Pagefile.sys question  

Page 2 / 4
trewmte
(@trewmte)
Community Legend
Posted by: @confusedyoungman

And then the only thing I'm not 100 % clear on is the timescale you'd expect to find artefacts dating back on. Another poster says some is lost after two reboots so would any remain after 10,20,50 etc. Or is there no way to know? 

This is a very interesting question. I have dozens of books on computer and digital forensics and evidence and interestingly I didn't find a timeline along the path you are suggesting. I am not suggesting the question hasn't been asked and answered previously, but without going through every archive I have, I suspect @confusedyoungman you have asked a question that needs a more informed answer. Or in the alternative perhaps if you find the answer comeback to FF and let us know. Perhaps a single page of summary on your findings. 

@Bunnysniper's comments I thought helpful to you regarding two reboots. Combined with your enquiry and Bunnysniper's response I ran a quick search from my first-level library and post a number of screen shots from various publications I thought outlined some useful investigation points that might assist you. Lastly, I have the Gruhn and Windsheim 2016 paper that goes into detail about pagefile and pagefile.sys but it is too long to screen shot all relevant pages.

Main Gallery
https://postimg.cc/gallery/GcXpdzs

Screenshots Pagefile1 to Pagefile8 (images not reproduced here)
Posted : 09/10/2020 9:09 am
jaclaz
(@jaclaz)
Community Legend
Posted by: @confusedyoungman

@jaclaz

You are the man that made it much clearer. Would the pagefile.sys be more useful for finding evidence of something that you already suspect like the cp case above? And then the only thing I'm not 100 % clear on is the timescale you'd expect to find artefacts dating back on. Another poster says some is lost after two reboots so would any remain after 10,20,50 etc. Or is there no way to know? 

Basically there is no real way to know, as different Windows versions may behave differently and setting the pagefile to "managed by Windows" vs. "fixed size" will most probably make a difference AND nowadays the actual usage of the pagefile - due to the increase of "common" large amounts of installed RAM - is very likely 0 or very little.

BTW, my compliments, you nailed at the second attempt the second (after the *needed* overwrites) most misunderstood topic around (i.e. what the pagefile is for, how to set it up and how it is used by the OS).

Some reference for you to read (not related to forensics):
http://reboot.pro/topic/22361-suggestions-for-32gb-system/

jaclaz

 

 

 

Posted : 09/10/2020 10:06 am
trewmte
(@trewmte)
Community Legend


@confusedyoungman just to be clear what I am saying. In the first thumbnail image from my earlier post it identifies the following: ClearPageFileAtShutdown REG_DWORD 0x00000000

Value  Meaning
0      Inactive pages are not filled with zeros.
1      Inactive pages are filled with zeros.

 

'Value 0' - I am assuming that your target DUT has been set to this value.

Hopefully, there is nothing stopping you checking REGEDIT or in the alternative look for the settings in Group Policy Editor to find out.

Running tests on a test DUT might help you determine how many reboot attempts are required before loss of pagefile remnants.

 

Posted : 09/10/2020 2:00 pm
confusedyoungman
(@confusedyoungman)
New Member
Posted by: @jaclaz

Basically there is no real way to know, as different Windows versions may behave differently and setting the pagefile to "managed by Windows" vs. "fixed size" will most probably make a difference AND nowadays the actual usage of the pagefile - due to the increase of "common" large amounts of installed RAM - is very likely 0 or very little.

BTW, my compliments, you nailed at the second attempt the second (after the *needed* overwrites) most misunderstood topic around (i.e. what the pagefile is for, how to set it up and how it is used by the OS).

Some reference for you to read (not related to forensics):
http://reboot.pro/topic/22361-suggestions-for-32gb-system/

jaclaz

 

I had assumed there would be no real answer to how long. What would surprise you in terms of how old an artefact is? 2 years? I downloaded FTK Imager and the Belkasoft Evidence Center trial version. There are a lot of URLs from last month and virtually none from August, but my PC was newly built in August.

Would there being very little actual usage now mean that artefacts that are present in the pagefile.sys are in there longer because things aren't being swapped out as frequently?

Posted : 09/10/2020 7:59 pm
confusedyoungman
(@confusedyoungman)
New Member
Posted by: @trewmte
Posted by: @confusedyoungman

And then the only thing I'm not 100 % clear on is the timescale you'd expect to find artefacts dating back on. Another poster says some is lost after two reboots so would any remain after 10,20,50 etc. Or is there no way to know? 

This is a very interesting question. I have dozens of books on computer and digital forensics and evidence and interestingly I didn't find a timeline along the path you are suggesting. I am not suggesting the question hasn't been asked and answered previously, but without going through every archive I have, I suspect @confusedyoungman you have asked a question that needs a more informed answer.

Ignorance sometimes leads to good questions lol

 

Posted : 09/10/2020 8:01 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @confusedyoungman 

I had assumed there would be no real answer to how long. What would surprise you in terms of how old an artefact is? 2 years? I downloaded FTK Imager and the Belkasoft Evidence Center trial version. There are a lot of URLs from last month and virtually none from August, but my PC was newly built in August.

Would there being very little actual usage now mean that artefacts that are present in the pagefile.sys are in there longer because things aren't being swapped out as frequently?

Actually nothing would surprise me, in the sense that (random example) you get a new laptop with a small amount of RAM (where the pagefile is needed AND is used) and a largish pagefile, you use it for a few days browsing the web opening tens or hundreds of pages (that will likely go - in parts - to the pagefile), then you understand how you really need that extra (say) 8 GB stick of RAM, install it, do not change anything in the pagefile settings and then - for some reason - you use the laptop offline only to write your next novel (yes, the one that takes years to write and that you will never finish).

In such a scenario the browsing data that originally was swapped to the pagefile will still be there after years, as nothing will overwrite it.

In the real world, it is more likely that - before or later - you will update your browser or use a new experimental one, and that it will crash starting to eat memory (and thus filling up to the brim the pagefile) until the whole OS crashes.

jaclaz

Posted : 10/10/2020 9:31 am
confusedyoungman
(@confusedyoungman)
New Member
Posted by: @jaclaz

In such a scenario the browsing data that originally was swapped to the pagefile will still be there after years, as nothing will overwrite it.

In the real world, it is more likely that - before or later - you will update your browser or use a new experimental one, and that it will crash starting to eat memory (and thus filling up to the brim the pagefile) until the whole OS crashes.

jaclaz

Yeah that makes sense. My parents had an old Dell Dimension 4600 from when I was a kid with 2GB RAM. That would make extensive use of the pagefile.sys due to the small amount of RAM, whereas my current PC with 16GB of RAM would make much less use of it. So evidence of artefacts would remain in my current pagefile.sys longer than my parents' back in the day due to reduced use? Is all that correct?

 

So I used FTK Imager and the Belkasoft Evidence Center trial version and I've a few questions about the results. It returned several artefacts from browsers called Tor and Opera but I've never used anything other than Chrome. It had evidence of Skype messages from 2013 but I bought the RAM two months ago and have never used Skype.

 

It has no evidence of anything from a website that I've visited bar urls and pictures so my original idea that it could be used to find evidence of chatroom/forum posts was way wrong haha unless those are what 'other files' are https://imgur.com/a/nbGyA5C.

 

Thanks for taking the time to continue this conversation, I am learning a lot.

Posted : 10/10/2020 5:36 pm
jaclaz
(@jaclaz)
Community Legend

Yep, of course it depends on the OS and on the specific usage.

But how would these (longer lasting) artefacts manage to get into the pagefile?

More or less, set aside "graphical" programs/activities like video editing, high resolution photography/imaging/retouching, 3D modeling and rendering, all normally used programs on a PC BUT the browser (and only partially due to the browser itself, largely because of the crapload of stuff that web sites send) will only use a very small amount of memory, so the pagefile is really rarely or never hit in adequate machines.

To give you some numerical example, on your old Dell a properly configured pagefile would have been 2 to 2.5 times the amount of RAM, so total memory on the machine would have been 4 to 5 GB.

But at the time most machines had 1 or 2 GB of RAM, 4 GB was rare (as 32 bit was prevalent and only few motherboards could access more than 3.5 GB of RAM).

A "normal" machine today (anything that you find at the lower price end, let's say 40% of the market) has 4 GB of RAM and the pagefile would be 1x, i.e. total 8 GB.

A less common machine (mid-range, let's say another 40% of the market) would have 8 GB of RAM and still the pagefile would be 1x, so total 16 GB.

Your 16 GB laptop (at the lower end of "top-range", which again probably has a 1x pagefile, so 32 GB total) would have an "in use" pagefile if - and only if - the 4 GB machines constantly crashed for lack of memory and the 8 GB ones sometimes crashed and constantly slowed down (more or less noticeably depending on the storage media) when in use due to swapping.

Since it is not like this is happening ...

jaclaz

Posted : 10/10/2020 6:33 pm
confusedyoungman
(@confusedyoungman)
New Member
Posted by: @jaclaz

Yep, of course it depends on the OS and on the specific usage.

But how would these (longer lasting) artefacts manage to get into the pagefile?

More or less, set aside "graphical" programs/activities like video editing, high resolution photography/imaging/retouching, 3D modeling and rendering, all normally used programs on a PC BUT the browser (and only partially due to the browser itself, largely because of the crapload of stuff that web sites send) will only use a very small amount of memory, so the pagefile is really rarely or never hit in adequate machines.

 

jaclaz

I actually don't know if 2GB of RAM was accurate for my parents' old PC, it could have been less.

So the browser is the only normally used program on a PC to use the pagefile.sys. Are there specific artefacts from the browser that would be more likely to be sent to the pagefile? Like my search on my own showed images (your avatar for one haha)/URLs/search results but nothing like emails or text based at all. Is that just the software I'm using?

I realized that my question on what would surprise you above was far too broad. That is actually what dawned on me the most during this discussion, that I'm thinking in far too broad of terms. So taking my parents' PC as an example, which would be used for internet browsing and iTunes, rebooted every day and used for roughly 4 hours, would you be surprised to see artefacts from a year previous? From 5 years previous?

Posted : 11/10/2020 4:25 am
jaclaz
(@jaclaz)
Community Legend
Posted by: @confusedyoungman

I actually don't know if 2GB of RAM was accurate for my parents' old PC, it could have been less.

So the browser is the only normally used program on a PC to use the pagefile.sys. Are there specific artefacts from the browser that would be more likely to be sent to the pagefile? Like my search on my own showed images (your avatar for one haha)/URLs/search results but nothing like emails or text based at all. Is that just the software I'm using?

I realized that my question on what would surprise you above was far too broad. That is actually what dawned on me the most during this discussion, that I'm thinking in far too broad of terms. So taking my parents' PC as an example, which would be used for internet browsing and iTunes, rebooted every day and used for roughly 4 hours, would you be surprised to see artefacts from a year previous? From 5 years previous?

No idea for a prediction, there are too many factors involved: one day an issue with a stupid web site makes the browser fill the pagefile, then for one year all programs behave (and so at least some of the data remains in the pagefile), then one day something crashes and the pagefile is overwritten with new data. All I can say is that with a relatively low amount of RAM there are fewer probabilities to find something "old" (as it is more likely that the pagefile is used more often), whilst with relatively large amounts of RAM data may survive more time BUT the data probably never went there in the first instance.

jaclaz

Posted : 11/10/2020 8:50 am
confusedyoungman
(@confusedyoungman)
New Member
Posted by: @jaclaz

No idea for a prediction, there are too many factors involved: one day an issue with a stupid web site makes the browser fill the pagefile, then for one year all programs behave (and so at least some of the data remains in the pagefile), then one day something crashes and the pagefile is overwritten with new data. All I can say is that with a relatively low amount of RAM there are fewer probabilities to find something "old" (as it is more likely that the pagefile is used more often), whilst with relatively large amounts of RAM data may survive more time BUT the data probably never went there in the first instance.

jaclaz

Ah yeah I get ya. Do you have any idea why Belkasoft Evidence Center is showing artefacts from browsers/instant messengers I've never used or had on my PC at all? Also from the chrome browser the only artefacts seem to be pictures and urls is that normal? 

Posted : 11/10/2020 9:16 am
jaclaz
(@jaclaz)
Community Legend
Posted by: @confusedyoungman

Do you have any idea why Belkasoft Evidence Center is showing artefacts from browsers/instant messengers I've never used or had on my PC at all? Also from the chrome browser the only artefacts seem to be pictures and urls is that normal? 

You are a Law student, aren't you?

Your questions should be (I am picky):

Why does Belkasoft Evidence Center attribute to browsers/instant messengers that were never used presumed artefacts it carved from pagefile.sys?

Why does Belkasoft Evidence Center only categorize as originated by Chrome some pictures and url's but not any text?

The reworded questions seem very similar, but they are not.

Read more (only seemingly unrelated) about carving and different results with different tools:

https://www.forensicfocus.com/forums/forensic-software/recommendations-for-carving-software/

jaclaz

Posted : 11/10/2020 1:15 pm
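As an added example (not code from this thread, nor from Belkasoft or FTK), the kind of signature carving jaclaz is pointing at: a Python script that scans a constructed pagefile fragment for ASCII and UTF-16LE URLs and flags any hit that straddles a 4 KiB page boundary, since neighbouring pages in pagefile.sys need not come from the same process or the same time. The 4 KiB page size and the planted sample data are assumptions of the example.

```python
"""Signature carving of URL strings from a pagefile fragment (added example)."""
import re
from typing import Dict, List

PAGE_SIZE = 4096  # assumption: Windows pages memory in 4 KiB units

# Characters allowed after the scheme; one regex for ASCII, one for UTF-16LE
# (each character followed by a NUL byte, which is how Windows keeps most strings in memory).
_URL_CHARS = rb"A-Za-z0-9\-._~:/?#@!$&'()*+,;=%"
ASCII_URL = re.compile(rb"https?://[" + _URL_CHARS + rb"]{4,}")
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[" + _URL_CHARS + rb"]\x00){4,}"
)


def carve_urls(buf: bytes) -> List[Dict[str, object]]:
    """Return every URL-looking string in buf with its offset, page and encoding.

    crosses_page is True when the hit straddles a page boundary: the two pages
    may belong to different processes or times, so such a hit is suspect.
    """
    hits: List[Dict[str, object]] = []
    for enc, pattern in (("ascii", ASCII_URL), ("utf-16-le", UTF16_URL)):
        for m in pattern.finditer(buf):
            start, end = m.span()
            hits.append({
                "offset": start,
                "page": start // PAGE_SIZE,
                "encoding": enc,
                "url": m.group(0).decode(enc),
                "crosses_page": start // PAGE_SIZE != (end - 1) // PAGE_SIZE,
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


def _plant(page: bytearray, offset: int, data: bytes) -> None:
    page[offset:offset + len(data)] = data


def build_sample() -> bytes:
    """Constructed three-page fragment with planted strings; not real pagefile data."""
    pages = [bytearray(PAGE_SIZE) for _ in range(3)]  # zero-filled pages
    _plant(pages[0], 100, b"https://www.forensicfocus.com/forums/")                    # ASCII
    _plant(pages[1], 500, "https://postimg.cc/gallery/GcXpdzs".encode("utf-16-le"))   # UTF-16LE
    tail = b"https://example.org/se"                                                  # runs off page 1
    _plant(pages[1], PAGE_SIZE - len(tail), tail)
    _plant(pages[2], 0, b"arch?q=pagefile")                                            # continues on page 2
    return b"".join(pages)


if __name__ == "__main__":
    for h in carve_urls(build_sample()):
        flag = " (crosses page boundary, may be a false join)" if h["crosses_page"] else ""
        print(f"page {h['page']} offset {h['offset']:>6} {h['encoding']:<9} {h['url']}{flag}")
```

A carver that only matches a keyword such as a browser or messenger name has no way of knowing which process wrote the page, which is one reason a tool can label a fragment with a product that was never installed.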
confusedyoungman
(@confusedyoungman)
New Member
Posted by: @jaclaz
Posted by: @confusedyoungman

Do you have any idea why Belkasoft Evidence Center is showing artefacts from browsers/instant messengers I've never used or had on my PC at all? Also from the chrome browser the only artefacts seem to be pictures and urls is that normal? 

You are a Law student, aren't you?

Your questions should be (I am picky):

Why does Belkasoft Evidence Center attribute to browsers/instant messengers that were never used presumed artefacts it carved from pagefile.sys?

Why does Belkasoft Evidence Center only categorize as originated by Chrome some pictures and url's but not any text?

The reworded questions seem very similar, but they are not.

Read more (only seemingly unrelated) about carving and different results with different tools:

https://www.forensicfocus.com/forums/forensic-software/recommendations-for-carving-software/

jaclaz

Haha those are much more academically pointed questions you are correct. I'll read the links in the thread provided thank you. And see if I have the intellectual capacity to answer the new questions.

One completely unrelated question that I'd like confirmed or rubbished and I'll stop bothering you. I read that your IP address often changes and that ISPs only retain records for 90 days. Does that mean that if you had an IP address for an email address it would be useless for tracking unless they logged in with a new IP?

Posted : 11/10/2020 1:31 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @confusedyoungman
One completely unrelated question that I'd like confirmed or rubbished and I'll stop bothering you. I read that your IP address often changes and that ISPs only retain records for 90 days. Does that mean that if you had an IP address for an email address it would be useless for tracking unless they logged in with a new IP?

It depends on ISP, country, contract, type of connection, etc.

In the EU most IPs are static AFAIK, while in the USA they are (for home connections) more commonly dynamic, but neither is to be taken as given; some connections do have dynamic IPs but they are only renewed on disconnection (which nowadays often means only when resetting your router).

Same goes for traffic data retention: what is stored and for how long may depend on the country's laws but also on the specific ISP's policies.

jaclaz

Posted : 11/10/2020 3:19 pm
confusedyoungman
(@confusedyoungman)
New Member
Posted by: @jaclaz

 

I've come to terms with not having the technical knowledge to understand why the Belkasoft Evidence Center isn't returning any text artefacts lol.

To summarise what I've learnt in four points.

1) The pagefile.sys is space on the hard drive used to increase memory space in the event that more memory is needed than the RAM can provide. Fragments of pages are moved to the pagefile to stop the system crashing.

2) It won't contain full files or copies of webpages but rather artefacts that show access to a file or webpage or evidence it has been viewed. So you wouldn't be able to read a chat/forum post from a browser but would be able to see they visited the site, had the site IP address.

3) The larger the RAM the less likely the pagefile is used, but the longer artefacts will remain in the pagefile before being overwritten due to this lessened usage. It is unlikely artefacts would last years due either to 1. not being present at all due to large RAM or 2. smaller RAM so more consistent overwriting.

4) There is no expected timeline on how long it would take the pagefile.sys to fully overwrite because it does so in different pieces and not in order. Malfunctions in the browser can cause the pagefile to fill at any time, adding a variable that makes estimated timing improbable. (Actually one more question here: if the browser behaved normally and with 2GB RAM and the same usage as discussed above, i.e. 2-4 hours a day browsing, would you guess that artefacts written to the pagefile.sys in Jan 2010 would be present in Jan 2011?)

Would you say that those four points are broadly correct?

Posted : 12/10/2020 2:40 am