Some evidence inside this file does not survive two reboots. There are a lot of other artifacts where evidence is stored much longer and is much easier to detect and explain.

Pagefile might contain fragments of the clipboard or some IP addresses... I am investigating pagefile.sys as one of the last artifacts. hiberfil.sys is much more interesting, but again only for short-lived artifacts.

 

regards,

Robin

Posted : 08/10/2020 12:17 pm
confusedyoungman
(@confusedyoungman)
New Member

@bunnysniper

Thanks for the reply. Is there a general timeframe for "much longer"? If some artefacts are lost after two reboots, would you expect to find artefacts that last longer than a month or a year, or is there no timeframe at all? If pagefile.sys is the last place you look, what's the first?

Posted : 09/10/2020 3:05 am
confusedyoungman
(@confusedyoungman)
New Member

@jaclaz

You are the man that made it much clearer. Would the pagefile.sys be more useful for finding evidence of something that you already suspect, like the CP case above? And then the only thing I'm not 100% clear on is the timescale you'd expect to find artefacts dating back to. Another poster says some are lost after two reboots, so would any remain after 10, 20, 50, etc.? Or is there no way to know?

Posted : 09/10/2020 3:13 am