Jonathan is right. I do *not* think that's pedantic.
There is massive difference between viewing and opening.
In fact, even if anything was on the screen, did the user see it?
how long was it on the screen?
You know what happens if you ever selected a few files and pressed Enter? Lots of windows pop up and display; some don't even render the contents because the next one comes up so fast. And then the Alt-F4 fest begins.
Also the print example is good too.
Of course there are degrees of certainty. Timeline analysis is good, emails generate read receipts, and there are NTFS traces in the MFT (ObjIDs), ShellBags, and MRU timestamps.
If something is in the pagefile, then you'll have to do more work.
There are tools that re-build memory spaces.
Perhaps the attachment was scanned by the suspect's virus checker. The text also might have been in unallocated space when the page file was created. But I assume, since the suspect admits to possession of the email with the attachment, that you have reason to believe this was not the case.
The metadata which describes the contents of the page file(s) is in main computer memory, which presumably you have thrown away. This limits your ability to make reliable inferences based upon page file contents.
Thanks for all the replies folks, and sorry it's taken me a while to respond.
The fragment of text would, if contained in a document, certainly not amount to more than a single page, so it's not as if the suspect could claim he only read part of the document.
As I understand it, he is positively claiming that he has never seen/opened/been aware of any such document, and suggests that it must have found its way into the paging file by some other mechanism.
As far as other locations are concerned (MRUs, registry entries, etc.), this text doesn't appear anywhere else. On the other hand, there don't appear to be any emails, with or without attachments, on the suspect's hard drive which contain the text.
A couple of other questions need to be asked here.
Did the suspect machine have more than one profile?
If so, any of the users could be responsible for the text fragments, surely.
Is the suspect's profile passworded?
If not, anyone could access the computer and view the file (if indeed it was viewed, before anyone says anything). Realistically, even if it was passworded, anybody else could get into it. We all know how easy that is.
As any defence lawyer would say, "The only time a computer examiner could say a particular user opened and viewed a file is if he was standing behind him/her watching when the deed was done."
Hi all,
My colleague has done a little work on the pagefile.sys which may be useful. It's a good blog; I've found the post regarding Hotmail ReadMessageLight particularly useful. Take a look at http://forensicsfromthesausagefactory.blogspot.com/
Chris.
I agree with everyone concerning the difficulty in establishing what someone 'viewed'. One thing to consider, though, if this is indeed an email attachment: it would be base64-encoded and not in plain text. Unless it were opened, it would not appear as plain text in the pagefile. What process opened it? As a previous poster mentioned, it is possible that an anti-virus program opened it in the process of scanning it.
There was only one profile, not passworded, but only two people, both joint suspects, had access to the computer. It isn't really, on these facts, a case of the suspect(s) claiming that someone else might have opened such an attachment. Rather, they claim that the document was not created on their machine, and if it did somehow get on to the computer, it happened without their knowledge and had not in any event been viewed. I think the "email attachment theory" is just that: a theory or potential explanation.
One thing to keep in mind is that the presence of data in the page file under Windows does not necessarily mean that the data was ever swapped out. If the page file is disabled and then re-enabled, or the size is increased, deleted data present in the area reserved by the swap file isn't cleaned.
To illustrate: on a laptop I own with 4GB RAM, I had swapping disabled for several months. Then I needed to do some VMWare stuff, so I re-enabled swapping (always required by VMWare, but that's another long story) and selected a fixed swap file size. After a few days, I used Scalpel to perform file carving against the Windows swap file (while dual-booted under Linux) and recovered a large deleted PDF file (and other data) that was "jailed" by the creation of the swap file. This file was deleted months earlier, before swapping was re-enabled.
So while it would be very useful to be able to say that presence of data in the swap file at least indicates access, in at least some circumstances all it means is that the data was somewhere on disk in the past (barring malicious tampering with the swap file, which is of course also possible).
Best,
–Golden
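Two points in this thread lend themselves to a concrete check: the earlier remark that an attachment still inside an email sits on disk base64-encoded rather than as plain text, and Golden's point that a string in pagefile.sys may be stale disk content rather than something that was ever paged out. The script below is an added example written for this thread; it is not a tool from any of the posters. It searches a raw image (a pagefile.sys copy, or any carved region) for a text fragment in the three forms it can take on disk: UTF-8, UTF-16LE (how most Windows applications hold text in memory, so the form a rendered document tends to leave behind), and base64 as it appears inside a MIME body, including 76-column line wrapping. Each hit is reported with its 4 KiB page number and in-page offset, which is the granularity at which the pagefile is written and therefore the unit you would try to explain. The image, the fragment "the quick brown fox" and the planted copies are constructed inline for the example; `find_fragment` and `base64_variants` are names chosen here, not from any existing tool.

```python
"""Search a raw pagefile.sys (or any disk image) for a text fragment in the
forms it can take on disk: UTF-8, UTF-16LE and base64 (MIME attachment body).
Added example for this thread, not a tool from the original posts."""
import base64
import re

PAGE = 4096  # x86 Windows page size; pagefile contents are page-granular

# Constructed stand-in for the disputed text fragment (example data only).
FRAGMENT = "the quick brown fox"


def base64_variants(raw: bytes) -> list[bytes]:
    """Return the base64 byte patterns that the substring `raw` produces for
    each of the three possible alignments to a 3-byte boundary.  Characters
    whose six bits straddle unknown neighbouring bytes are dropped, so every
    returned pattern is fully determined by `raw` alone."""
    variants = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + raw)
        start = -(-4 * k // 3)            # ceil(4k/3): first char fully inside raw
        end = 4 * (k + len(raw)) // 3     # floor(4(k+len)/3): one past the last
        variants.append(enc[start:end])
    return variants


def _base64_regex(pat: bytes) -> bytes:
    """MIME wraps base64 at 76 columns, so allow an optional line break
    between any two characters of the pattern."""
    return rb"(?:\r?\n)?".join(re.escape(bytes([c])) for c in pat)


def patterns_for(fragment: str) -> dict[str, list[bytes]]:
    """Regex patterns (bytes) for each on-disk encoding of `fragment`."""
    raw = fragment.encode("utf-8")
    return {
        "utf-8": [re.escape(raw)],
        "utf-16le": [re.escape(fragment.encode("utf-16-le"))],
        "base64": [_base64_regex(v) for v in base64_variants(raw)],
    }


def find_fragment(image: bytes, fragment: str) -> list[dict]:
    """Scan `image` for every encoding of `fragment`; report page-granular hits."""
    seen = set()
    hits = []
    for encoding, regexes in patterns_for(fragment).items():
        for rx in regexes:
            for m in re.finditer(rx, image):
                key = (m.start(), encoding)
                if key in seen:
                    continue
                seen.add(key)
                hits.append({"offset": m.start(), "page": m.start() // PAGE,
                             "in_page": m.start() % PAGE, "encoding": encoding})
    hits.sort(key=lambda h: h["offset"])
    return hits


def build_sample_image() -> bytes:
    """Constructed pagefile-like image: a zero page plus three planted copies
    of FRAGMENT, one per page, in the three encodings discussed above."""
    page0 = b"\x00" * PAGE
    # Page 1: residue of a deleted file in plain UTF-8 (Golden's stale-data case).
    page1 = (b"%PDF-1.4 stream ... " + FRAGMENT.encode() + b" ...").ljust(PAGE, b"\x00")
    # Page 2: UTF-16LE copy, as a viewer that rendered the text would hold it.
    page2 = (b"\x00" * 100 + FRAGMENT.encode("utf-16-le")).ljust(PAGE, b"\x00")
    # Page 3: the fragment inside a base64 MIME attachment body, wrapped at 76.
    body = b"Please find attached the document that we discussed: " + FRAGMENT.encode() + b" end."
    b64 = base64.b64encode(body)
    wrapped = b"\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76)) + b"\r\n"
    mime = (b"Content-Type: application/octet-stream\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n" + wrapped)
    page3 = mime.ljust(PAGE, b"\x00")
    return page0 + page1 + page2 + page3


if __name__ == "__main__":
    for h in find_fragment(build_sample_image(), FRAGMENT):
        print(f"page {h['page']:>4}  +0x{h['in_page']:04x}  {h['encoding']}")
```

A base64-only hit is consistent with the raw message or attachment having been written to disk, but says nothing about rendering; a UTF-16LE or UTF-8 hit means some process held the decoded text, and as the thread notes that process could as easily be an anti-virus scanner or an indexer as a user. None of the three tells you whether the page was ever paged out rather than left over from earlier disk use, which is the limitation Golden describes.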