Pagefile.sys question

46 Posts
5 Users
1 Likes
7,784 Views
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

#1 OK.

#2 yes and no. It may contain "random" 4 KB chunks of data (memory pages) coming from RAM. (whether they are "artefacts" that may be linked to this or that program running and/or to this or that website, chat or *whatever* is another thing and this hypothetical attribution may be in the eyes of the beholder).

#3 OK

#4 OK

Answer to side question #4: It depends. Likely no, maybe yes.

I know the above answer is not definitive, but that is how a lot of things go when you are dealing with "random" fragments copied for unknown reasons when unknown conditions are met by means of a mechanism which is highly susceptible to numberless variables.

In these cases it is the other way round, if it is there, it is there, and if it isn't there it isn't there.

Then, the question moves to "is it possible that it is there" or "is it possible that it isn't there" because of the "normal"[1] usage and behaviour of the OS.

 

jaclaz

[1] and "normal" is not fully defined.

 
Posted : 12/10/2020 9:22 am
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 

@jaclaz

Probably not but maybe so is a good summation of most of my questions lol. Glad to know I'm good on 3/4.

If you could expand on point two a bit, or perhaps dumbing down for me is needed. Are you saying not only do they not contain readable posts, as I came in assuming, but that the random 4KB may not even be able to be linked to a file/site/chat/whatever?

 
Posted : 12/10/2020 9:33 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 
Posted by: @confusedyoungman

If you could expand on point two a bit, or perhaps dumbing down for me is needed. Are you saying not only do they not contain readable posts, as I came in assuming, but that the random 4KB may not even be able to be linked to a file/site/chat/whatever?

Yep, you have a number of 4KB pages that may (or may not) be part of a contiguous "set" of pages and/or that may (or may not) provide means to "connect" to a following page and that may (or may not) be linked (for sure) to this or that program (or website or *whatever*). 

As long as a "post" does fit in 4 KB (it does, rest assured) there is no reason why it cannot be found (IF it is there), and - still if it is there - it may well be plainly readable. (maybe better said, if it is there it can be found only if it is readable, as if it is not readable it will be confused among "binary noise").

Go back and do read the suggested article:
http://www.bluekaizen.org/virtual-memory-basics-why-look-at-pagefile-sys/

it is clearly written and has nice images, I don't think it is too difficult to follow.

jaclaz

 
Posted : 12/10/2020 6:45 pm
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 
Posted by: @jaclaz

Yep, you have a number of 4KB pages that may (or may not) be part of a contiguous "set" of pages and/or that may (or may not) provide means to "connect" to a following page and that may (or may not) be linked (for sure) to this or that program (or website or *whatever*). 

As long as a "post" does fit in 4 KB (it does, rest assured) there is no reason why it cannot be found (IF it is there), and - still if it is there - it may well be plainly readable. (maybe better said, if it is there it can be found only if it is readable, as if it is not readable it will be confused among "binary noise").

Go back and do read the suggested article:
http://www.bluekaizen.org/virtual-memory-basics-why-look-at-pagefile-sys/

it is clearly written and has nice images, I don't think it is too difficult to follow.

jaclaz

'The protected mode architecture keeps track of the status of each page and knows if a page is “dirty,” meaning that it has been modified since being loaded into RAM.'

The only thing here I need clarification on is this, what exactly is meant by modified? 

 
Posted : 12/10/2020 11:18 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 
Posted by: @confusedyoungman

'The protected mode architecture keeps track of the status of each page and knows if a page is “dirty,” meaning that it has been modified since being loaded into RAM.'

The only thing here I need clarification on is this, what exactly is meant by modified? 

The page is loaded from hard disk into (say) page #12345 of RAM.

Then it is read (for whatever reasons it needs to be read), but it may also need to be written to (modified); if it is modified, a "dirty" flag is set.

At a certain point the contents of page #12345 of RAM are not needed any more (as they have already been "used" for whatever use is needed by the program).

Then, actual page #12345 (the area in RAM) is needed (to write new data to it).

There are two possibilities:
1) the page has only been read
2) the page has been read AND written to (modified)

In case #1 it would make no sense to copy it back to hard disk; in case #2 it may actually be needed (not necessarily, as it could be discarded anyway, but that depends on the actual program running).

The dirty flag (actually its absence) allows the computer to re-use a page without needing to "ask the program" if changes are to be committed to hard disk.

You can think of this "flag" as a sign posted on a box in a storage space with "do not throw away, ask the janitor first".

jaclaz

Posted : 13/10/2020 9:27 am
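As an added example that is not part of the thread, here is a toy pager in Python that models the dirty flag jaclaz describes above. It is not Windows' memory manager (which, among other things, sends a modified page of a memory-mapped file back to that file rather than to the pagefile; only private memory is backed by pagefile.sys); it only shows the rule that a RAM frame being reused is written to the pagefile when its page is dirty and simply dropped when it is clean, and that a program releasing memory drops a dirty page too. The frame count, the LRU replacement choice and the free() call are assumptions of this model, not anything the article or the thread states.

```python
"""Toy model of demand paging with a dirty bit (constructed example, not Windows)."""
from collections import OrderedDict

PAGE_SIZE = 4096


class TinyPager:
    """A few RAM frames in front of a 'pagefile' dict, with LRU replacement (assumed)."""

    def __init__(self, frames):
        self.frames = frames          # number of pages that fit in RAM at once
        self.ram = OrderedDict()      # page_id -> [data, dirty]; insertion order = LRU order
        self.pagefile = {}            # page_id -> data written back on eviction
        self.writebacks = 0           # dirty pages copied to the pagefile
        self.discards = 0             # frames reused with nothing written

    def _evict(self):
        pid, (data, dirty) = self.ram.popitem(last=False)   # least recently used
        if dirty:
            self.pagefile[pid] = bytes(data)   # modified since loaded: must be saved
            self.writebacks += 1
        else:
            self.discards += 1                 # never modified: nothing to save
        return pid

    def _fault_in(self, pid):
        """Make page `pid` resident, evicting the LRU page if RAM is full."""
        if pid in self.ram:
            self.ram.move_to_end(pid)
            return
        if len(self.ram) >= self.frames:
            self._evict()
        # A page that was never written back starts as zeros in this model.
        data = bytearray(self.pagefile.get(pid, b"\x00" * PAGE_SIZE))
        self.ram[pid] = [data, False]

    def read(self, pid, offset, length):
        self._fault_in(pid)
        return bytes(self.ram[pid][0][offset:offset + length])

    def write(self, pid, offset, data):
        self._fault_in(pid)
        frame = self.ram[pid]
        frame[0][offset:offset + len(data)] = data
        frame[1] = True               # RAM copy now differs from what is on disk

    def free(self, pid):
        """The program released the memory: drop the frame, dirty or not (assumed)."""
        if self.ram.pop(pid, None) is not None:
            self.discards += 1


def demo():
    """Constructed sequence of accesses; returns the pager for inspection."""
    p = TinyPager(frames=2)
    p.write(1, 0, b"alice: meet me at 9")   # page 1 modified -> dirty
    p.read(2, 0, 16)                        # page 2 only read -> stays clean
    p.read(3, 0, 16)                        # RAM full: LRU page 1 is dirty -> written to pagefile
    p.read(4, 0, 16)                        # LRU page 2 is clean -> frame reused, nothing written
    p.write(5, 0, b"temp scratch")          # page 5 dirty ...
    p.free(5)                               # ... but released by the program: dropped, never written
    return p


if __name__ == "__main__":
    p = demo()
    print("pages that reached the pagefile:", sorted(p.pagefile))
    print("writebacks:", p.writebacks, "discards:", p.discards)
```

Only page 1 ends up in the pagefile dict: page 2 was read but never modified, so its frame is reused without a write, and page 5 was dirty but released before anything evicted it. That is the "if it is there, it is there" situation from the thread: whether a given fragment reaches pagefile.sys depends on the access pattern, not on the fragment.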
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 
Posted by: @jaclaz

The page is loaded from hard disk into (say) page #12345 of RAM.

Then it is read (for whatever reasons it needs to be read), but it may also need to be written to (modified); if it is modified, a "dirty" flag is set.

At a certain point the contents of page #12345 of RAM are not needed any more (as they have already been "used" for whatever use is needed by the program).

Then, actual page #12345 (the area in RAM) is needed (to write new data to it).

There are two possibilities:
1) the page has only been read
2) the page has been read AND written to (modified)

In case #1 it would make no sense to copy it back to hard disk; in case #2 it may actually be needed (not necessarily, as it could be discarded anyway, but that depends on the actual program running).

The dirty flag (actually its absence) allows the computer to re-use a page without needing to "ask the program" if changes are to be committed to hard disk.

jaclaz

I had misread the article and thought that only pages that had been modified went to the hard drive (didn't see the word "back"); that'll teach me to read anything more complicated than Game of Thrones late at night.

What is meant by modified? I understand that this is probably a painfully simple question. Is it just like something or anything on the page is changed?  

 
Posted : 13/10/2020 9:44 am
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 
Posted by: @jaclaz

You are a Law student, aren't you?

Your questions should be (I am picky):

Why does Belkasoft Evidence Center only categorize as originated by Chrome some pictures and URLs but not any text?

 

jaclaz

So I've done more research on the Belkasoft Evidence Center in regards to text and this is what I've come up with. It is quite hard to identify text in a byte stream, and even harder to determine the application that created the text, even when the text is indeed stored in memory. It is only available when the application has a singular signature and a well-known structure of data stored in memory. It is seldom the case, so even if the text exists it would be difficult to be identified for what it is. Would you say that's a correct summation?

 
Posted : 14/10/2020 7:32 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 
Posted by: @confusedyoungman
So I've done more research on the Belkasoft Evidence Center in regards to text and this is what I've come up with. It is quite hard to identify text in a byte stream, and even harder to determine the application that created the text, even when the text is indeed stored in memory. It is only available when the application has a singular signature and a well-known structure of data stored in memory. It is seldom the case, so even if the text exists it would be difficult to be identified for what it is. Would you say that's a correct summation?

Yep, and this applies not only to plain text, but also to other (recognizable) "snippets".

There are different levels of "certainty", i.e. if something is found, it is found (i.e. it certainly exists), then "patterns" in the memory structures (around the found "snippet") may (or may not) allow to attribute it to the running of this (or that) program with a certain level of confidence.

The same thing may apply - even more generally - to whole files (on disk) sporting a "common" format, not only plain text, i.e. you find the file but you cannot be sure which program was used to access/create/modify it.

jaclaz

 
Posted : 14/10/2020 9:16 am
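As an added example, not from the thread and not Belkasoft's or any real tool's logic, the Python script below walks a constructed pagefile-like image in 4 KiB pages, pulls out readable ASCII and UTF-16LE runs, and then tries to attribute a hit by looking for a recognisable structure around it. It ties together two points made above: jaclaz's earlier one that a post fits in one 4 KB page but is found only if it is readable (and a run that straddles two pages arrives as two unrelated fragments), and the point in this post that attribution to a program needs a known structure around the snippet. Everything in it is made up: the image is non-printable filler with a few fragments planted at known places, and the "CHAT" magic plus length header is a hypothetical chat client's record layout invented to show the difference between "the text is there" and "the text came from program X".

```python
"""Page-granular string search over a constructed pagefile-like image
(added example; the image and the CHAT record layout are invented)."""
import re
import struct

PAGE_SIZE = 4096   # pagefile.sys is written in 4 KiB memory pages
MIN_RUN = 8        # shortest run of printable bytes worth reporting

# Hypothetical in-memory layout of a chat client's message record, invented here:
# 4-byte magic, u32 little-endian payload length, UTF-8 payload.
CHAT_MAGIC = b"CHAT"
CHAT_HDR = struct.Struct("<4sI")

ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_RUN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_RUN)   # UTF-16LE, ASCII range


def chat_record(text):
    payload = text.encode("utf-8")
    return CHAT_HDR.pack(CHAT_MAGIC, len(payload)) + payload


def build_sample_image():
    """Constructed stand-in for a pagefile: 8 pages of non-printable filler
    with fragments planted at known places. Not data from a real system."""
    filler = bytes(range(0x80, 0x100))                 # no printable ASCII, no NULs
    img = bytearray(filler * (8 * PAGE_SIZE // len(filler)))

    def plant(page, offset, data):
        start = page * PAGE_SIZE + offset
        img[start:start + len(data)] = data

    # bare text with no structure around it: findable, not attributable
    plant(1, 100, b"alice: meet me at 9, bring the drive")
    # Windows keeps most strings in memory as UTF-16LE
    plant(2, 512, "C:\\Users\\alice\\Downloads\\notes.txt".encode("utf-16-le"))
    # a whole record of the hypothetical chat client inside one page
    plant(3, 4000, chat_record("bob: ok see you there"))
    # a URL straddling the page 5 / page 6 boundary
    plant(5, 4080, b"https://example.invalid/threads/12345?view=full")
    # a record whose header sits in page 6 but whose payload spills into page 7
    plant(6, 4080, chat_record("carol: the file is in the shared folder"))
    return bytes(img)


def pages(image):
    for start in range(0, len(image), PAGE_SIZE):
        yield start // PAGE_SIZE, image[start:start + PAGE_SIZE]


def extract_strings(image):
    """Return (page, offset, encoding, text) for every readable run, per page.
    A run that crosses a page boundary shows up as two unrelated fragments."""
    hits = []
    for page_no, page in pages(image):
        for m in ASCII_RUN.finditer(page):
            hits.append((page_no, m.start(), "ascii", m.group().decode("ascii")))
        for m in UTF16_RUN.finditer(page):
            hits.append((page_no, m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return hits


def attribute(image):
    """Return (page, offset, complete, text) for each CHAT header found.
    Only a record lying entirely within one page is a confident match;
    a header whose payload leaves the page is reported as incomplete."""
    findings = []
    for page_no, page in pages(image):
        pos = page.find(CHAT_MAGIC)
        while pos != -1:
            if pos + CHAT_HDR.size <= len(page):
                _, length = CHAT_HDR.unpack_from(page, pos)
                body = page[pos + CHAT_HDR.size:pos + CHAT_HDR.size + length]
                findings.append((page_no, pos, len(body) == length,
                                 body.decode("utf-8", "replace")))
            pos = page.find(CHAT_MAGIC, pos + 1)
    return findings


if __name__ == "__main__":
    image = build_sample_image()
    for page_no, off, enc, text in extract_strings(image):
        print(f"page {page_no:2d} +{off:4d} {enc:8s} {text!r}")
    for page_no, off, complete, text in attribute(image):
        status = "complete record, attributable" if complete else "torn record, weak attribution"
        print(f"page {page_no:2d} +{off:4d} CHAT {status}: {text!r}")
```

The string pass finds alice's line, the UTF-16 path and bob's message, but it reports the URL as "https://example." in page 5 and "invalid/threads/12345?view=full" in page 6 with nothing linking the two, which is the "may or may not provide means to connect to a following page" case. The attribution pass accepts bob's record because magic, length and payload all sit in page 3, and flags carol's as torn because the header is in page 6 while most of the payload landed in page 7; alice's line never gets attributed at all, since there is no structure around it to recognise.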
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 
Posted by: @jaclaz
Posted by: @confusedyoungman
So I've done more research on the Belkasoft Evidence Center in regards to text and this is what I've come up with. It is quite hard to identify text in a byte stream, and even harder to determine the application that created the text, even when the text is indeed stored in memory. It is only available when the application has a singular signature and a well-known structure of data stored in memory. It is seldom the case, so even if the text exists it would be difficult to be identified for what it is. Would you say that's a correct summation?

Yep, and this applies not only to plain text, but also to other (recognizable) "snippets".

There are different levels of "certainty", i.e. if something is found, it is found (i.e. it certainly exists), then "patterns" in the memory structures (around the found "snippet") may (or may not) allow to attribute it to the running of this (or that) program with a certain level of confidence.

The same thing may apply - even more generally - to whole files (on disk) sporting a "common" format, not only plain text, i.e. you find the file but you cannot be sure which program was used to access/create/modify it.

jaclaz

Is the Belkasoft Evidence Center the best software for analysing the pagefile.sys?

Also a tangent that entered my head. Is a pagefile.sys used the same with servers? Like with a chatroom server that is used 24/7, is there so much information going through it that nothing would last long before being overwritten?

 
Posted : 15/10/2020 8:22 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

No idea about Belkasoft being best or if there are other (better) software.

About servers I would hope that they are dimensioned (and their software configured) in such a way that use of the pagefile is at a minimum.

But it doesn't change the result: whether the pagefile is not used or is used a lot, the chances of finding the specific info you are looking for are very low; it becomes a sort of birthday paradox in the "same birthday as you" special case:

https://en.wikipedia.org/wiki/Birthday_problem#Same_birthday_as_you

jaclaz

 
Posted : 15/10/2020 6:19 pm
Page 4 / 5