Pagefile.sys question

46 Posts
5 Users
1 Likes
7,530 Views
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 

Hello Folks

I'm learning more about Internet Forensics as a way to pass the time during the lovely pandemic. I'm getting the very basics together, lol. I know that files have to be overwritten multiple times to be truly deleted, and that the browser cache and pagefile.sys delete their files and overwrite them by themselves. However, what I can't seem to find any information on is how long that tends to take. I know it varies, so say on a computer that is used a couple of hours a night to browse the web, would it be a few weeks or months? Or are chat logs of me trolling my friends and the pictures I looked up of Jennifer Aniston ten years ago when I was 17 still in the pagefiles?

 

I understand these may be stupid or obvious questions. I am, however, just trying to pass the time; I've been out of work since March, so please forgive me, lol.

 
Posted : 05/10/2020 9:02 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> ...pagefile.sys delete their files and overwrite them by themselves.

Can you elaborate as to what you mean by that?  

You said, "pagefile.sys", so I'm thinking that you're referring to Windows.  What makes you think that it deletes/overwrites itself?

 
Posted : 06/10/2020 1:11 pm
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 

Sorry, my terminology will not be correct, lol. It is Windows, I mean, yes. I meant that I think the same files don't stay in the pagefile.sys forever, that they are removed when not needed to make way for new files, and then once the file is removed it is replaced by something else. Is that not true, and everything that is saved by the pagefile.sys is on the hard drive for good?

Sorry for the stupid questions. I'm a law student, so I thought learning about computer forensics would be fun, and for some reason the pagefile is hard for me to wrap my head around.

This post was modified 3 years ago by confusedyoungman
 
Posted : 06/10/2020 2:30 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> ... the same files dont stay in the pagefile.sys forever, that they are removed when not needed to make way for new files ...

It seems that fundamentally, you're not understanding the nature of the pagefile.  The pagefile does not store files, it stores memory pages, or fragments of what is being used in RAM.  As a result, once the page is no longer being actively used, yes, it will be overwritten.

As such, you're not likely to find what are most often thought of as complete 'files' (i.e., images, documents, spreadsheets, etc.) in the pagefile.  You may find portions of files, as well as a wide range of other contents; again, the pagefile is used for temporary storage of memory pages.

Now, if you're carving for records, rather than full files, you may find valuable data in the pagefile.  Tools you can use include page_brute, bulk_extractor, etc.

> Sorry for the stupid questions

Not at all.

Posted : 07/10/2020 12:20 pm
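To make the "records, not files" point concrete, here is an added example that is not part of the thread and not taken from page_brute or bulk_extractor. It builds a constructed byte blob that stands in for a fragment of a pagefile (it is not a real pagefile.sys) and carves it the way such tools do: it pulls out ASCII strings, Windows-style UTF-16LE strings and URLs as records, and flags a JPEG start marker whose image body is already gone, so the "file" cannot be recovered even though its header is still there. The forum URL, the chat-style sentence and the filler bytes are all constructed sample data.

```python
import random
import re

# Constructed sample blob standing in for a pagefile fragment; it is NOT a real
# pagefile.sys. Filler bytes are restricted to 0x80..0xFE so that no accidental
# printable run, NUL byte or 0xFF marker appears outside the planted fragments.
def build_sample_blob(seed: int = 1234) -> bytes:
    rng = random.Random(seed)

    def filler(n: int) -> bytes:
        return bytes(rng.randrange(0x80, 0xFF) for _ in range(n))

    parts = [
        filler(64),
        b"https://forum.example.test/thread/4242",                  # ASCII URL fragment (constructed)
        filler(40),
        "user said: meet at the usual place".encode("utf-16-le"),  # UTF-16LE string, as Windows stores text in memory
        filler(30),
        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + filler(50),          # JPEG header whose image body is gone
        filler(64),
    ]
    return b"".join(parts)


URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # scheme, then non-space printable bytes
JPEG_SOI = b"\xff\xd8\xff"                        # Start Of Image marker
JPEG_EOI = b"\xff\xd9"                            # End Of Image marker


def carve_strings(blob: bytes, min_len: int = 8) -> list:
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in both 8-bit ASCII and UTF-16LE ("wide") form."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = []
    for m in ascii_re.finditer(blob):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(blob):
        hits.append((m.start(), "utf16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def carve_urls(blob: bytes) -> list:
    """Record-level carving: URLs are self-delimiting, so they survive as
    useful evidence even when the page around them is partly overwritten."""
    return [m.group().decode("ascii") for m in URL_RE.finditer(blob)]


def carve_jpeg_candidates(blob: bytes) -> list:
    """File-level carving attempt: (offset, complete) for each JPEG start marker.
    complete is True only when an end marker follows it; a header with no end
    marker is a fragment, not a recoverable image."""
    out = []
    for m in re.finditer(re.escape(JPEG_SOI), blob):
        end = blob.find(JPEG_EOI, m.start())
        out.append((m.start(), end != -1))
    return out


def carve_all(blob: bytes) -> dict:
    """Convenience wrapper giving the three views of the same bytes."""
    return {
        "strings": carve_strings(blob),
        "urls": carve_urls(blob),
        "jpegs": carve_jpeg_candidates(blob),
    }


if __name__ == "__main__":
    result = carve_all(build_sample_blob())
    for off, enc, text in result["strings"]:
        print(f"string @{off:5d} [{enc}] {text!r}")
    print("urls:", result["urls"])
    for off, complete in result["jpegs"]:
        print(f"jpeg  @{off:5d} complete={complete}")
```

Running it shows two usable records (the URL and the wide-character chat line) and one JPEG header that is a dead end: the signature is present, the picture is not. Against a real pagefile the same approach scales up, but the ratio stays the same; small self-contained records are what you recover, whole files are the exception.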
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 

Thanks for the response. Your first paragraph makes it a lot clearer for me or at least makes it clearer what I don't know. So if a suspect has been chatting about buying drugs on a forum or a terrorist is in a chatroom and you found their computers you wouldn't be able complete 'files' in order to read what they are saying rather you would find evidence that they had been on the site?

 

I'm a law student and it is really baffling how most criminal law courses don't contain a crash course in this stuff in order to give lawyers a basic grasp. If I can get a handle on the basics I may do my dissertation on the effects of computer forensics on criminal cases.

 
Posted : 07/10/2020 6:02 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 
Posted by: @confusedyoungman

> I know that files have to be overwritten multiple times to be truly deleted.

No.

A file needs to be overwritten ONCE; that is enough to make it irrecoverable.

There is this ongoing myth, originated by a 1995 or 1996 paper by Prof. Gutmann, which was actually a little bit "vague" but has been seriously misinterpreted by half to three-quarters of the internet and simply does not want to die, notwithstanding that the author himself clarified in follow-ups the exact nature and implications of the article, besides its limits.

See this thread and links within it:

https://www.forensicfocus.com/forums/general/overwrite-demonstration/

 

jaclaz

Posted : 07/10/2020 6:12 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

@confusedyoungman

> So if a suspect has been chatting about buying drugs on a forum or a terrorist is in a chatroom and you found their computers you wouldn't be able complete 'files' in order to read what they are saying rather you would find evidence that they had been on the site?

I'm not at all clear what "wouldn't be able complete files" is supposed to refer to, but to your overall question, I'm not aware of many forums or chat applications that maintain logs of what a user typed, not any more, that is.  While you might find fragments of conversations in memory or within the pagefile, I can't say with certainty that there'd be enough context to make it of value.

 
Posted : 07/10/2020 6:30 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

@jaclaz

> ...seriously misinterpreted by half to three-quarters of the internet...

A friend of mine once described this phenomenon to me...in short, when someone hears or sees/reads something that is a bit more technical than they can grasp, there is a tendency to reduce it to something understandable.  As a result, things like "magnetic resonance imaging" are essentially dropped from the understanding, leaving just, "it has to be overwritten many times, blah, blah, blah".

Sadly, this is also where we get terms like "military grade".  I served in the US military...anyone in their right mind does not want to use something that's "military grade", given that whatever it is was produced by the lowest bidder.

 
Posted : 07/10/2020 6:35 pm
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 

'I'm not at all clear what "wouldn't be able complete files" is supposed to refer to,'

Sorry that was meant to say recover complete files (or whatever the correct terminology is)

 'While you might find fragments of conversations in memory or within the pagefile, I can't say with certainty that there'd be enough context to make it of value.'

Would it just be random words or sentences, or full messages, if you happened to find anything? Or would that generally depend?

One last question: https://www.forensicfocus.com/forums/general/windows-vista-pagefile-sys-information/#post-6566926 in this thread the investigator says that he found thousands of images in the pagefile and that some dated back three years (2009 from 2012). Reading this is what confused me, because it read like the images were saved on the hard drive. I'm probably just completely misunderstanding what is happening there.

Thanks again for taking the time to educate the ignorant haha

 

This post was modified 3 years ago 3 times by confusedyoungman
 
Posted : 07/10/2020 7:11 pm
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 

@jaclaz

Oh thanks very much I really appreciate the info I'm ever so slightly less ignorant haha

 
Posted : 07/10/2020 7:12 pm