Text found in pagefile.sys


chrisvaughanuk
Member
 

Re: Text found in pagefile.sys

Posted: Jun 06, 08 12:23

Hi all,

My colleague has done a little work on the pagefile.sys which may be useful. It's a good blog; I've found the post regarding Hotmail ReadMessageLight particularly useful. Take a look at forensicsfromthesausag...gspot.com/

Chris.  

Last edited by chrisvaughanuk on Jun 06, 08 21:33; edited 1 time in total
 
  

gmarshall139
Senior Member
 

Re: Text found in pagefile.sys

Posted: Jun 06, 08 17:30

I agree with everyone concerning the difficulty in establishing what someone 'viewed'. One thing to consider, though: if this is indeed an email attachment, it would be base64 encoded and not in plain text. Unless it were opened, it would not appear as plain text in the pagefile. What process opened it? As a previous poster mentioned, it is possible that an anti-virus program opened it in the process of scanning it.
_________________
Greg Marshall, EnCE 
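To make the base64 point above concrete, here is an added example that is not part of the thread: a keyword search that looks for a string both as plain text and in each of its three base64 alignments, so a still-encoded MIME attachment in a pagefile can be found even when a plain-text search returns nothing. The pagefile fragment, the attachment text and the keyword are constructed for the demonstration.

```python
import base64
import re

# Leading encoded characters that depend on bytes *before* the needle when the
# needle starts 0, 1 or 2 bytes into a 3-byte base64 group.
_LEADING_DROP = {0: 0, 1: 2, 2: 3}

def base64_variants(needle: bytes) -> list[bytes]:
    """Return the three base64 alignments of `needle`.
    Base64 maps 3 bytes to 4 characters, so a substring encodes differently
    depending on where it starts relative to a group boundary. Each variant is
    built by zero-padding, encoding, and keeping only the characters that are
    fully determined by the needle itself.
    """
    variants = []
    for pad in range(3):
        total = pad + len(needle)
        enc = base64.b64encode(b"\x00" * pad + needle)
        keep = 4 * (total // 3) + total % 3   # chars fixed by the final group
        variants.append(enc[_LEADING_DROP[pad]:keep])
    return variants

def find_plain_and_base64(haystack: bytes, needle: bytes) -> dict[str, list]:
    """Locate `needle` as plain text and inside base64 (e.g. a MIME part).
    MIME wraps base64 bodies at 76 columns, so CR/LF are removed before the
    base64 search and hit offsets are mapped back to the original buffer.
    """
    plain = [m.start() for m in re.finditer(re.escape(needle), haystack)]
    keep = [i for i, b in enumerate(haystack) if b not in (0x0D, 0x0A)]
    stripped = bytes(haystack[i] for i in keep)
    encoded = []
    for align, variant in enumerate(base64_variants(needle)):
        for m in re.finditer(re.escape(variant), stripped):
            encoded.append((keep[m.start()], align))   # (offset, start mod 3)
    return {"plain": plain, "base64": sorted(encoded)}

# Constructed sample: a pagefile fragment holding the MIME part of an unopened
# attachment (base64, wrapped at 76 columns) between unrelated bytes.
ATTACHMENT_TEXT = (b"Confidential memo: the Sterling account transfer is approved "
                   b"by the finance committee on Friday.")
_b64 = base64.b64encode(ATTACHMENT_TEXT)
MIME_BODY = b"\r\n".join(_b64[i:i + 76] for i in range(0, len(_b64), 76))
SAMPLE_PAGEFILE = (b"\x00" * 64 + b"Content-Transfer-Encoding: base64\r\n\r\n"
                   + MIME_BODY + b"\r\n" + b"\xff" * 32)

if __name__ == "__main__":
    # Plain-text search finds nothing; the base64 search hits the attachment
    # even though the match straddles a wrapped line.
    print(find_plain_and_base64(SAMPLE_PAGEFILE, b"approved by"))
```

A hit on an encoded alignment only shows the attachment's bytes were on disk in that form; as the thread notes, it says nothing by itself about which process decoded or displayed them.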
 
  

busby
Newbie
 

Re: Text found in pagefile.sys

Posted: Jun 06, 08 18:46

- mark777
A couple of other questions need to be asked here:

Did the suspect machine have more than one profile?

If so, any of the users could be responsible for the text fragments, surely.

Is the suspect's profile passworded?

If not, anyone could access the computer and view the file (if indeed it was viewed, before anyone says anything). Realistically, even if it was passworded, anybody else could get into it. We all know how easy that is.

As any defence lawyer would say, "The only time a computer examiner could say a particular user opened and viewed a file is if he was stood behind him/her watching when the deed was done."



There was only one profile, not passworded, but only two people, both joint suspects, had access to the computer. It isn't really, on these facts, a case of the suspect(s) claiming that someone else might have opened such an attachment. Rather, they claim that the document was not created on their machine, and if it did somehow get on to the computer, it happened without their knowledge, and had not in any event been viewed. I think the "email attachment theory" is just that: a theory or potential explanation.
 
  

goldenrichard
Newbie
 

Re: Text found in pagefile.sys

Posted: Jun 13, 08 03:10

One thing to keep in mind is that the presence of data in the page file under Windows does not necessarily mean that the data was ever swapped out. If the page file is disabled and then re-enabled, or the size is increased, deleted data present in the area reserved by the swap file isn't cleaned.

To illustrate: on a laptop I own w/ 4GB RAM, I had swapping disabled for several months. Then I needed to do some VMWare stuff, so I re-enabled swapping (always required by VMWare, but that's another long story) and selected a fixed swap file size. After a few days, I used Scalpel to perform file carving against the Windows swap file (while dual-booted under Linux) and recovered a large deleted PDF file (and other data) that was "jailed" by the creation of the swap file. This file was deleted months earlier, before swapping was re-enabled.

So while it would be very useful to be able to say that presence of data in the swap file at least indicates access, in at least some circumstances all it means is that the data was somewhere on disk in the past (barring malicious tampering with the swap file, which is of course also possible).

Best,

--Golden  
 
