Windows Vista Pagefile.sys information  

ptyo
(@ptyo)
New Member

I need to know how Windows Vista Home Premium's 64-bit Pagefile.sys is handled on startup and shutdown for a CP case I am working on. I would appreciate it if anyone has a good resource I can view to answer my questions, so if I have to testify in court I am knowledgeable about how the Pagefile.sys is used in Vista.

Thanks,

Pete

Posted : 01/05/2013 7:44 pm
ntexaminer
(@ntexaminer)
Junior Member

Is there something in particular you're interested in? This MS KB article covers clearing the page file at shutdown using the ClearPageFileAtShutdown registry value.

Posted : 01/05/2013 8:43 pm
ptyo
(@ptyo)
New Member

I checked the registry value that the KB article refers to, and the system I'm investigating is not set up to delete the pagefile.sys on shutdown. So I need to find out when the pagefile.sys is created, so to speak.

Thanks,

Pete

Posted : 01/05/2013 8:57 pm
ptyo
(@ptyo)
New Member

Some more information. I know the Operating System was installed back in 2008. EnCase is telling me the Pagefile.sys was created in late 2012. I'm just trying to figure out why the pagefile was destroyed and then recreated in 2012, in case I'm asked in court.

Posted : 01/05/2013 9:01 pm
keydet89
(@keydet89)
Community Legend

Have you tried creating a timeline of system activity? Timelines provide context and granularity… there may be a very good reason for what you're seeing.

Your assumptions here may be in asking how the OS "deals" with the pagefile, as well as that the pagefile was "destroyed" and then recreated at some point in 2012. This may not be the case at all. For example, the pagefile size may have been adjusted:
http://wiki.pcworld.com/index.php/Increasing_Page_File_Size_-_Windows_XP_and_Windows_Vista

I'd be sure to include Windows Event Logs, etc., in the timeline.

Posted : 01/05/2013 9:14 pm
ntexaminer
(@ntexaminer)
Junior Member

Some more information. I know the Operating System was installed back in 2008. EnCase is telling me the Pagefile.sys was created in late 2012. I'm just trying to figure out why the pagefile was destroyed and then recreated in 2012, in case I'm asked in court.

What are you basing the OS install date on? Could the OS have been upgraded (e.g. Home Premium to Ultimate)? This may cause the pagefile to be recreated. If that were the case, you could see if the InstallDate registry value data is around the same time as the creation date of the pagefile.

Posted : 01/05/2013 10:13 pm
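The two registry checks suggested in this thread (ClearPageFileAtShutdown, which says whether the pagefile is zeroed at shutdown, and InstallDate, which can be compared with the pagefile's creation time) can be done against an offline image without booting it. The PowerShell below is an added example and is not code from any poster; it assumes the evidence image is mounted read-only at a placeholder path, an elevated prompt, and PowerShell 5 or later. The key and value names are the standard Windows locations; the PagingFiles value is included because a resize or path change there is one benign reason for a pagefile to be recreated.

```powershell
# Added example: read pagefile-related registry values from an OFFLINE image's
# SYSTEM and SOFTWARE hives and compare InstallDate with pagefile.sys creation.
# Placeholders: the E:\Evidence\Mounted paths stand for your mounted image.
$EvidenceWindows = 'E:\Evidence\Mounted\Windows'       # placeholder path
$PagefilePath    = 'E:\Evidence\Mounted\pagefile.sys'  # placeholder path

# Mount the hives under temporary keys with the built-in reg.exe (needs admin).
reg.exe load 'HKLM\EvSYSTEM'   (Join-Path $EvidenceWindows 'System32\config\SYSTEM')   | Out-Null
reg.exe load 'HKLM\EvSOFTWARE' (Join-Path $EvidenceWindows 'System32\config\SOFTWARE') | Out-Null

try {
    # An offline hive has no CurrentControlSet link; the Select key records
    # which ControlSetNNN was current at the last shutdown.
    $current = (Get-ItemProperty -Path 'HKLM:\EvSYSTEM\Select').Current
    $mmKey   = 'HKLM:\EvSYSTEM\ControlSet{0:D3}\Control\Session Manager\Memory Management' -f $current
    $mm      = Get-ItemProperty -Path $mmKey

    # ClearPageFileAtShutdown (REG_DWORD): 1 = overwrite the pagefile with zeros
    # at shutdown; 0 or absent = contents are left in place (the default).
    $clear = if ($null -eq $mm.ClearPageFileAtShutdown) { 'absent (default 0)' } else { $mm.ClearPageFileAtShutdown }

    # PagingFiles (REG_MULTI_SZ): one entry per configured pagefile, in the form
    # "<path> <initial MB> <maximum MB>"; "0 0" means system-managed size.
    $paging = $mm.PagingFiles -join '; '

    # InstallDate (REG_DWORD) is seconds since 1970-01-01 UTC.
    $installRaw  = (Get-ItemProperty -Path 'HKLM:\EvSOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallDate
    $installDate = [DateTimeOffset]::FromUnixTimeSeconds([int64]$installRaw).UtcDateTime

    # Creation time as seen through the mount (-Force because the file is
    # hidden/system). Confirm it against $STANDARD_INFORMATION and $FILE_NAME
    # in your forensic tool before relying on it.
    $pfCreated = (Get-Item -LiteralPath $PagefilePath -Force).CreationTimeUtc

    [pscustomobject]@{
        ControlSet              = $current
        ClearPageFileAtShutdown = $clear
        PagingFiles             = $paging
        InstallDateUtc          = $installDate
        PagefileCreatedUtc      = $pfCreated
        DaysBetween             = [math]::Round(($pfCreated - $installDate).TotalDays, 1)
    }
}
finally {
    # Release the registry provider's handles first, or reg.exe unload fails.
    [gc]::Collect()
    reg.exe unload 'HKLM\EvSYSTEM'   | Out-Null
    reg.exe unload 'HKLM\EvSOFTWARE' | Out-Null
}
```

If InstallDate is years earlier than the pagefile creation time, the PagingFiles entry and the OS-upgrade possibility raised above are the first things to rule out; an in-place upgrade can also reset InstallDate itself, so the two timestamps being close together supports that explanation rather than proving it.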
twjolson
(@twjolson)
Active Member

I guess the question I have is what are you trying to prove?

I assume that you found contraband images within the pagefile; how it was created really doesn't matter in that case. I think the more important point would be how the pagefile works, as that speaks to how the data got there.

My point is this: even if you ran some tests and found out how the pagefile is created (more exactly, how the create timestamp was updated), can you honestly say those are the only ways? Unless you did the coding, you couldn't.

My two cents.

Posted : 01/05/2013 10:27 pm
ptyo
(@ptyo)
New Member

I assume that you found contraband images within the pagefile; how it was created really doesn't matter in that case. I think the more important point would be how the pagefile works, as that speaks to how the data got there.

Yes, I found thousands of contraband images in the pagefile.sys. So does anybody have any advice on how I can explain to the DA or a jury, in terms they would understand, how the Pagefile.sys works?

Also, I'm under the impression that since I don't have a live capture of the actual physical RAM there is no way for me to back-trace where a picture came from, like what website, etc.

Thanks,

Pete

Posted : 10/05/2013 9:47 pm
BitHead
(@bithead)
Community Legend

So does anybody have any advice on how I can explain to the DA or a jury, in terms they would understand, how the Pagefile.sys works?

Since Windows 95, Windows-based operating systems have used a special file that acts as a sort of "scratch pad" to store modified pages that are still in use by some process. Page file space is reserved when the pages are initially committed, however the page file locations are not chosen until the page is written to disk. So, in simplistic terms, the page file is used by Windows to hold temporary data which is swapped in and out of physical memory in order to provide a larger virtual memory set.
Technet

The page file, also known as the swap file, pagefile, or paging file, is a file on your hard drive Windows uses to store data that can’t be held by your computer’s random-access memory when it fills up.

Your computer stores files, programs, and other data you’re using in your RAM (random access memory) because it’s much faster to read from RAM than it is to read from a hard drive. For example, when you open Firefox, Firefox’s program files are read from your hard drive and placed into your RAM. The computer uses the copies in RAM rather than repeatedly reading the same files from your hard drive.

Programs store the data they’re working with here. When you view a web page, the web page is downloaded and stored in your RAM. When you watch a YouTube video, the video is held in your RAM.

When your RAM becomes full, Windows moves some of the data from your RAM back to your hard drive, placing it in the page file. This file is a form of virtual memory. While writing this data to your hard disk and reading it back later is much slower than using RAM, it’s back-up memory – rather than throwing potentially important data away or having programs crash, the data is stored on your hard drive.

Windows will try to move data you aren’t using to the page file. For example, if you’ve had a program minimized for a long time and it isn’t doing anything, its data may be moved to RAM. If you maximize the program later and notice that it takes a while to come back instead of instantly snapping to life, it’s being swapped back in from your page file. You’ll see your computer’s hard disk light blinking as this happens.
How-To-Geek

Posted : 11/05/2013 1:45 am
TuckerHST
(@tuckerhst)
Active Member

I found thousands of contraband images in the pagefile.sys. So does anybody have any advice on how I can explain to the DA or a jury, in terms they would understand, how the Pagefile.sys works?

Pete, just curious was this the only evidence of contraband images? Or is it merely supporting other more conclusive evidence within the file system? The reason I ask is that, lacking date/time metadata, it might be awfully difficult to place the suspect "behind the keyboard" beyond a reasonable doubt. If you already have strong evidence for specific files, then you might downplay the Pagefile.sys evidence or omit it entirely, because it might actually create more questions than it resolves, and the jury (or Judge) may become fixated on that.

It would be awesome to get an epilog so we know how things turned out.

Posted : 11/05/2013 3:50 am
ptyo
(@ptyo)
New Member

TuckerHST, no, this is not the only evidence of contraband images. Let me give you a little bit of history on what I'm working on without going into too many details. We conducted a compliance check on our s*x offenders. This one was found to have what appeared to be child pornography. He was charged and arrested. I have him recorded talking to other persons admitting what he was doing and numerous times saying he was guilty of looking at these sites.

I'm new to the forensic world, so to speak. Here is what I have found. The only evidence I gave to the DA was the pagefile.sys carved images, since I thought it would be easier for the jury or DA to understand that, since the data was in the pagefile.sys, someone was actively viewing Lolita-type sites. The phone conversations I hope will put the suspect in front of the computer, since he admitted surfing those sites.

I found images in the unallocated space as well. I am under the impression that since it's in the unallocated space there is no metadata that would contain the date/time viewed, etc. I was able to use IEF (Internet Evidence Finder) and it revealed that IE private browsing was used to surf tons of pornographic websites. The only thing about this that struck me as odd is that in the unallocated pictures the only ones I saw were from the Firefox cache, not Internet Explorer, unless I just overlooked them. IEF parsed queries show searches for all kinds of sexually related things. It also found two .flv files of online adult camera footage, not of children.

I've got to say, however, some of the searches did give dates, which still confuses me. The dates according to IEF were in 2009 and the location was the pagefile.sys, which according to EnCase was created in 2012, so I'm a little confused about that. Hence I'm trying to find as much information as possible on the pagefile.sys. My hope is that if the person doesn't take a plea deal and this goes to trial, his multiple admissions of guilt, him already being a s*x offender with child molestation charges, and the pictures from the pagefile.sys are worth a million words, I think.

I will be more than happy to try and keep you all posted as this case moves forward. With that being said, like most other departments, due to budget constraints I can't go to any type of forensic classes, so I'm learning on my own. This website has been a tremendous help to me. Well, I hope that kind of sums up everything for you. If you've got suggestions or advice, send them my way; I need all the help I can get.

Thanks,

Pete

Posted : 12/05/2013 8:53 pm
TuckerHST
(@tuckerhst)
Active Member

Pete, given that this is a compliance issue of a previously convicted s*x offender, the phone conversations will probably be enough to get a plea deal. If it was a new case, I would be concerned that data carved from pagefile.sys might not be sufficient, lacking temporal data.

If there is evidence of software like CCleaner being installed, you might also want to assert that the computer was likely wiped (otherwise, why no deleted contraband files, or other relevant evidence in unallocated space?). Also, you might want to check this thread: http://www.forensicfocus.com/Forums/viewtopic/t=10560/ which may strengthen your argument that contraband was downloaded and viewed, even though the original files are no longer available in the file system.

Actually, reviewing MRU lists and LNK files would come before the $LogFile and $UsnJrnl, but you've probably already done that.

Thanks for sharing this case with us.

Posted : 14/05/2013 12:12 am
jaclaz
(@jaclaz)
Community Legend

If there is evidence of software like CCleaner being installed, you might also want to assert that the computer was likely wiped (otherwise, why no deleted contraband files, or other relevant evidence in unallocated space?).

Or, more simply, correctly maintained:
http://www.forensicfocus.com/Forums/viewtopic/t=5410/

Please also remember - generally speaking - that you have to place the suspect before the keyboard and screen, see:
http://www.forensicfocus.com/Forums/viewtopic/t=9275
http://www.forensicfocus.com/Forums/viewtopic/p=6559899/#6559899

jaclaz

Posted : 14/05/2013 1:45 am
ptyo
(@ptyo)
New Member

Update. Trial is coming up and I'm doing more work on this case again. The individual was indicted on 20 counts of Sexual Exploitation of Children. So, my issue. I just went through my first actual forensics class a few weeks back. I got with the DA and reprocessed to see if I could get more supporting evidence for the charges.

So what are my concerns? First, I have never actually had to testify on the stand, since most stuff is just probation violations they settle. So yes, I am a little nervous; I don't want to mess this up. I could use all the help I can get to prepare me for court. So here are the tools I have available to use: EnCase 6 and 7, FTK 4 and 5, and I also have a trial of IEF 6. IEF 6 found tons of pornographic websites with titles Lolita's, Illegal Child Porn, etc. I have numerous volume shadow copies with the pagefile.sys and registry keys, etc. I exported a few of the pagefile.sys and ran IEF 6 on them and, lo and behold, porn everywhere. Yet no cookies, index.dat, .lnk files, etc.

So based on the pagefile.sys, can I show "constructive possession", which in my case is defined as "Constructive possession of contraband exists where a person, though not in actual possession, knowingly has both the power and the intention at a given time to exercise dominion or control over a thing," and also, "Both knowledge and possession may be proved, like any other fact, by circumstantial evidence"?

The computer evidence isn't the only thing we have to prosecute on; we have audio too, with a wealth of information as well. As if that all isn't confusing enough, I will be sitting down with the ADA in a couple of weeks to prep for trial. What kind of questions should I have her ask that support our case? I have about a week to get a supplemental report to her. Any advice or suggestions would be greatly appreciated. Please bear with me; I am very new to forensics and have a real generic grasp on everything. Something that may be obvious to a seasoned examiner may not be obvious to me. I did try to find information in IntelliForms, but once I cracked the user's password in PRTK and then pasted the ntuser.dat file in, it said no passwords found. There are no TypedURLs or search strings either.

Posted : 06/09/2013 8:17 pm
Bulldawg
(@bulldawg)
Active Member

I'm going to let those who are more experienced with criminal matters give advice on testifying, but I do see a few questions you should know the answer to before heading to trial:

1) Does all your evidence come from pagefile.sys files? If that's all you have, then this might be ripe for a malware defense. It sounds like you don't have anything that places the suspect behind the keyboard while these artifacts were placed on the computer. Not that this person didn't do it, but that's one way the defense attorney could explain away the images in pagefile.sys. Be prepared for this. Look for malware that could have done this so you can say you looked and found none. This probably requires more than a virus scan of the image. If it's possible malware could still be there, load the image up in a VM and see what happens with Wireshark.

2) Maybe don't mention the trial version of IEF anywhere. A defense attorney might jump on that and make a big deal of it. IEF does a good job of pointing out where, exactly, the data was found in the file you fed it. Take that information and go back to EnCase or FTK and verify what IEF is telling you. Put that in the report, not the IEF information. Don't lie about it, just don't volunteer information that could be used to impeach your credibility.

3) The constructive possession question is best answered by an attorney. The defense could argue malware did it. See #1.

4) Has the defense hired a digital forensics expert? If so, what is he expected to say at trial? You can prepare the DA for cross examination by providing him questions for the defense expert.

5) Did you check for artifacts from other browsers? The artifacts you mentioned are all from IE. What about a portable browser on a thumb drive or TrueCrypt volume? You'll have a lot stronger case from the digital evidence if you can find something like browser history that places a person behind the keyboard.

6) Did you feed IEF the entire image file, or just the pagefile.sys? IEF is pretty good at extracting results from unallocated space. If IEF found nothing else, I'd spend some time figuring out exactly how these pictures made it into the pagefile. You're going to have to explain why there are no browser artifacts to accompany the pictures in the pagefile.

Posted : 06/09/2013 9:41 pm