Text found in pagefile.sys

18 Posts
10 Users
0 Likes
1,121 Views
(@busby)
Posts: 6
Active Member
Topic starter
 

Here's the scenario
Suspect's machine running XP Pro and using Outlook Express with preview pane option on.

FTK has pulled out some significant text from pagefile.sys. Suspect says he has never seen it, but it may have been contained in an email attachment which he received but has never opened/viewed.

Does the presence of that text in the pagefile prove that the text has been viewed, or the attachment opened, or could it have resulted from the attachment having been loaded into the ..\Local Settings\Temp directory of the active user account as he scrolled through his emails?

Any suggestions gratefully received!

 
Posted : 21/05/2008 5:38 pm
(@jonathan)
Posts: 878
Prominent Member
 

In general, it's difficult to say authoritatively that anything has been viewed on a computer. You can show that a file has been accessed by a user or by the default behaviour of a process or application, but not that it was actually viewed/seen by someone. Furthermore, if you, for example, received an email with a 10 page Word attachment – it could be shown that this Word document had been saved at a certain location by a particular user but it couldn't be shown that he'd scrolled down and seen page 8 of the document, which may contain a diagram or whatever which is crucial to the case.

I think in your situation, if there are no other pointers near your artefact in the pagefile or even elsewhere on the system then all you can credibly say about it is that, at some time, it was present on your suspect's hard drive.

 
Posted : 21/05/2008 8:38 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Does the presence of that text in the pagefile prove that the text has been viewed, or the attachment opened, or could it have resulted from the attachment having been loaded into the ..\Local Settings\Temp directory of the active user account as he scrolled through his emails?

No. But Registry analysis might. I've used Registry analysis several times to locate indications of users actually viewing documents.

 
Posted : 21/05/2008 9:52 pm
(@jonathan)
Posts: 878
Prominent Member
 

Does the presence of that text in the pagefile prove that the text has been viewed, or the attachment opened, or could it have resulted from the attachment having been loaded into the ..\Local Settings\Temp directory of the active user account as he scrolled through his emails?

No. But Registry analysis might. I've used Registry analysis several times to locate indications of users actually viewing documents.

How can the registry show that a user actually viewed something as opposed to just opening it? In the OP's scenario he mentions finding a fragment of text in the pagefile and no associated meta-data…how would registry analysis help here to show that a user had seen the fragment of text in question? I'd be interested in finding out.

 
Posted : 21/05/2008 10:46 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

How can the registry show that a user actually viewed something as opposed to just opening it? In the OP's scenario he mentions finding a fragment of text in the pagefile and no associated meta-data…how would registry analysis help here to show that a user had seen the fragment of text in question? I'd be interested in finding out.

Take the sample text from the pagefile and do a search of the hard drive. If the sample appears in a document on the hard drive, use a tool like RegRipper to determine if the document was viewed by a particular user. If the text appears in a cached web page…well…

HTH

 
Posted : 22/05/2008 12:30 am
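The first step keydet89 describes above, searching the drive for the fragment, is worth doing with more than one encoding in mind. The script below is an added example written for this thread, not code from any poster or from RegRipper. It takes a fragment (here a constructed sample, `FRAGMENT`) and walks a directory tree such as a mounted image, reporting every file that holds the same text as UTF-8/ASCII or as UTF-16LE, which is how an XP-era application such as Word or Outlook Express would often hold the text in memory before it was paged out. The sample profile tree it builds is also constructed. A hit only shows where else the fragment lives on disk; whether anyone opened or viewed that file is a separate question for other artefacts.

```python
"""Locate a text fragment recovered from pagefile.sys elsewhere on disk.

Walk a directory tree and report every file containing the fragment in
UTF-8/ASCII or UTF-16LE form. Reads files in windows so large files are
not loaded whole, and overlaps the windows so a match spanning a boundary
is still found.
"""
import os
import tempfile
from pathlib import Path

# Encodings tried for each file. Text that a carving tool shows as plain
# ASCII may have been paged out as UTF-16LE by a Windows GUI application.
ENCODINGS = ("utf-8", "utf-16-le")
DEFAULT_CHUNK = 1 << 20  # 1 MiB read window

# Constructed sample fragment standing in for the text found in the pagefile.
FRAGMENT = "meeting moved to Thursday"


def encode_fragment(fragment):
    """Return {encoding: needle bytes} for every encoding we search for."""
    return {enc: fragment.encode(enc) for enc in ENCODINGS}


def find_in_file(path, needles, chunk_size=DEFAULT_CHUNK):
    """Return [(encoding, byte offset)] for each occurrence of any needle.

    Successive windows overlap by (longest needle - 1) bytes so a match that
    straddles a boundary is found; a match that ends inside the carried-over
    tail was already reported from the previous window and is skipped.
    """
    hits = []
    overlap = max(len(n) for n in needles.values()) - 1
    carry = b""   # tail of the previous window
    pos = 0       # absolute offset of the next byte to read
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = carry + chunk
            base = pos - len(carry)  # absolute offset of buf[0]
            for enc, needle in needles.items():
                i = buf.find(needle)
                while i >= 0:
                    if i + len(needle) > len(carry):  # not already reported
                        hits.append((enc, base + i))
                    i = buf.find(needle, i + 1)
            pos += len(chunk)
            carry = buf[-overlap:] if overlap else b""
    return sorted(hits, key=lambda h: h[1])


def search_tree(root, fragment, chunk_size=DEFAULT_CHUNK):
    """Walk root and return [(relative path, encoding, offset)] for all hits."""
    root = Path(root)
    needles = encode_fragment(fragment)
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                for enc, off in find_in_file(path, needles, chunk_size):
                    results.append((path.relative_to(root).as_posix(), enc, off))
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return sorted(results)


def build_sample_tree(root):
    """Write a constructed stand-in for part of an XP user profile under root."""
    root = Path(root)
    temp = root / "Local Settings" / "Temp"
    docs = root / "My Documents"
    temp.mkdir(parents=True)
    docs.mkdir(parents=True)
    # A plain-text attachment dropped by the mail client (UTF-8).
    (temp / "att0001.txt").write_bytes(b"Note: " + FRAGMENT.encode("utf-8") + b"\r\n")
    # A fake compound-document signature followed by UTF-16LE body text.
    (docs / "report.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 8
                                      + FRAGMENT.encode("utf-16-le"))
    (docs / "unrelated.txt").write_bytes(b"nothing of interest here\r\n")
    return root


def demo(fragment=FRAGMENT, chunk_size=DEFAULT_CHUNK):
    """Build the sample tree in a temp dir and return the hits for fragment."""
    with tempfile.TemporaryDirectory() as tmp:
        return search_tree(build_sample_tree(tmp), fragment, chunk_size)


if __name__ == "__main__":
    for rel, enc, off in demo():
        print(f"{rel}: {enc} at offset {off}")
```

Run against a real tree, `search_tree("/mnt/image/Documents and Settings/user", fragment)` lists each file, the encoding that matched and the byte offset, which is what you would then take to the Registry (file MRUs and the like) to see whether and by whom that file was opened.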
(@jonathan)
Posts: 878
Prominent Member
 

Take the sample text from the pagefile and do a search of the hard drive. If the sample appears in a document on the hard drive, use a tool like RegRipper to determine if the document was viewed by a particular user. If the text appears in a cached web page…well…

HTH

Sure, but I presume that the OP found it in pagefile only via the FTK text search function and they found it only there otherwise they would have mentioned it? Perhaps they can provide more details.

By the way, you don't seem to differentiate between 'viewing' something and 'opening' or accessing it. Any reason for that? I think the terminology used to describe a user's actions is pretty important.

 
Posted : 22/05/2008 1:22 am
(@chrisvaughanuk)
Posts: 5
Active Member
 

Agreed. The registry artefacts that were mentioned must surely only show access rather than viewing. It's pedantic but you have to be in this game!

 
Posted : 22/05/2008 2:18 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Sure, but I presume that the OP found it in pagefile only via the FTK text search function and they found it only there otherwise they would have mentioned it? Perhaps they can provide more details.

The OP didn't say one way or another. I offered to help.

By the way, you don't seem to differentiate between 'viewing' something and 'opening' or accessing it. Any reason for that? I think the terminology used to describe a user's actions is pretty important.

I don't see the distinction. Sorry.

 
Posted : 22/05/2008 4:23 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Agreed. The registry artefacts that were mentioned must surely only show access rather than viewing. It's pedantic but you have to be in this game!

How so? Since I never mentioned specific keys?

If the entry appears in a file MRU for Word, or any other GUI application, then it would stand to reason that the user opened the file in some manner and it appeared on the screen. If the access was a result of, say, a Search MRU entry, then I wouldn't suggest that would be an indication of viewing the file, no.

 
Posted : 22/05/2008 4:27 am
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

If I understand Jonathan's point correctly, he's saying that just because someone opened a 20 page document doesn't mean that they viewed the text on page 19 of the document.

If I select 10 Word documents in Explorer, select Print from the menu, and walk away from the system, all those files will open, print, and close and I didn't "view" any of them.

-David

 
Posted : 22/05/2008 4:59 am
Page 1 / 2