SecureArtisan

My Road to Digital Forensics Excellence

Pagefile and Physical Memory Gotcha’s

Posted by Paul Bobby on December 18, 2008

I noticed the following two items concerning the pagefile and physical memory. I built a laptop with 32-bit Vista on a hard drive that had not been wiped (in fact it had previously run Vista and been used for EnCase testing).

1. When the pagefile is created during the installation of the OS, the file is not initialized in any way, nor is it a sparse file. The full file size is allocated, making use of contiguous space; however, as you may have guessed, the data in the pagefile is whatever was on the hard drive to begin with. This is gotcha #1.

2. When a computer boots up, physical memory has to be initialized. The OS does not do this cleanly by, say, writing 0's to all memory locations. Instead, all memory is initialized with the contents of the pagefile, and then the RAM is taken up by running processes. This is gotcha #2.

Scenario:

1. Alice does something super-secret on a laptop running Vista.
2. Alice deletes the super-secret stuff from the hard drive (not a wipe, just a n00b delete).
3. Bob rebuilds her laptop with Vista and reassigns it to a new employee, Carol.
4. Carol does something that requires an ethics investigation.
5. Gary connects to the laptop with EnCase Enterprise and:
    - captures physical RAM
    - acquires an image of the drive
6. Gary discovers super-secret stuff in RAM.
7. Gary discovers super-secret stuff in the pagefile.
8. Gary incorrectly assumes that Carol is responsible for the super-secret stuff found on the computer.

Summary:
1. The pagefile could contain whatever was on the hard drive until the OS has fully utilized the virtual memory.
2. The physical RAM is initialized using the contents of the pagefile.
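A quick way to test gotcha #1 on an acquired pagefile image is to walk it page by page and measure how much of it is zero-filled versus leftover readable or binary data; a freshly created pagefile that is mostly non-zero is carrying residue from whatever occupied those sectors before. The script below is an added example (not part of the original post and not EnCase functionality) and runs against a constructed in-memory sample; feed `classify_blocks` the bytes of a real pagefile.sys image to use it.

```python
import math
import random
from collections import Counter

BLOCK = 4096  # page-sized blocks, the unit the pagefile itself is managed in

def block_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for all-identical bytes, up to 8.0."""
    if not data:
        return 0.0
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify_blocks(image: bytes, block_size: int = BLOCK):
    """Walk a raw pagefile image block by block and label every block.
    'zero'   : all 0x00, what a cleanly initialised page would look like
    'text'   : mostly printable ASCII, readable residue worth a closer look
    'binary' : anything else (compressed or encrypted data, code, real paging activity)
    Returns a list of (offset, label, entropy) tuples.
    """
    results = []
    for off in range(0, len(image), block_size):
        blk = image[off:off + block_size]
        if not blk.strip(b"\x00"):
            label = "zero"
        else:
            printable = sum(1 for b in blk if 32 <= b < 127 or b in (9, 10, 13))
            label = "text" if printable / len(blk) > 0.9 else "binary"
        results.append((off, label, round(block_entropy(blk), 2)))
    return results

def residue_summary(image: bytes, block_size: int = BLOCK) -> dict:
    """Blocks per label; a freshly created pagefile with many non-zero blocks is gotcha #1."""
    summary = {"zero": 0, "text": 0, "binary": 0}
    for _, label, _ in classify_blocks(image, block_size):
        summary[label] += 1
    return summary

# Constructed sample (not a real pagefile): two zeroed pages, one page of leftover
# document text from an earlier install, one page of pseudo-random binary data.
_rng = random.Random(1)
SAMPLE_IMAGE = (
    b"\x00" * BLOCK * 2
    + b"Project Falcon - CONFIDENTIAL draft, do not distribute. ".ljust(BLOCK, b" ")
    + bytes(_rng.getrandbits(8) for _ in range(BLOCK))
)

if __name__ == "__main__":
    for off, label, ent in classify_blocks(SAMPLE_IMAGE):
        print(f"offset 0x{off:08x}: {label:6s} entropy={ent}")
    print(residue_summary(SAMPLE_IMAGE))
```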

Anyone confirm?


2 Responses to “Pagefile and Physical Memory Gotcha’s”

  1. Andrew Medico said

    #2 does not really make sense:
    * There is no need to initialize the contents of RAM on boot. Memory allocated to a process does, however, need to be cleaned before that process reads from it (e.g. to prevent user A’s processes from seeing passwords left in memory by user B’s processes).
    * There may be no pagefile, or the page file may be smaller than the system’s RAM.

  2. Paul Bobby said

    I agree there is no real need – although at the electronic level, who knows what goes on. Based on memory acquisitions right after a cold reboot into a forensic CD, the memory that was acquired contained data from the previous Windows session.

    I had to conclude that that data came from the pagefile – or from elsewhere on the hard drive; there is no other way it got into the RAM, because I was booted into a Linux CD and the machine was powered off for 5 minutes.
