Pagefile.sys question

46 Posts
5 Users
1 Likes
7,525 Views
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 
Posted by: @confusedyoungman

One last question: https://www.forensicfocus.com/forums/general/windows-vista-pagefile-sys-information/#post-6566926. In this thread the investigator says that he found thousands of images in the pagefile and that some dated back three years (2009 from 2012). Reading this is what confused me, because it read like the images were saved on the hard drive. I'm probably just completely misunderstanding what is happening there.

That is a particular case (of which BTW we have not enough details).

Let's say that the pagefile.sys does actually contain thousands of images.

How exactly did they arrive there?

Now, what would prevent someone from disabling the pagefile and using a file called pagefile.sys to store images? (I suspect this is what happened in that case.)

A pagefile rarely contains "whole" files and, besides, recovering (in such a way that it is viewable) an even slightly corrupted .jpeg file is far from trivial.

The actual info in the pagefile is not "files", see:

http://www.bluekaizen.org/virtual-memory-basics-why-look-at-pagefile-sys/

If you prefer, the pagefile.sys is essentially a box of puzzle pieces (4 KB in size each) that you have in no particular order (and possibly with quite a few missing pieces) and that you have to re-assemble BUT without having the actual puzzle picture as reference AND while blindfolded.

There is simply NO way on earth that you can extract thousands of images from a "normal" page file.

jaclaz 

 
Posted : 08/10/2020 9:24 am
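Added example, not from the thread or from any of the posters: a small Python demonstration of the "puzzle pieces" point above. It builds a structurally valid JPEG container (synthetic scan data, so not a real picture), scatters its 4 KB pages among constructed filler pages the way a pagefile would hold them, runs the naive SOI-to-EOI carve that a signature carver does, and then checks the result by walking the JPEG marker structure. A second constructed blob is just whole images concatenated under the name pagefile.sys, which is the scenario jaclaz suspects; there every carve validates. All data is constructed and the page layout (which pages land where) is an assumption chosen to illustrate the effect.

```python
"""Signature carving over a pagefile-like blob, page by page (constructed demo)."""
import random
import struct

PAGE = 4096  # a pagefile is a bag of 4 KB pages in no particular order


def _seg(marker, body):
    """One JPEG marker segment: FF <marker> <2-byte length incl. itself> <body>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body


def build_jpeg_like(rng, scan_len):
    """Structurally valid JPEG container (SOI..EOI) with synthetic entropy-coded data.
    Constructed for this demo; it is not a decodable picture."""
    header = (b"\xff\xd8"                                                   # SOI
              + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0
              + _seg(0xDB, b"\x00" + bytes(range(1, 65)))                   # DQT
              + _seg(0xC0, b"\x08\x01\x00\x01\x00\x01\x01\x11\x00")         # SOF0
              + _seg(0xC4, b"\x00\x01" + b"\x00" * 16)                      # DHT
              + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00"))                    # SOS
    scan = bytes(rng.randrange(256) for _ in range(scan_len))
    return header + scan.replace(b"\xff", b"\xff\x00") + b"\xff\xd9"       # byte stuffing, EOI


def validate(buf):
    """Walk the marker structure strictly, as a decoder would. Returns (ok, reason)."""
    if not buf.startswith(b"\xff\xd8"):
        return False, "no SOI"
    i = 2
    while True:                              # table/header segments up to SOS
        if i + 4 > len(buf):
            return False, "truncated in header at %d" % i
        if buf[i] != 0xFF:
            return False, "expected a marker at %d, got %#04x" % (i, buf[i])
        marker = buf[i + 1]
        i += 2 + struct.unpack(">H", buf[i + 2:i + 4])[0]
        if marker == 0xDA:
            break
    while i + 1 < len(buf):                  # entropy-coded data until EOI
        if buf[i] == 0xFF:
            nxt = buf[i + 1]
            if nxt == 0xD9:
                return True, "whole file, %d bytes" % (i + 2)
            if nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:   # not stuffing, not RSTn
                return False, "stray marker ff%02x in scan data at %d" % (nxt, i)
        i += 1
    return False, "no EOI"


def carve_naive(blob):
    """What a plain signature carver does: SOI to the next EOI, every byte in between."""
    out, pos = [], 0
    while (soi := blob.find(b"\xff\xd8\xff", pos)) != -1:
        eoi = blob.find(b"\xff\xd9", soi)
        if eoi == -1:
            break
        out.append(blob[soi:eoi + 2])
        pos = eoi + 2
    return out


def paginate(data):
    data += b"\x00" * (-len(data) % PAGE)
    return [data[i:i + PAGE] for i in range(0, len(data), PAGE)]


def pages_with_signature(blob):
    """Only the page holding the header is recognisable; scan-data pages look like noise."""
    return [n for n, p in enumerate(paginate(blob)) if b"\xff\xd8\xff" in p]


def filler_page(rng):
    """Stand-in for unrelated process memory. The two JPEG signatures are scrubbed so the
    demo is deterministic; real memory adds false hits rather than removing them."""
    p = bytes(rng.randrange(256) for _ in range(PAGE))
    return p.replace(b"\xff\xd8", b"\xff\x00").replace(b"\xff\xd9", b"\xff\x00")


def build_scenarios(seed=7):
    rng = random.Random(seed)
    jpg = build_jpeg_like(rng, 2 * PAGE + 1000)          # spills over three pages
    j = paginate(jpg)
    # A: a normal pagefile. The image's pages were paged out at different times, so they
    # are neither adjacent nor in order, with other processes' pages in between (assumed layout).
    normal = b"".join([filler_page(rng), j[0], filler_page(rng), j[2], j[1], filler_page(rng)])
    # B: a file *named* pagefile.sys that is really a stash of whole images.
    stash = jpg + build_jpeg_like(rng, 3000) + build_jpeg_like(rng, 600)
    return jpg, normal, stash


def demo(seed=7):
    jpg, normal, stash = build_scenarios(seed)
    normal_carved, stash_carved = carve_naive(normal), carve_naive(stash)
    return {
        "signature_pages": pages_with_signature(normal),
        "normal_candidates": len(normal_carved),
        "normal_valid": [validate(c)[0] for c in normal_carved],
        "normal_reasons": [validate(c)[1] for c in normal_carved],
        "normal_matches_original": any(c == jpg for c in normal_carved),
        "stash_valid": [validate(c)[0] for c in stash_carved],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

On the "normal" blob the carver returns one candidate: the header page plus whatever happened to sit between it and the first EOI marker, which fails validation and is not the original file; only one of the six pages is even recognisable as image data, because the other two image pages carry no signature at all. On the stash every carve is a whole, valid file, which is the pattern that should make an examiner ask whether the file is a pagefile at all.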
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 
Posted by: @keydet89

Sadly, this is also where we get terms like "military grade".  I served in the US military...anyone in their right mind does not want to use something that's "military grade", given that whatever it is produced by the lowest bidder.

I don't know.

Lowest bidder is relative. I remember an old joke where a Pentagon general holds a press conference and says to the journalists something like: "You guys should stop publishing all this nonsense about excessive expenses for army supplies. We only procure stuff through competitive bids and everything is transparent and documented."

And - while the journalists are leaving the room - "Please leave the pencils and notebooks you were given on the desk, they cost US$ 10,000 apiece".

jaclaz 

 
Posted : 08/10/2020 9:36 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 
Posted by: @confusedyoungman

I'm learning more about Internet Forensics as a way to pass the time during the lovely pandemic. I'm getting the very basics together l

The pagefile is one of the places where you can find short-lived artefacts. Some evidence inside this file does not survive two reboots. There are a lot of other artefacts where evidence is stored much longer and is much easier to detect and explain.

The pagefile might contain fragments of the clipboard or some IP addresses... I investigate pagefile.sys as one of the last artefacts. hiberfil.sys is much more interesting, but again only for short-lived artefacts.

 

regards,

Robin

 
Posted : 08/10/2020 11:17 am
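Added example, not part of Robin's post: a scan of a constructed pagefile-like blob for the kind of short-lived string artefacts mentioned above (IP addresses, and URLs of the sort FTK Imager or Belkasoft string searches turn up). Windows keeps many of its strings as UTF-16LE, which an ASCII-only strings pass misses, so the scanner runs both encodings and reports the byte offset of each hit so you can tell which 4 KB page it came from. The sample blob, its hosts, IPs and URLs are all made up; the second page stands for another process's data, so the URL cut off at the page boundary stays cut off, as it would in a real pagefile.

```python
"""URL / IPv4 extraction from a pagefile-like blob, in ASCII and UTF-16LE (constructed demo)."""
import re

PAGE = 4096

IPV4 = r"(?<!\d)(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?!\d)"
URL = r"""https?://[A-Za-z0-9.\-]+(?:/[^\s"'<>]*)?"""
PATTERNS = {"ipv4": re.compile(IPV4), "url": re.compile(URL)}

# Runs of at least four printable characters, once as plain bytes and once as UTF-16LE
# (printable byte followed by 0x00), which is how Win32 and .NET code stores most text.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def scan_blob(blob):
    """Return sorted (byte_offset, encoding, kind, text) for every URL / IPv4 hit.
    byte_offset // PAGE is the page the hit sits in."""
    hits = []
    for enc, run_re, width in (("ascii", ASCII_RUN, 1), ("utf-16le", UTF16_RUN, 2)):
        for run in run_re.finditer(blob):
            text = run.group().decode(enc)
            for kind, pat in PATTERNS.items():
                for m in pat.finditer(text):
                    hits.append((run.start() + m.start() * width, enc, kind, m.group()))
    return sorted(hits)


def build_sample():
    """Two constructed pages. Page 0 mixes binary noise, an HTTP request line, a UTF-16LE
    socket string and a URL that the page boundary cuts in half; page 1 is unrelated data."""
    noise = bytes(range(256)) * 3
    page0 = (noise
             + b"GET http://example.com/login?user=bob HTTP/1.1\r\nHost: example.com\r\n"
             + b"\x00" * 40
             + "192.168.56.101:443 www.example.org".encode("utf-16-le")
             + b"\x00" * 20)
    tail = b"https://intranet.example.net/share/quarterly-report.docx"
    page0 += b"\x00" * (PAGE - len(page0) - 30) + tail[:30]   # page ends mid-URL
    page1 = bytes(range(256)) * 16                              # another process's page
    return page0 + page1


if __name__ == "__main__":
    for off, enc, kind, text in scan_blob(build_sample()):
        print("page %d offset %5d %-8s %-4s %s" % (off // PAGE, off, enc, kind, text))
```

The UTF-16LE hit would be invisible to a plain `strings` run, and the last URL comes back as `https://intranet.example.net/s`: the scanner has no way to know what followed, which is the "missing puzzle pieces" problem in miniature.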
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 

@bunnysniper

Thanks for the reply. Is there a general timeframe for "much longer"? If some artefacts are lost after two reboots, would you expect to find artefacts that last longer than a month or a year, or is there no timeframe at all? If pagefile.sys is the last place you look, what's the first?

 
Posted : 09/10/2020 2:05 am
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 

@jaclaz

You are the man, that made it much clearer. Would the pagefile.sys be more useful for finding evidence of something that you already suspect, like the CP case above? And then the only thing I'm not 100% clear on is the timescale you'd expect to find artefacts dating back to. Another poster says some is lost after two reboots, so would any remain after 10, 20, 50, etc.? Or is there no way to know?
 
Posted : 09/10/2020 2:13 am
(@trewmte)
Posts: 1877
Noble Member
 
Posted by: @confusedyoungman

And then the only thing I'm not 100% clear on is the timescale you'd expect to find artefacts dating back to. Another poster says some is lost after two reboots, so would any remain after 10, 20, 50, etc.? Or is there no way to know?

This is a very interesting question. I have dozens of books on computer and digital forensics and evidence and, interestingly, I didn't find a timeline along the path you are suggesting. I am not suggesting the question hasn't been asked and answered previously, but without going through every archive I have, I suspect @confusedyoungman you have asked a question that needs a more informed answer. Or in the alternative, perhaps if you find the answer come back to FF and let us know. Perhaps a single page of summary on your findings.

@Bunnysniper's comments I thought helpful to you regarding two reboots. Combined with your enquiry and Bunnysniper's response I ran a quick search of my first-level library and post a number of screenshots from various publications I thought outlined some useful investigation points that might assist you. Lastly, I have the Gruhn and Windsheim 2016 paper that goes into detail about pagefile and pagefile.sys, but it is too long to screenshot all relevant pages.

Main Gallery
https://postimg.cc/gallery/GcXpdzs

Pagefile1: https://i.postimg.cc/4K26dqVj/Pagefile1.png
Pagefile2: https://i.postimg.cc/kVgN7q6x/Pagefile2.png
Pagefile3: https://i.postimg.cc/7J00KLdy/Pagefile3.png
Pagefile4: https://i.postimg.cc/CzCbDzbG/Pagefile4.png
Pagefile5: https://i.postimg.cc/D83q8q4f/Pagefile5.png
Pagefile6: https://i.postimg.cc/wyths2kM/Pagefile6.png
Pagefile7: https://i.postimg.cc/5jCB4P0k/Pagefile7.png
Pagefile8: https://i.postimg.cc/Snq7tWm1/Pagefile8.png

 
Posted : 09/10/2020 8:09 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 
Posted by: @confusedyoungman

@jaclaz

You are the man, that made it much clearer. Would the pagefile.sys be more useful for finding evidence of something that you already suspect, like the CP case above? And then the only thing I'm not 100% clear on is the timescale you'd expect to find artefacts dating back to. Another poster says some is lost after two reboots, so would any remain after 10, 20, 50, etc.? Or is there no way to know?

Basically there is no real way to know, as different Windows versions may behave differently and setting the pagefile to "managed by Windows" vs. "fixed size" will most probably make a difference, AND nowadays the actual usage of the pagefile - due to the increase of "common" large amounts of installed RAM - is very likely 0 or very little.

BTW, my compliments, you nailed at the second attempt the second (after the *needed* overwrites) most misunderstood topic around (i.e. what the pagefile is for, how to set it up and how it is used by the OS).

Some reference for you to read (not related to forensics):
http://reboot.pro/topic/22361-suggestions-for-32gb-system/

jaclaz

Posted : 09/10/2020 9:06 am
(@trewmte)
Posts: 1877
Noble Member
 

Pagefile1: https://i.postimg.cc/4K26dqVj/Pagefile1.png

 

@confusedyoungman just to be clear what I am saying. In the first thumbnail image from my earlier post it identifies the following: ClearPageFileAtShutdown REG_DWORD 0x00000000

Value / Meaning
0: Inactive pages are not filled with zeros.
1: Inactive pages are filled with zeros.

 

'Value 0' - I am assuming that your target DUT has been set to this value.

Hopefully, there is nothing stopping you checking REGEDIT, or in the alternative look for the setting in the Group Policy Editor to find out.

Running tests on a test DUT might help you determine how many reboot attempts are required before loss of pagefile remnants.

Posted : 09/10/2020 1:00 pm
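Added example, not from the thread or from any of the posters: a Python reader for a `reg export` of the Memory Management key that pulls out the two settings that decide how long pagefile remnants live on a test DUT: ClearPageFileAtShutdown (the value trewmte describes) and PagingFiles, which records whether the pagefile is system-managed or of fixed/custom size (the distinction jaclaz raises). On a live machine the input comes from `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" mm.reg`; reg.exe writes that file as UTF-16LE with a BOM, so decode it before handing the text to the parser. The sample export below is constructed. The interpretation of the PagingFiles strings ("path initialMB maxMB" for an explicit size, "path 0 0" or "?:\pagefile.sys" for automatic management) is taken from what Windows writes on real systems rather than from documentation, so treat it as an assumption. For a dead-box SYSTEM hive, CurrentControlSet does not exist; use the ControlSet00N named by Select\Current and a hive parser instead.

```python
"""Read pagefile-related Memory Management values from a 'reg export' text (constructed demo)."""
import re

MM_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

# Constructed sample of what reg.exe writes for the key on a Windows 10 host (values only
# for the demo; a real export has more). hex(7) is REG_MULTI_SZ as UTF-16LE byte pairs,
# wrapped with a trailing backslash and two-space continuation lines.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000000
"PagingFiles"=hex(7):3f,00,3a,00,5c,00,70,00,61,00,67,00,65,00,66,00,69,00,6c,\
  00,65,00,2e,00,73,00,79,00,73,00,00,00,00,00
"ExistingPageFiles"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,70,00,61,\
  00,67,00,65,00,66,00,69,00,6c,00,65,00,2e,00,73,00,79,00,73,00,00,00,00,00
'''


def parse_reg_export(text):
    """Minimal .reg reader: {key: {name: (type, value)}} for dword, string and multi-string."""
    text = re.sub(r"\\\r?\n\s*", "", text)          # join reg.exe's backslash-continued hex lines
    keys, cur = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur] = {}
        elif line.startswith('"') and cur is not None:
            name, _, value = line.partition('"=')
            name = name[1:]
            if value.startswith("dword:"):
                keys[cur][name] = ("REG_DWORD", int(value[6:], 16))
            elif value.startswith("hex(7):"):
                raw = bytes(int(h, 16) for h in value[7:].split(","))
                strings = raw.decode("utf-16-le").rstrip("\x00").split("\x00")
                keys[cur][name] = ("REG_MULTI_SZ", strings)
            elif value.startswith('"') and value.endswith('"'):
                keys[cur][name] = ("REG_SZ", value[1:-1].replace("\\\\", "\\"))
    return keys


def interpret_paging_files(entries):
    """Decode PagingFiles strings into (path, mode, initial_mb, max_mb).
    Format assumed from observed systems: 'path initialMB maxMB' for an explicit size,
    'path 0 0' (older Windows) or '?:\\pagefile.sys' (Windows 10+) for system-managed."""
    out = []
    for entry in entries:
        path, *sizes = entry.split()
        if path.startswith("?:") or sizes == ["0", "0"]:
            out.append((path, "system-managed", None, None))
        elif len(sizes) == 2:
            initial, maximum = int(sizes[0]), int(sizes[1])
            out.append((path, "fixed" if initial == maximum else "custom", initial, maximum))
        else:
            out.append((path, "unknown", None, None))
    return out


def pagefile_settings(reg_text):
    """The two facts an examiner wants before timing how long remnants survive reboots."""
    mm = parse_reg_export(reg_text)[MM_KEY]
    clear = mm.get("ClearPageFileAtShutdown", ("REG_DWORD", 0))[1]   # absent means 0
    return {
        "clear_at_shutdown": clear == 1,
        "paging_files": interpret_paging_files(mm["PagingFiles"][1]),
        "existing": mm.get("ExistingPageFiles", ("REG_MULTI_SZ", []))[1],
    }


if __name__ == "__main__":
    for k, v in pagefile_settings(SAMPLE_REG).items():
        print(k, v)
```

With ClearPageFileAtShutdown at 0 and a system-managed pagefile, as in the sample, nothing zeroes the file at a clean shutdown and the OS is free to grow or shrink it, so reboot-survival tests on that DUT measure overwrite behaviour, not deliberate wiping; set the value to 1 (or fix the size) on a second DUT and the comparison shows which of the two settings is doing the work.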
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 
Posted by: @jaclaz

Basically there is no real way to know, as different Windows versions may behave differently and setting the pagefile to "managed by Windows" vs. "fixed size" will most probably make a difference, AND nowadays the actual usage of the pagefile - due to the increase of "common" large amounts of installed RAM - is very likely 0 or very little.

BTW, my compliments, you nailed at the second attempt the second (after the *needed* overwrites) most misunderstood topic around (i.e. what the pagefile is for, how to set it up and how it is used by the OS).

Some reference for you to read (not related to forensics):
http://reboot.pro/topic/22361-suggestions-for-32gb-system/

jaclaz

 

I had assumed there would be no real answer to how long. What would surprise you in terms of how old an artefact is? 2 years? I downloaded FTK Imager and the Belkasoft Evidence Center trial version. There are a lot of URLs from last month and virtually none from August, but my PC was newly built in August.

Would there being very little actual usage now mean that artefacts that are present in the pagefile.sys stay in there longer, because things aren't being swapped out as frequently?

 
Posted : 09/10/2020 6:59 pm
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 
Posted by: @trewmte
Posted by: @confusedyoungman

And then the only thing I'm not 100% clear on is the timescale you'd expect to find artefacts dating back to. Another poster says some is lost after two reboots, so would any remain after 10, 20, 50, etc.? Or is there no way to know?

This is a very interesting question. I have dozens of books on computer and digital forensics and evidence and, interestingly, I didn't find a timeline along the path you are suggesting. I am not suggesting the question hasn't been asked and answered previously, but without going through every archive I have, I suspect @confusedyoungman you have asked a question that needs a more informed answer.

Ignorance sometimes leads to good questions lol

Posted : 09/10/2020 7:01 pm