Pagefile.sys question  

Page 3 / 4
jaclaz
(@jaclaz)
Community Legend

#1 OK.

#2 yes and no. It may contain "random" 4 KB chunks of data (memory pages) coming from RAM. (whether they are "artefacts" that may be linked to this or that program running and/or to this or that website, chat or *whatever* is another thing and this hypothetical attribution may be in the eyes of the beholder).

#3 OK

#4 OK

Answer to side question #4: It depends. Likely no, maybe yes.

I know that the above answer is not definitive, but that is how a lot of things go when you are dealing with "random" fragments copied for unknown reasons when unknown conditions are met, by means of a mechanism which is highly susceptible to numberless variables.

In these cases it is the other way round, if it is there, it is there, and if it isn't there it isn't there.

Then, the question moves to "is it possible that it is there" or "is it possible that it isn't there" because of the "normal"[1] usage and behaviour of the OS.

 

jaclaz

[1] and "normal" is not fully defined.

Posted : 12/10/2020 9:22 am
confusedyoungman
(@confusedyoungman)
New Member

@jaclaz

Probably not, but maybe so, is a good summation of most of my questions lol. Glad to know I'm good on 3/4.

If you could expand on point two a bit, or perhaps dumb it down for me. Are you saying that not only do they not contain readable posts, as I came in assuming, but that the random 4KB may not even be able to be linked to a file/site/chat/whatever?

Posted : 12/10/2020 9:33 am
jaclaz
(@jaclaz)
Community Legend
Posted by: @confusedyoungman

If you could expand on point two a bit, or perhaps dumb it down for me. Are you saying that not only do they not contain readable posts, as I came in assuming, but that the random 4KB may not even be able to be linked to a file/site/chat/whatever?

Yep, you have a number of 4KB pages that may (or may not) be part of a contiguous "set" of pages and/or that may (or may not) provide means to "connect" to a following page and that may (or may not) be linked (for sure) to this or that program (or website or *whatever*). 

As long as a "post" does fit in 4 KB (it does, rest assured) there is no reason why it cannot be found (IF it is there), and - still if it is there - it may well be plainly readable. (maybe better said, if it is there it can be found only if it is readable, as if it is not readable it will be confused among "binary noise").

Go back and do read the suggested article:
http://www.bluekaizen.org/virtual-memory-basics-why-look-at-pagefile-sys/

it is clearly written and has nice images, I don't think it is too difficult to follow.

jaclaz

Posted : 12/10/2020 6:45 pm
confusedyoungman
(@confusedyoungman)
New Member
'The protected mode architecture keeps track of the status of each page and knows if a page is “dirty,” meaning that it has been modified since being loaded into RAM.'

The only thing here I need clarification on is this, what exactly is meant by modified? 

Posted : 12/10/2020 11:18 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @confusedyoungman

'The protected mode architecture keeps track of the status of each page and knows if a page is “dirty,” meaning that it has been modified since being loaded into RAM.'

The only thing here I need clarification on is this, what exactly is meant by modified? 

The page is loaded from hard disk into (say) page #12345 of RAM.

Then it is read (for whatever reasons it needs to be read) but it may also need to be written to (modified); if it is modified a "dirty" flag is set.

At a certain point the contents of page #12345 of RAM are not needed any more (as they have already been "used" for whatever the program needed them for).

Then, actual page #12345 (the area in RAM) is needed (to write new data to it).

There are two possibilities:
1) the page has only been read
2) the page has been read AND written to (modified)

In case #1 it would make no sense to copy it back to hard disk, in case #2 it may actually be needed (not necessarily as it could be discarded anyway, but that depends on the actual program running).

The dirty flag (actually its absence) allows the computer to re-use a page without needing to "ask the program" if changes are to be committed to hard disk.

You can think of this "flag" as a sign posted on a box in a storage space with "do not throw away, ask the janitor first".

jaclaz

 

 

Posted : 13/10/2020 9:27 am
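The dirty-page behaviour described in the post above, as an added toy model that is not code from this thread, from Windows, or from any forensic tool. It assumes two RAM frames, a two-slot pagefile, LRU eviction, and that a freed pagefile slot is reused in FIFO order without being wiped; the names (ToyMemoryManager, pages A to E) and the page contents are constructed for the illustration. Real memory managers are far more involved (working sets, modified-page writer, memory compression), but the model shows the two things that matter forensically: only modified pages ever reach the pagefile, and what is there is a side effect of memory pressure, not of anything the program "saved".

```python
"""Toy page-replacement model: why pagefile.sys holds an unpredictable mix of
4 KB pages.  Added illustration for this thread; not Windows code and not a
forensic tool.  Assumed simplifications: LRU eviction, one pagefile slot per
page, freed slots reused FIFO and never wiped."""
from collections import OrderedDict

PAGE_SIZE = 4096


def _pad(data: bytes) -> bytes:
    """Fit arbitrary bytes into exactly one page."""
    return bytes(data)[:PAGE_SIZE].ljust(PAGE_SIZE, b"\0")


class Page:
    def __init__(self, name: str, data: bytes, file_backed: bool):
        self.name = name
        self.data = _pad(data)
        self.file_backed = file_backed  # can be re-read from its file on disk
        self.dirty = False              # set once modified after being loaded


class ToyMemoryManager:
    def __init__(self, frames: int, pagefile_pages: int):
        self.frames = frames
        self.resident = OrderedDict()             # name -> Page, LRU first
        self.pagefile = bytearray(PAGE_SIZE * pagefile_pages)
        self.free_slots = list(range(pagefile_pages))
        self.slot_of = {}                         # name -> slot of swapped-out page
        self.writebacks = []                      # (name, slot) history

    def fault_in(self, page: Page) -> None:
        """Make a page resident, evicting the least recently used one if needed."""
        if page.name in self.resident:
            self.resident.move_to_end(page.name)
            return
        if len(self.resident) >= self.frames:
            self._evict()
        slot = self.slot_of.pop(page.name, None)
        if slot is not None:
            # Slot released for reuse, but its bytes are NOT wiped: the old
            # content lingers until another write-back lands on that slot.
            self.free_slots.append(slot)
        self.resident[page.name] = page

    def load_from_file(self, name: str, data: bytes) -> Page:
        """Page read from a file on disk: clean, and re-readable if discarded."""
        page = Page(name, data, file_backed=True)
        self.fault_in(page)
        return page

    def write(self, page: Page, data: bytes) -> None:
        """Modify a page: this is exactly what 'dirty' means."""
        self.fault_in(page)
        page.data = _pad(data)
        page.dirty = True

    def new_private(self, name: str, data: bytes) -> Page:
        """Anonymous (heap/stack) page: no file behind it, so once written it
        can only be preserved by the pagefile."""
        page = Page(name, b"", file_backed=False)
        self.write(page, data)
        return page

    def _evict(self) -> None:
        name, page = self.resident.popitem(last=False)
        if page.file_backed and not page.dirty:
            return                  # clean: just drop it, nothing hits the pagefile
        if not self.free_slots:
            raise MemoryError("pagefile exhausted")
        slot = self.free_slots.pop(0)
        self.pagefile[slot * PAGE_SIZE:(slot + 1) * PAGE_SIZE] = page.data
        self.slot_of[name] = slot
        self.writebacks.append((name, slot))
        page.dirty = False          # the on-disk copy is now current


def demo() -> dict:
    """Constructed scenario: 2 RAM frames, 2 pagefile slots, five pages."""
    mm = ToyMemoryManager(frames=2, pagefile_pages=2)
    mm.load_from_file("A", b"file page A: read-only, never dirty")
    b = mm.new_private("B", b"chat: hello from B")
    mm.new_private("C", b"chat: secret from C")    # evicts A: clean, simply dropped
    mm.new_private("D", b"chat: goodbye from D")   # evicts B: dirty, written to slot 0
    mm.fault_in(b)                                 # evicts C to slot 1; B's slot 0 is freed
    mm.new_private("E", b"chat: newest from E")    # evicts D: reuses slot 0, overwriting B
    pf = bytes(mm.pagefile)
    return {
        "writebacks": mm.writebacks,
        "A_in_pagefile": b"file page A" in pf,     # never written: False
        "B_in_pagefile": b"hello from B" in pf,    # overwritten by D: False
        "C_in_pagefile": b"secret from C" in pf,   # still in slot 1: True
        "D_in_pagefile": b"goodbye from D" in pf,  # in slot 0: True
        "E_in_pagefile": b"newest from E" in pf,   # still in RAM: False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that B's chat text was in the pagefile for a while and then vanished without any program deleting it, while A's file contents never got there at all. This is the "if it is there, it is there" point: presence depends on which pages happened to be dirty at the moment of memory pressure and on which slots were later reused.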
confusedyoungman
(@confusedyoungman)
New Member
I had misread the article and thought that only pages that had been modified went to the Hard drive (didn't see the word back), that'll teach me to read anything more complicated than game of thrones late at night.

What is meant by modified? I understand that this is probably a painfully simple question. Is it just like something or anything on the page is changed?  

Posted : 13/10/2020 9:44 am
confusedyoungman
(@confusedyoungman)
New Member
Posted by: @jaclaz

You are a Law student, aren't you?

Your questions should be (I am picky):

Why does Belkasoft Evidence Center only categorize as originated by Chrome some pictures and url's but not any text?

 

jaclaz

So I've done more research on the Belkasoft Evidence Center in regards to text and this is what I've come up with. It is quite hard to identify text in a byte stream, and even harder to determine which application created the text, even when the text is indeed stored in memory. It is only available when the application has a singular signature and a well-known structure of data stored in memory. It is seldom the case, so even if the text exists it would be difficult to identify for what it is. Would you say that's a correct summation?

Posted : 14/10/2020 7:32 am
jaclaz
(@jaclaz)
Community Legend
Posted by: @confusedyoungman
So I've done more research on the Belkasoft Evidence Center in regards to text and this is what I've come up with. It is quite hard to identify text in a byte stream, and even harder to determine which application created the text, even when the text is indeed stored in memory. It is only available when the application has a singular signature and a well-known structure of data stored in memory. It is seldom the case, so even if the text exists it would be difficult to identify for what it is. Would you say that's a correct summation?

Yep, and this applies not only to plain text, but also to other (recognizable) "snippets".

There are different levels of "certainty", i.e. if something is found, it is found (i.e. it certainly exists), then "patterns" in the memory structures (around the found "snippet") may (or may not) allow to attribute it to the running of this (or that) program with a certain level of confidence.

The same thing may apply - even more generally - to whole files (on disk) sporting a "common" format, not only plain text, i.e. you find the file but you cannot be sure which program was used to access/create/modify it.

jaclaz

Posted : 14/10/2020 9:16 am
confusedyoungman
(@confusedyoungman)
New Member
Is Belkasoft Evidence Center the best software for analysing the pagefile.sys?

Also, a tangent that entered my head. Is a pagefile.sys used the same way with servers? Like with a chatroom server that is used 24/7, is there so much information going through it that nothing would last long before being overwritten?

Posted : 15/10/2020 8:22 am
jaclaz
(@jaclaz)
Community Legend

No idea about Belkasoft being best or if there are other (better) software.

About servers I would hope that they are dimensioned (and their software configured) in such a way that use of the pagefile is at a minimum.

But it doesn't change the result, both if the pagefile is not used or if it is used a lot, chances of finding the specific info you are looking for are very low, it becomes a sort of  birthday paradox in the "same birthday as you" special case:

https://en.wikipedia.org/wiki/Birthday_problem#Same_birthday_as_you

jaclaz

Posted : 15/10/2020 6:19 pm
confusedyoungman
(@confusedyoungman)
New Member
Thanks for all the info lad. I came in asking whether a pagefile.sys was a good way to find evidence of chat rooms/forums, to which I got an answer of practically no; Belkasoft say they do not extract "texts" like that from browsers at all. But you've taught me a lot more than I initially came in looking for, thank you.

Posted : 17/10/2020 1:51 pm
Bunnysniper
(@bunnysniper)
Active Member
Posted by: @confusedyoungman

@bunnysniper

Thanks for the reply. Is there a general timeframe for much longer? If some artefacts are lost after two reboots would you expect to find artefacts that last longer than a month or a year or is there no timeframe at all? If pagefile.sys is the last place you look what's the first?

At first, please make yourself clear what pagefile.sys is and where it comes from. "Once upon a time"... I bought 64 MB of RAM for my Intel 386 and paid round about 200 DM (Deutsche Mark, a currency which does not even exist any longer) for it. So everyone was happy that you could extend your memory to the much cheaper hard drive into a pagefile, but the hard drive access was much, much slower. And every time you played "Doom" at this time, the Windows OS swapped some memory content from the physical memory to the hard drive and back, when needed. This is how fragments of memory content can get into a pagefile. And if you do not need a lot of memory again, some fragments will survive longer. Other fragments of memory will stay there only for minutes, until an application needs much more memory than available and overwrites old memory content with new memory content. This makes pagefile.sys somehow valuable for a digital forensic investigation, but unreliable at the same time. Today, modern systems have plenty of memory and do not use the pagefile since they have plenty of fast memory. Some system admins reduce it to the minimum size of IIRC 16MB to prevent swapping at all.

Better artifacts? Depends on the case, the affected operating system and what the story of the incident is. Believe it or not, sometimes you cannot miss the evidence when having a look into the Windows event log files. If you want to look for execution artifacts, amcache, prefetch and shimcache usually do the job. And there are many more locations to look at... hire a professional if you need one.

 

regards,

Robin

Posted : 19/10/2020 10:38 am
confusedyoungman
(@confusedyoungman)
New Member
Thanks for the response. I came in asking whether a pagefile.sys was a good way to find evidence of chat rooms/forums, to which I got an answer of practically no; Belkasoft say they do not extract "texts" like that from browsers at all. But another user explained more about what the pagefile.sys was and why my original question was unlikely; I feel I've a much better grasp on it.

Posted : 22/10/2020 6:17 pm
confusedyoungman
(@confusedyoungman)
New Member
Sorry to bother you again. I've decided to use computer forensics as the basis for my criminal law end of year paper. It will mostly focus around temporary files. I want to use my original uneducated question of whether the pagefile.sys can be used to read the text of forum posts or chat logs as a small section of the paper under limitations. We've established that it is possible, if extremely unlikely. I contacted both Belkasoft and Magnet AXIOM (who from what I can tell would be the main software in terms of pagefile analysis) and both said their software wouldn't look for that kind of artefact. Do you know of any other software that might? Just so I can comprehensively say that it is such a long shot that most computer forensics software doesn't even consider looking for it.

 

Posted : 06/11/2020 8:38 pm
jaclaz
(@jaclaz)
Community Legend

The pagefile.sys is a semi-random sequence of (ex-memory) "pages", i.e. a semi-random sequence of 4 KB "blocks".

As such it is not in any way (apart from the order of the sequence of these blocks) different from "RAW" data, i.e. it can be carved exactly like *any* RAW data; as an example, it is not in any way different from carving (fragmented) unallocated data on a disk for text.

*like*:

https://www.forensicfocus.com/forums/forensic-software/carving-software-for-txt-files/

Since texts (text files) are headerless and footerless (and have no particular "signature") there is no "known format" to look for, so the carving has to be based on contents; basically it is "string extraction", and a hypothetical attribution to this (or that) program can only be indirect and based on content and context.

jaclaz

 

 

Posted : 07/11/2020 10:03 am
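Page-aware string extraction of the kind described in the post above, as an added example that is not part of the thread and not code from Belkasoft, Magnet AXIOM or any other tool. It runs over a constructed 16 KB blob standing in for a copy of pagefile.sys taken from a disk image; the function names, the sample post, chat line and URL are assumptions made for the illustration. It carves printable ASCII and UTF-16LE runs one 4 KB page at a time, and separately flags keyword hits that straddle a page boundary, because two pages that sit side by side in the pagefile were not necessarily one contiguous buffer in memory.

```python
"""Page-aware string carving over a raw pagefile-style blob.

Added example; not code from this thread, from Belkasoft, Magnet AXIOM or any
other tool.  The input blob is constructed inline to stand in for a copy of
pagefile.sys obtained from a disk image (the live file is locked by Windows).
"""
import random
import re

PAGE_SIZE = 4096
MIN_LEN = 8

# Runs of printable ASCII, and UTF-16LE runs of the same characters (the
# encoding most Windows programs keep text in while it is in memory).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def carve_page(page: bytes, page_no: int) -> list:
    """Strings inside one 4 KB page as (page_no, offset, encoding, text)."""
    hits = []
    for m in ASCII_RUN.finditer(page):
        hits.append((page_no, m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RUN.finditer(page):
        hits.append((page_no, m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(hits, key=lambda h: h[1])


def carve(blob: bytes) -> list:
    """Carve page by page, so a run is never silently joined across a page edge."""
    hits = []
    for page_no, start in enumerate(range(0, len(blob), PAGE_SIZE)):
        hits.extend(carve_page(blob[start:start + PAGE_SIZE], page_no))
    return hits


def search(blob: bytes, needle: str) -> list:
    """Keyword search over the whole blob in both encodings.

    A hit straddling two pages is flagged: the pages were neighbours in the
    pagefile, but not necessarily one contiguous buffer in memory, so the
    joined string may be a coincidence and needs corroborating context."""
    hits = []
    for enc in ("ascii", "utf-16le"):
        pat = needle.encode(enc)
        i = blob.find(pat)
        while i >= 0:
            first, last = i // PAGE_SIZE, (i + len(pat) - 1) // PAGE_SIZE
            hits.append({"offset": i, "encoding": enc, "page": first,
                         "spans_pages": first != last})
            i = blob.find(pat, i + 1)
    return hits


def build_sample_pagefile() -> bytes:
    """Constructed stand-in for a pagefile: four pages, deterministic filler.

    The filler deliberately avoids printable bytes so the carver's output is
    repeatable; real pagefile noise does contain short accidental printable
    runs, which is exactly why MIN_LEN matters."""
    rng = random.Random(1)
    non_printable = list(range(0x01, 0x20)) + list(range(0x80, 0x100))

    def noise(n: int) -> bytes:
        return bytes(rng.choice(non_printable) for _ in range(n))

    def page(body: bytes, tail: bytes = b"") -> bytes:
        """Body at the start of the page, tail flush against its end."""
        return body + noise(PAGE_SIZE - len(body) - len(tail)) + tail

    p0 = page(b"")                                                     # pure noise
    p1 = page(noise(700) + b'<div class="post">Meet at the usual place at 9</div>')
    p2 = page(noise(200) + "chat: see you at 9".encode("utf-16le"),
              tail=b"http://example")                                  # URL cut by the page edge
    p3 = page(b".test/thread/42")                                      # rest of the URL, or is it?
    return p0 + p1 + p2 + p3


if __name__ == "__main__":
    blob = build_sample_pagefile()
    for hit in carve(blob):
        print("page %d +0x%03x %-8s %r" % hit)
    for hit in search(blob, "example.test"):
        print(hit)
```

The carver reports the HTML fragment and the UTF-16LE chat line with a page number and offset, which is all the context a pagefile gives you; nothing in the output says which program owned either page. The keyword search for "example.test" succeeds, but only because page 2 ends with "http://example" and page 3 begins with ".test/thread/42", so the hit is reported with spans_pages set and should be treated as a lead, not a finding, until the surrounding bytes support it.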