SecureArtisan

My Road to Digital Forensics Excellence

Archive for the ‘Memory’ Category

Pagefile and Physical Memory Gotchas

Posted by Paul Bobby on December 18, 2008

I noticed the following two items concerning the pagefile and physical memory. I built a laptop with 32-bit Vista on a hard drive that had not been wiped (in fact it had previously been used as a Vista box for EnCase testing).

1. When the pagefile is created during installation of the OS, the file is not initialized in any way, nor is it a sparse file. The full file size is allocated, making use of contiguous space; however, as you may have guessed, the data in the pagefile is whatever was on the hard drive to begin with. This is gotcha #1.

2. When a computer boots up, physical memory has to be initialized. The OS does not do this cleanly by, say, writing zeros to all memory locations. Instead, all memory is initialized with the contents of the pagefile, and then the RAM is taken up by running processes. This is gotcha #2.

Scenario:

1. Alice does something super-secret on a laptop running Vista.
2. Alice deletes the super-secret stuff from the hard drive (but not a wipe, just a n00b delete)
3. Bob rebuilds her laptop with Vista and reassigns it to a new employee, Carol.
4. Carol does something that requires an ethics investigation.
5. Gary connects to the laptop with EnCase Enterprise and:
    Captures physical RAM
    Acquires an image of the drive
6. Gary discovers super secret stuff in RAM
7. Gary discovers super secret stuff in the pagefile
8. Gary incorrectly assumes that Carol is responsible for the super secret stuff found on the computer.

Summary:
1. The pagefile can contain whatever was on the hard drive until the OS has fully utilized the virtual memory.
2. The physical RAM is initialized using the contents of the pagefile.

Anyone confirm?


Posted in Memory | 2 Comments »

Calculating System RAM

Posted by Paul Bobby on November 4, 2008

How can one determine system RAM from a dead-box analysis?

The only registry hive that would make sense to me is HKLM, and then the Hardware subkey (with all its values).

The HARDWARE key is only stored in volatile RAM, not as a file on your hard drive; it is populated with data from the boot process. So for a dead-box analysis, you won't be able to get any information from this.

The only key I found that may be of use is

HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\System Resources

There are three keys under here: Loader Reserved, Physical Memory and Reserved; each one has a value of type REG_RESOURCE_LIST.

That’s as much as I know; I’m going to have to google this stuff to figure out what the data in these arrays means.

Read the last 4 bytes of the “HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\System Resources\Physical Memory” key.

Mine is 0x00 0x00 0xF6 0x3E

Memory algorithm:

1. a = 0x3E (62) * 16,777,216
2. b = 0xF6 (246) * 65536
3. c = 0x00 * 256
4. d = 0x00
5. e = a+b+c+d+16,371,712
6. Memory = e / 1,048,576

For example, using the values from my registry.

a = 1040187392
b = 16121856
c = 0
d = 0
e = 1072680960

Memory = 1022.98828125 or ~1022 MB or ~1 GB
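The same algorithm in Python, as an added example (not the author's code). Steps 1 to 4 weight the four bytes by 2^24, 2^16, 2^8 and 2^0, which is just reading them as a little-endian unsigned 32-bit integer; the 16,371,712 adjustment is the constant the post uses, and the sample bytes are the ones quoted above, embedded in a constructed blob of filler to stand in for the rest of the value data.

```python
import struct

# Constant the post adds to the decoded value before converting to MB.
POST_ADJUSTMENT = 16_371_712
MIB = 1_048_576


def decode_last_four(last4: bytes) -> int:
    """Apply the post's steps 1-4 to the trailing four bytes.

    The bytes are stored low byte first, so the fourth byte gets the
    16,777,216 (2^24) weight, the third 65,536 (2^16), the second 256
    and the first 1. That is the definition of a little-endian uint32.
    """
    if len(last4) != 4:
        raise ValueError("expected exactly four bytes")
    d, c, b, a = last4
    return a * 16_777_216 + b * 65_536 + c * 256 + d


def physical_memory_mb(value_data: bytes) -> float:
    """Steps 5-6: add the post's constant and convert bytes to MB.

    value_data is the raw data of the 'Physical Memory' value; only its
    last four bytes are used, as the post describes.
    """
    if len(value_data) < 4:
        raise ValueError("value data is shorter than four bytes")
    e = decode_last_four(value_data[-4:]) + POST_ADJUSTMENT
    return e / MIB


def main() -> None:
    # Constructed sample: twelve bytes of filler followed by the four bytes
    # quoted in the post (0x00 0x00 0xF6 0x3E).
    sample = b"\x00" * 12 + bytes([0x00, 0x00, 0xF6, 0x3E])
    # Cross-check the stepwise sum against a plain little-endian unpack.
    assert decode_last_four(sample[-4:]) == struct.unpack("<I", sample[-4:])[0]
    mb = physical_memory_mb(sample)
    print(f"Physical memory = {mb} MB (~{round(mb)} MB, ~{round(mb / 1024)} GB)")


if __name__ == "__main__":
    main()
```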

Posted in Memory | Leave a Comment »