An Intro to Pagefile Forensics

Shaquib Izhar
3 min read · Nov 28, 2021

In this brief write-up, we will explore page files and how page file forensics can assist investigators in obtaining digital evidence from the operating system.

What is a Pagefile?

In Windows NT, when physical RAM is exhausted, the operating system uses the hard drive as virtual memory by placing data in a file called pagefile.sys. Although reading and writing data from the page file is slower than using actual RAM, it is still preferable to crashing the program. This process is based on paging, a memory management technique. If you want to learn more about paging, you can read further on the topic here.

Investigating Pagefile to retrieve artifacts

As we know, the page file contains data that was in use by the operating system and its processes. By making a copy of this file (or using other methods), we can extract valuable information that may assist an investigator in making informed decisions. Note that the file can be large: in this example, pagefile.sys is 7.9 GB, though its size depends on the space the user has allocated to it.

I am going to use the strings command, which is built into many Linux distributions, along with grep and regular expressions (regex) to extract URLs, email addresses, and other relevant information.

So first I will extract all the URLs from this pagefile by typing: strings pagefile.sys | egrep "^https?://" | less

And I got all the URLs from this pagefile.

There are more URLs available, but this example should suffice to illustrate how the process works.

Now I will fetch file paths and directories from this page file using egrep with a regular expression that matches a drive letter followed by a backslash, by typing: strings pagefile.sys | egrep -i "^[a-z]:\\\\" | less

Below, you can see the file paths and directories extracted from this page file.

Finally, we will extract all the email addresses from this page file using the following command: strings pagefile.sys | egrep '[[:alnum:]_.-]{1,64}@[[:alnum:]_.-]{2,255}\.[[:alpha:].]{2,4}'

And I got the emails.

By using this technique, we can also uncover sensitive information that may be crucial for investigating the case.
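As an added example that is not part of the original write-up, the same three extractions are implemented below in Python against a small constructed byte blob that stands in for a copy of pagefile.sys. The code reproduces what strings does (runs of at least four printable characters) for both plain ASCII and UTF-16LE text, because Windows stores many paths and URLs as UTF-16LE and a default strings run only finds ASCII (the equivalent strings switch is -el), and then applies the same URL, drive-path and email patterns as the commands above. The sample bytes, host names, paths and addresses are all constructed; Python's re module has no POSIX [[:alnum:]] classes, so those are written out as explicit ranges.

```python
import re
import sys

MIN_LEN = 4  # default minimum run length used by strings(1)

# The write-up's three grep patterns as Python regexes. Each extracted string
# plays the role of one line of strings output, so ^ anchors to its start.
URL_RE = re.compile(r"^https?://")
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
# Python's re lacks POSIX classes, so [[:alnum:]] becomes A-Za-z0-9 here.
EMAIL_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}@[A-Za-z0-9_.-]{2,255}\.[A-Za-z.]{2,4}")

# Constructed stand-in for a pagefile copy: binary noise with a few embedded
# strings, some ASCII and some UTF-16LE. All names and addresses are made up.
SAMPLE_PAGEFILE = (
    b"\x00\x00\x7fELF\x00\x01\x02"                        # noise, too short for strings
    + b"https://example.com/login?next=/home\x00"
    + b"\x03\x04http://intranet.example/reports\x00"
    + b"C:\\Users\\alice\\Documents\\notes.txt\x00\x00"
    + "d:\\Backups\\2021\\archive.zip".encode("utf-16-le") + b"\x00\x00"
    + b"mail from alice.smith@example.com to bob_j@mail.example.org\x00"
    + b"\xff\xfe\xde\xad\xbe\xef"
    + "support@example.co.uk".encode("utf-16-le")
)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return printable runs of at least min_len characters, like strings and strings -el.

    ASCII runs are printable bytes 0x20..0x7e; UTF-16LE runs are the same bytes
    each followed by a NUL, which is how Windows stores most of its text.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_run.finditer(data)]
    return found


def carve_artifacts(data: bytes) -> dict:
    """Classify extracted strings with the write-up's URL, path and email patterns."""
    found = {"urls": [], "paths": [], "emails": []}
    for s in extract_strings(data):
        if URL_RE.match(s):
            found["urls"].append(s)
        if PATH_RE.match(s):
            found["paths"].append(s)
        # Addresses are usually embedded in longer strings, so search rather than anchor.
        found["emails"].extend(EMAIL_RE.findall(s))
    return found


if __name__ == "__main__":
    # Pass the path of a pagefile copy to scan it; with no argument, scan the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PAGEFILE
    for kind, items in carve_artifacts(blob).items():
        print(f"{kind} ({len(items)}):")
        for item in items:
            print("  " + item)
```

Running the script with no argument carves the sample and reports two URLs, two drive paths (one of them only visible because the UTF-16LE pass is included) and three addresses. For a real multi-gigabyte pagefile copy, read the file in chunks or keep using strings and grep as above; the point of the script is the extraction logic, not the I/O.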

You can also use CyberChef to build and test these regular expressions.
