Pagefile.sys question

jaclaz (@jaclaz)
Posted by: @confusedyoungman 

I had assumed there would be no real answer to how long. What would surprise you in terms of how old an artefact is? 2 years? I downloaded FTK Imager and the Belkasoft Evidence Center trial version. There are a lot of URLs from last month and virtually none from August, but my PC was newly built in August.

Would there being very little actual usage now mean that artefacts that are present in the pagefile.sys are in there longer because things aren't being swapped out as frequently?

Actually nothing would surprise me, in the sense that (random example) you get a new laptop with a small amount of RAM (where the pagefile is needed AND is used) and a largish pagefile, you use it for a few days browsing the web opening tens or hundreds of pages (that will likely go - in parts - to the pagefile), then you understand how you really need that extra (say) 8 GB stick of RAM, install it, do not change anything in the pagefile settings and then - for some reason - you use the laptop offline only to write your next novel (yes, the one that takes years to write and that you will never finish).

In such a scenario the browsing data that originally was swapped to the pagefile will still be there after years, as nothing will overwrite it.

In the real world, it is more likely that - sooner or later - you will update your browser or use a new experimental one, and that it will crash, starting to eat memory (and thus filling the pagefile up to the brim) until the whole OS crashes.

jaclaz

 
Posted : 10/10/2020 8:31 am
(@confusedyoungman)
Posted by: @jaclaz

In such a scenario the browsing data that originally was swapped to the pagefile will still be there after years, as nothing will overwrite it.

In the real world, it is more likely that - sooner or later - you will update your browser or use a new experimental one, and that it will crash, starting to eat memory (and thus filling the pagefile up to the brim) until the whole OS crashes.

jaclaz

Yeah, that makes sense. My parents had an old Dell Dimension 4600 from when I was a kid with 2 GB of RAM. That would make extensive use of the pagefile.sys due to the small amount of RAM, whereas my current PC with 16 GB of RAM would make much less use of it. So evidence of artefacts would remain in my current pagefile.sys longer than in my parents' back in the day due to reduced use? Is all that correct?

 

So I used FTK Imager and the Belkasoft Evidence Center trial version and I've a few questions about the results. It returned several artefacts from browsers called Tor and Opera, but I've never used anything other than Chrome. It had evidence of Skype messages from 2013, but I bought the RAM two months ago and have never used Skype.

 

It has no evidence of anything from a website that I've visited bar URLs and pictures, so my original idea that it could be used to find evidence of chatroom/forum posts was way wrong, haha, unless those are what 'other files' are: https://imgur.com/a/nbGyA5C.

 

Thanks for taking the time to continue this conversation, I am learning a lot.

 
Posted : 10/10/2020 4:36 pm
jaclaz (@jaclaz)

Yep, of course it depends on the OS and on the specific usage.

But how these (longer lasting) artefacts would manage to get into the pagefile?

More or less, set aside "graphical" programs/activities like video editing, high resolution photography/imaging/retouching, 3D modeling and rendering, all normally used programs on a PC BUT the browser (and only partially due to the browser itself, largely because of the crapload of stuff that web sites send) will only use a very small amount of memory, so the pagefile is really rarely or never hit on adequate machines.

To give you a numerical example, on your old Dell a properly configured pagefile would have been 2 to 2.5 times the amount of RAM, so total memory on the machine would have been 4 to 5 GB.

But at the time most machines had 1 or 2 GB of RAM, 4 GB was rare (as 32 bit was prevalent and only few motherboards could access more than 3.5 GB of RAM).

A "normal" machine today (anything that you find at the lower price end, let's say 40% of the market) has 4 GB of RAM and the pagefile would be 1x, i.e. total 8 GB.

A less common machine (mid-range, let's say another 40% of the market) would have 8 GB of RAM and still the pagefile would be 1x, so total 16 GB.

Your 16 GB laptop (at the lower end of "top-range", which again probably has a 1x pagefile, so 32 GB total) would have an "in use" pagefile if - and only if - the 4 GB machines constantly crashed for lack of memory and the 8 GB ones sometimes crashed and constantly slowed down (more or less noticeably depending on the storage media) when in use due to swapping.

Since it is not like this is happening ...

jaclaz

 
Posted : 10/10/2020 5:33 pm
(@confusedyoungman)
Posted by: @jaclaz

Yep, of course it depends on the OS and on the specific usage.

But how these (longer lasting) artefacts would manage to get into the pagefile?

More or less, set aside "graphical" programs/activities like video editing, high resolution photography/imaging/retouching, 3D modeling and rendering, all normally used programs on a PC BUT the browser (and only partially due to the browser itself, largely because of the crapload of stuff that web sites send) will only use a very small amount of memory, so the pagefile is really rarely or never hit on adequate machines.

 

jaclaz

I actually don't know if 2 GB of RAM was accurate for my parents' old PC; it could have been less.

So the browser is the only normally used program on a PC to use the pagefile.sys; are there specific artefacts from the browser that would be more likely to be sent to the pagefile? Like my search on my own showed images (your avatar for one, haha)/URLs/search results but nothing like emails or anything text based at all. Is that just the software I'm using?

I realized that my question on what would surprise you above was far too broad. That is actually what dawned on me the most during this discussion: that I'm thinking in far too broad terms. So taking my parents' PC as an example, which would be used for internet browsing and iTunes, rebooted every day and used for roughly 4 hours, would you be surprised to see artefacts from a year previous? From 5 years previous?

 
Posted : 11/10/2020 3:25 am
jaclaz (@jaclaz)
Posted by: @confusedyoungman

I actually don't know if 2 GB of RAM was accurate for my parents' old PC; it could have been less.

So the browser is the only normally used program on a PC to use the pagefile.sys; are there specific artefacts from the browser that would be more likely to be sent to the pagefile? Like my search on my own showed images (your avatar for one, haha)/URLs/search results but nothing like emails or anything text based at all. Is that just the software I'm using?

I realized that my question on what would surprise you above was far too broad. That is actually what dawned on me the most during this discussion: that I'm thinking in far too broad terms. So taking my parents' PC as an example, which would be used for internet browsing and iTunes, rebooted every day and used for roughly 4 hours, would you be surprised to see artefacts from a year previous? From 5 years previous?

No idea for a prediction, there are too many factors involved: one day an issue with a stupid web site makes the browser fill the pagefile, then for one year all programs behave (and so at least some of the data remains in the pagefile), then one day something crashes and the pagefile is overwritten with new data. All I can say is that with a relatively low amount of RAM there is less probability of finding something "old" (as it is more likely that the pagefile is used more often), whilst with relatively large amounts of RAM data may survive longer BUT the data probably never went there in the first instance.

jaclaz

 
Posted : 11/10/2020 7:50 am
(@confusedyoungman)
Posted by: @jaclaz

No idea for a prediction, there are too many factors involved: one day an issue with a stupid web site makes the browser fill the pagefile, then for one year all programs behave (and so at least some of the data remains in the pagefile), then one day something crashes and the pagefile is overwritten with new data. All I can say is that with a relatively low amount of RAM there is less probability of finding something "old" (as it is more likely that the pagefile is used more often), whilst with relatively large amounts of RAM data may survive longer BUT the data probably never went there in the first instance.

jaclaz

Ah yeah I get ya. Do you have any idea why Belkasoft Evidence Center is showing artefacts from browsers/instant messengers I've never used or had on my PC at all? Also from the chrome browser the only artefacts seem to be pictures and urls is that normal? 

 
Posted : 11/10/2020 8:16 am
jaclaz (@jaclaz)
Posted by: @confusedyoungman

Do you have any idea why Belkasoft Evidence Center is showing artefacts from browsers/instant messengers I've never used or had on my PC at all? Also from the chrome browser the only artefacts seem to be pictures and urls is that normal? 

You are a Law student, aren't you?

Your questions should be (I am picky):

Why does Belkasoft Evidence Center attribute to browsers/instant messengers that were never used presumed artefacts it carved from pagefile.sys?

Why does Belkasoft Evidence Center only categorize as originated by Chrome some pictures and URLs but not any text?

The reworded questions seem very similar, but they are not.

Read more (only seemingly unrelated) about carving and different results with different tools:

https://www.forensicfocus.com/forums/forensic-software/recommendations-for-carving-software/

jaclaz

 
Posted : 11/10/2020 12:15 pm
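To make the reworded questions concrete, here is an added example (not from the thread, and not Belkasoft's or any other vendor's code) of how a signature-based carver works and why its labels can mislead. Everything in it is constructed: the signatures are hypothetical stand-ins for a product's rules, and the sample "pagefile" contains only content Chrome would have produced, namely an HTML page about Tor that carries a site's browser-sniffing script and a skype: contact link, plus one URL stored as a UTF-16LE wide string, the way Windows programs hold text in memory. Run it and the carver still reports Opera, Tor Browser and Skype hits, because a carver attributes a match to whatever program its pattern is associated with, not to the program that wrote the bytes; the context column is the check to make before believing the label. The UTF-16LE pass is there because a carver that only matches one byte per character misses wide strings entirely, which is one reason two tools give different result sets over the same pagefile.

```python
"""Signature-based carving over a pagefile-style blob, and why labels mislead.

Added example for this thread; it is not Belkasoft's (or any vendor's) code,
and the signatures below are hypothetical stand-ins for product rules.
"""
import re
from dataclasses import dataclass

# What a tool *reports* (key) versus what it actually *matches* (pattern).
# Hypothetical rules; real products use many more, and richer, patterns.
SIGNATURES = {
    "Chrome/URL":  re.compile(r"https?://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._~%/?#=&+-]*)?"),
    "Opera":       re.compile(r"\bOPR/|\bOpera/"),
    "Tor Browser": re.compile(r"\.onion\b|\btorrc\b|\btor\.exe\b"),
    "Skype":       re.compile(r"skype:[A-Za-z0-9._-]+\?(?:call|chat|add)"),
}


@dataclass
class Hit:
    offset: int     # byte offset of the match in the blob
    encoding: str   # "ascii" (one byte per char) or "utf-16le" (Windows wide strings)
    label: str      # what a signature-based tool would attribute the hit to
    text: str       # the matched string
    context: str    # surrounding text, for the human check the thread asks for


def _printable(s: str) -> str:
    return "".join(c if 32 <= ord(c) < 127 else "." for c in s)


def carve(blob: bytes, context_chars: int = 40) -> list[Hit]:
    """Run every signature over three views of the blob: raw bytes decoded as
    latin-1 (char index == byte offset), and UTF-16LE decoded at both byte
    alignments, because a wide string in a pagefile need not start on an even
    offset.  Surrogate pairs are ignored (offsets assume 2 bytes per char)."""
    views = [("ascii", blob.decode("latin-1"), 1, 0)]
    for shift in (0, 1):
        wide = blob[shift:].decode("utf-16le", errors="replace")
        views.append(("utf-16le", wide, 2, shift))

    hits: list[Hit] = []
    for encoding, text, width, shift in views:
        for label, pattern in SIGNATURES.items():
            for m in pattern.finditer(text):
                lo, hi = max(0, m.start() - context_chars), m.end() + context_chars
                hits.append(Hit(offset=m.start() * width + shift,
                                encoding=encoding, label=label,
                                text=m.group(), context=_printable(text[lo:hi])))
    return sorted(hits, key=lambda h: h.offset)


def count_by_label(hits: list[Hit]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.label] = counts.get(h.label, 0) + 1
    return counts


# Constructed sample: the only program that ever ran here is Chrome.  Region
# one is an HTML page Chrome rendered (a news article *about* Tor, with the
# site's own browser-sniffing script and a Skype contact link).  Region two is
# a URL as Chrome's Windows code would hold it, UTF-16LE, deliberately placed
# at an odd byte offset.  Zero runs stand in for never-used pages.
SAMPLE_PAGE_HTML = (
    b"<html><head><title>What is Tor? - Example News</title>"
    b'<script>var isOpera = navigator.userAgent.indexOf("OPR/") > -1 '
    b'|| navigator.userAgent.indexOf("Opera/") > -1;</script></head>'
    b"<body><p>Hidden services use .onion addresses; the Tor Browser "
    b"ships with a default torrc.</p>"
    b'<a href="skype:example.sales?call">Call us on Skype</a>'
    b'<img src="https://images.example.com/avatar/jaclaz.png"></body></html>'
)
SAMPLE_WIDE_URL = "https://www.forensicfocus.com/forums/"
_PAD = 4095 + (len(SAMPLE_PAGE_HTML) % 2)          # forces an odd start offset
SAMPLE_WIDE_URL_OFFSET = len(SAMPLE_PAGE_HTML) + _PAD


def build_sample_blob() -> bytes:
    return (SAMPLE_PAGE_HTML
            + b"\x00" * _PAD
            + SAMPLE_WIDE_URL.encode("utf-16le")
            + b"\x00" * 4096)


if __name__ == "__main__":
    found = carve(build_sample_blob())
    print(count_by_label(found))
    for h in found:
        print(f"{h.offset:#08x} {h.encoding:<9} {h.label:<12} {h.text}")
        print(f"         context: {h.context}")
```

Point the same `carve()` at a real `pagefile.sys` copy (taken from a dead-disk image; the live file is locked) by reading it in chunks and replacing the sample blob, and read the context of every hit whose label names a program you never installed: a `.onion` inside `<p>` tags or an `OPR/` inside `navigator.userAgent` is a page that Chrome rendered, not evidence that Tor or Opera ran.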
(@confusedyoungman)
Posted by: @jaclaz
Posted by: @confusedyoungman

Do you have any idea why Belkasoft Evidence Center is showing artefacts from browsers/instant messengers I've never used or had on my PC at all? Also from the chrome browser the only artefacts seem to be pictures and urls is that normal? 

You are a Law student, aren't you?

Your questions should be (I am picky):

Why does Belkasoft Evidence Center attribute to browsers/instant messengers that were never used presumed artefacts it carved from pagefile.sys?

Why does Belkasoft Evidence Center only categorize as originated by Chrome some pictures and URLs but not any text?

The reworded questions seem very similar, but they are not.

Read more (only seemingly unrelated) about carving and different results with different tools:

https://www.forensicfocus.com/forums/forensic-software/recommendations-for-carving-software/

jaclaz

Haha, those are much more academically pointed questions, you are correct. I'll read the links in the thread provided, thank you, and see if I have the intellectual capacity to answer the new questions.

One completely unrelated question that I'd like confirmed or rubbished and then I'll stop bothering you. I read that your IP address often changes and that ISPs only retain records for 90 days; does that mean that if you had an IP address for an email address, it would be useless for tracking unless they logged in with a new IP?

Posted : 11/10/2020 12:31 pm
jaclaz (@jaclaz)
Posted by: @confusedyoungman
One completely unrelated question that I'd like confirmed or rubbished and then I'll stop bothering you. I read that your IP address often changes and that ISPs only retain records for 90 days; does that mean that if you had an IP address for an email address, it would be useless for tracking unless they logged in with a new IP?

It depends on ISP, country, contract, type of connection, etc.

In the EU most IPs are static AFAIK, while in the USA they are (for home connections) more commonly dynamic, but neither is to be taken as given; some connections do have dynamic IPs but they are only renewed on disconnection (which nowadays often means only when resetting your router).

Same goes for traffic data retention: what is stored and for how long may depend on the country's laws but also on the specific ISP's policies.

jaclaz

 
Posted : 11/10/2020 2:19 pm
(@confusedyoungman)
I've come to terms with not having the technical knowledge to understand why the Belkasoft Evidence Center isn't returning any text artefacts, lol.

To summarise what I've learnt in four points.

1) The pagefile.sys is space on the hard drive used to increase memory space in the event that more memory is needed than the RAM can provide. Fragments of pages are moved to the pagefile to stop the system crashing.

2) It won't contain full files or copies of webpages but rather artefacts that show access to a file or webpage or evidence it has been viewed. So you wouldn't be able to read a chat/forum post from a browser but would be able to see they visited the site and had the site's IP address.

3) The larger the RAM, the less likely the pagefile is used, but the longer artefacts will remain in the pagefile before being overwritten due to this lessened usage. It is unlikely artefacts would last years, due either to 1. not being present at all due to large RAM or 2. smaller RAM, so more consistent overwriting.

4) There is no expected timeline on how long it would take the pagefile.sys to fully overwrite because it does so in different pieces and not in order. Malfunctions in the browser can cause the pagefile to fill at any time, adding a variable that makes estimated timing improbable. (Actually, one more question here: if the browser behaved normally and with 2 GB RAM and the same usage as discussed above, i.e. 2-4 hours a day browsing, would you guess that artefacts written to the pagefile.sys in Jan 2010 would be present in Jan 2011?)

Would you say that those four points are broadly correct?

Posted : 12/10/2020 1:40 am