Recover data from pagefile.sys

10 Posts
5 Users
0 Likes
2,878 Views
(@forensicgl)
Posts: 9
Active Member
Topic starter
 

Hi to all the Forensic Focus community!

I lost some important data on Thursday evening (overwritten) and I'm trying every way to recover it.

I need to recover a few files that are at most 200 KB in size.

I was wondering if there is a chance to find this data in the Windows XP swap file pagefile.sys (the pagefile is over 1300 MB in size).

I have the EnCase 4.20 and FTK 2.0 manuals, but I can't find any reference to swap file recovery in them.

Can someone help me in some way?

Thank you

 
Posted : 04/07/2009 2:11 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

It might help to know a bit more about what you're looking for…for example, Word documents maintain temp files with ".tmp" extensions, and you may be able to recover or carve from unallocated space. Also, sometimes files aren't "lost" as much as they're simply in a different directory, or as I've seen several times in Excel, you can fat finger a key sequence and 'hide' the visible data in a spreadsheet file.

 
Posted : 04/07/2009 5:01 pm
(@forensicgl)
Posts: 9
Active Member
Topic starter
 

It might help to know a bit more about what you're looking for…

Hi Keydet89,

The files do not have a common extension like Word, Excel, PDF or similar.

They are proprietary binary files from an invoicing program.

Each file is very small in size (around 200 KB or less) and I need to recover 2 or 4 of them.

Considering that the swap file is very big (over 1300 MB) and that after the data loss I have practically not used the PC, is there any chance to find them in the pagefile.sys?

Even a file that is one month old or more is OK.

 
Posted : 04/07/2009 7:09 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Considering that the swap file is very big (over 1300 MB) and that after the data loss I have practically not used the PC, is there any chance to find them in the pagefile.sys?

Perhaps, but how you'd look for binary data amongst other binary data, I'm not sure.

The size of the pagefile should not be your sole reason for looking there. Again, I'd probably target unallocated space first, particularly if the file was written to disk at any point.

 
Posted : 04/07/2009 7:54 pm
(@seanmcl)
Posts: 700
Honorable Member
 

It is possible that you might find traces of one or more files but I would think it rather unlikely that you could recover an entire file for a couple of reasons.

It is possible that the user has set a local policy to clear the pagefile at shutdown. I see this employed, especially with laptops, as a means of increasing security in the case of theft (though it is better to encrypt the whole drive and be done with it).

Look in your local policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

Also, remember that the usage of pagefile.sys will be determined by the size of physical memory in relation to the actual demand for memory during system operation. Big applications with little memory will use pagefile.sys frequently, overwriting existing contents. In these situations, pagefile.sys is a better indication of how the system had been used since the last startup rather than months ago.

Finally, remember that the pagefile contains only those parts of the application which the OS determines do not need to be in physical memory. Typically that is less than the total program size including any open data files. In addition, unless the program loads all of the data into virtual memory, and many programs don't, you are unlikely to find all of your program (or all of your data) in pagefile.sys.

 
Posted : 04/07/2009 8:09 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

"I lost some important data on Thursday evening (overwritten) and I'm trying every way to recover it."

Overwritten within the program itself? What program is it? With a little more information there could be a better understanding of the program architecture. Many programs dump temp versions of files into cache directories or other areas of the drive. If you were able to find a current one of these files, you could search unallocated space for remnants of similar files after you gain some insight into its structure in something like a hex editor.

 
Posted : 04/07/2009 9:24 pm
(@forensicgl)
Posts: 9
Active Member
Topic starter
 

I'd probably target unallocated space first, particularly if the file was written to disk at any point.

I think I have already done this with Ontrack Easy Recovery Pro using the raw recovery method, but with no luck.

It is possible that the user has set a local policy to clear the pagefile at shutdown.

On this system there is no policy that forces the deletion of this file at shutdown.

What program can I use to try to find something in the swap file?

Is there a commercial or open-source program that can do this?

 
Posted : 04/07/2009 9:32 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

What program can I use to try to find something in the swap file?

A hex editor. Grep(). Perl.

Is there a commercial or open-source program that can do this?

See above.

Consider the nature of the pagefile…it's largely unstructured. You may not find a file, or even fragments of one, in this source.

 
Posted : 04/07/2009 10:21 pm
(@seanmcl)
Posts: 700
Honorable Member
 

I think that you may be misunderstanding what the swap file is. In Windows, applications (generally) cannot allocate physical memory, directly. Instead, they allocate virtual memory some of which gets mapped to physical memory and some of which is paged out to the swap file when the total amount of physical memory is less than what is needed for the OS and all the running applications.

What determines what part of the application space is resident in physical memory or swap space are a number of factors but, in general, those parts that are least used will be in swap whereas those most frequently used will be resident. Obviously, this changes with the number of applications running and the amount of physical memory installed.

The point being that unlike disk space, where a resident file has a starting sector which is the first sector in a block and an ending block which also starts on the first sector in a block, the blocks in swap space don't, necessarily, correspond to the starting or ending blocks of a file. The file being manipulated by the application may have its starting sector located someplace other than the starting sector of the block and may not even be on a block or sector boundary.

You don't even know, without other corroborating evidence, whether two contiguous blocks in the swap space represent two contiguous blocks of the running application.

Moreover, since it is the running OS that determines the allocation of space in the swap file, once the system is shut down, there is no persistence of that data. If you are lucky enough that the system was not actually shut down but simply hibernated, you could, possibly, restore the system to the state prior to shutdown, but that still would be far less than what you would need to recreate a 200K file and that would presume that the file that you wanted to recover was opened at the time that the system hibernated.

What the swap file is most commonly used for is to determine, when possible, what processes were running at shutdown and to look for free text and other data that could contain such things as passwords. It is not an ideal place to attempt complete file recovery since its purpose is not to preserve file data, but rather, less well used application data.

 
Posted : 04/07/2009 11:42 pm
(@akaplan0qw9)
Posts: 69
Trusted Member
 

I'm assuming this is only a small part of a proprietary database that you were using; you must have some old copies in the form that is used. I would try to build one or more pattern searches looking for various parts of the form. I would then use FTK 2.2 in a live search. You'll probably get inundated by hits, but it might give you at least a part of the file you're looking for. Failing that, I would do a number of live searches for the content of different data fields that you believe were in the overwritten form.

Another possibility is searching for the extension. I realize that you said that this was a unique extension. FTK 2.2 reports all extensions found in the evidence and then allows you to look at them in natural, hex, text and filtered views. You might get lucky there as well.

Good luck!

 
Posted : 06/07/2009 9:42 am
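The three technical points raised in this thread, keydet89's "hex editor, grep, Perl" approach, seanmcl's warning that adjacent pages in the pagefile need not have been adjacent in the process, and akaplan's suggestion to search for field values from the form, come together in the following scanner. It is an added illustration written for this page in Python, not code posted by any participant. It assumes a 4 KiB page size, an invented "INVC"/"ENDC" record marker pair standing in for the unknown invoicing format, and a constructed in-memory image in place of a real pagefile.sys dump.

```python
# Added example for this thread (not code posted by any participant): a
# grep-style byte-pattern scanner over a pagefile.sys image that reports every
# hit in 4 KiB page coordinates and carves only to the end of the page, since
# neighbouring pages in the pagefile need not have been neighbours in the
# process that owned them. The 'INVC'/'ENDC' record markers and the sample
# image are constructed for illustration; the real invoicing format is unknown.
import re
from dataclasses import dataclass

PAGE_SIZE = 4096  # page granularity on x86 Windows XP; an assumption for this demo


@dataclass
class Hit:
    pattern: str      # name given to the search pattern
    offset: int       # absolute byte offset in the image
    page: int         # index of the 4 KiB page that holds the hit
    page_offset: int  # offset inside that page; data is not page-aligned


def utf16le(text: str) -> bytes:
    """Windows programs often hold strings in memory as UTF-16LE, so an ASCII
    search for a field value (an invoice number, a customer name) can miss it.
    Search both encodings."""
    return text.encode("utf-16-le")


def find_patterns(image: bytes, patterns: dict, page_size: int = PAGE_SIZE):
    """Return every occurrence of each byte pattern, sorted by offset."""
    hits = []
    for name, pat in patterns.items():
        for m in re.finditer(re.escape(pat), image):
            off = m.start()
            hits.append(Hit(name, off, off // page_size, off % page_size))
    return sorted(hits, key=lambda h: h.offset)


def carve_fragment(image: bytes, offset: int, page_size: int = PAGE_SIZE) -> bytes:
    """Carve from a hit to the end of its page and no further: the pagefile
    gives no guarantee that the next page continues the same data, so each
    page is a separate fragment to be matched up by hand afterwards."""
    end = (offset // page_size + 1) * page_size
    return image[offset:end]


def build_sample_image() -> bytes:
    """Constructed 8-page stand-in for a pagefile dump. A record header lands
    on page 2 and its trailer on page 5, with unrelated data in between, and
    a UTF-16 string sits on page 6."""
    img = bytearray(8 * PAGE_SIZE)
    for i in range(0, len(img), 97):  # sparse filler so the image is not all zeros
        img[i] = 0x41 + (i % 26)
    head = b"INVC" + (1042).to_bytes(4, "little") + b"ACME S.p.A.\x00"
    tail = b"TOTAL=1234.50\x00ENDC"
    text = utf16le("Invoice 1042")
    img[2 * PAGE_SIZE + 100:2 * PAGE_SIZE + 100 + len(head)] = head
    img[5 * PAGE_SIZE + 3000:5 * PAGE_SIZE + 3000 + len(tail)] = tail
    img[6 * PAGE_SIZE + 512:6 * PAGE_SIZE + 512 + len(text)] = text
    return bytes(img)


# Search terms: structural markers plus a field value in both encodings.
SEARCH = {
    "header": b"INVC",
    "trailer": b"ENDC",
    "invoice-ascii": b"Invoice 1042",
    "invoice-utf16": utf16le("Invoice 1042"),
}


def scan_sample():
    """Run the search over the constructed image."""
    return find_patterns(build_sample_image(), SEARCH)


if __name__ == "__main__":
    image = build_sample_image()
    for h in scan_sample():
        frag = carve_fragment(image, h.offset)
        print(f"{h.pattern:14s} offset={h.offset:#08x} page={h.page} +{h.page_offset:<5d} "
              f"fragment={len(frag)} bytes, starts {frag[:8]!r}")
```

Against a real dump you would replace `build_sample_image()` with the bytes of the acquired pagefile.sys and put the markers and field values you learned from an intact copy of the format into `SEARCH`. The output makes seanmcl's point concrete: the header and trailer of one record turn up on pages 2 and 5, so even a successful search hands back page-sized fragments that must be reassembled and cross-checked, not a whole file. The UTF-16 search finds the invoice string where the ASCII one does not, which is the usual reason a plain grep over Windows memory artefacts comes back empty.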