I have a case where I have found significant information in the pagefile.sys.
What I am finding are many internet addresses that are of interest to me. My question is what kind of inferences could be made about WHEN the data in the page file was put there.
The registry key for cleaning the pagefile on shutdown was not on.
Does the pagefile ever get wiped or can data in the pagefile be from let's say 6 months ago?
Yep.
???
Does the pagefile ever get wiped or can data in the pagefile be from let's say 6 months ago?
If the system has a lot of RAM it is likely that the pagefile is only used infrequently. Thus data could be quite old unless some utility has been run to clean the file.
Data could persist within the pagefile.sys file based upon any number of variables, including: RAM, system usage, system load, etc.
Cheers!
farmerdude
If you want to focus on the page file, you can carve index records from it with HistEx, which is included with NetAnalysis. The index records will provide a date of last visit, which will provide a time reference. You also may try to carve html files directly from the page file. Use a byte level approach.
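The byte-level carving suggested in the post above, as an added example that is not part of the original thread and is not how HistEx itself works. It assumes the index records are Internet Explorer index.dat "URL " records in the publicly documented layout (block count at offset 4, last-accessed FILETIME at offset 16, URL offset at 0x34); the function names and the sample buffer are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Plausibility window: rejects random bytes that follow a chance "URL " match.
MIN_TS = datetime(1995, 1, 1, tzinfo=timezone.utc)
MAX_TS = datetime(2040, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601) to UTC, or None if implausible."""
    try:
        dt = EPOCH_1601 + timedelta(microseconds=ft // 10)
    except OverflowError:
        return None
    return dt if MIN_TS <= dt <= MAX_TS else None

def carve_url_records(buf):
    """Scan raw bytes for 'URL ' record headers; return (offset, last_accessed, url) tuples."""
    hits, pos = [], 0
    while (pos := buf.find(b"URL ", pos)) != -1:
        start, pos = pos, pos + 4
        if start + 0x38 > len(buf):
            break  # not enough bytes left for a record header
        blocks, modified, accessed = struct.unpack_from("<IQQ", buf, start + 4)
        url_off, = struct.unpack_from("<I", buf, start + 0x34)
        size = blocks * 128  # assumed layout: record length is counted in 128-byte blocks
        when = filetime_to_dt(accessed)
        if not (0 < blocks <= 64 and 0x38 <= url_off < size and when):
            continue  # header fields are inconsistent: treat as a false positive
        # The slice is clamped to the buffer, so a record cut short still yields what is present.
        raw = buf[start + url_off:start + size].split(b"\x00", 1)[0]
        if raw and all(0x20 <= b < 0x7F for b in raw):
            hits.append((start, when, raw.decode("ascii")))
    return hits

def sample_pagefile():
    """Constructed input: junk bytes, one valid record, one chance 'URL ' string."""
    visit = datetime(2007, 3, 14, 9, 30, tzinfo=timezone.utc)
    ft = int((visit - EPOCH_1601).total_seconds()) * 10**7
    rec = bytearray(256)
    struct.pack_into("<4sIQQ", rec, 0, b"URL ", 2, ft, ft)
    struct.pack_into("<I", rec, 0x34, 0x68)
    url = b"Visited: user@http://example.test/page.html"
    rec[0x68:0x68 + len(url)] = url
    return b"\xaa" * 100 + bytes(rec) + b"see URL below for details" + b"\x00" * 200
```

The carved timestamp dates the visit recorded in the index record, not the moment that record was written to the pagefile, so it bounds the age of the data rather than fixing when it was paged out.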
I think Jimmy's suggestion is a good one. NetAnalysis is a good product, something you should consider in your forensic 'kit bag'. Otherwise if you have the latest version of EnCase you can run a comprehensive internet search over the pagefile which may provide you with the information you need.
Am I right in thinking that the page file does not get overwritten, but it gets moved when the computer is booted up?
I was under the impression that it got moved to the outermost concurrent space on the disk?