How to extract forensic artifacts from pagefile.sys?

Microsoft Windows uses a paging file, called pagefile.sys, to store page-size blocks of memory that do not current fit into physical memory.
This file, stored in %SystemDrive%\pagefile.sys is a hidden system file and it can never be read or accessed by a user, including Administrator.

It is possible to read this file by parsing the raw file system, or exact it using tools like FTKImager.

Contrary to hybernation files, page files cannot be processed with Volatility: in fact the page file is just the “holes” in memory where blocks are stored to disk, it will often contain information that can be relevant to the case you are trying to solve.

Because storage locations in the paging file are not necessarily sequential, it is unlikely to find consecutive pages there.
Although it is possible to find data in chunks smaller than or equal to 4KB, its the largest an examiner can hope for.
So, the most productive method for analyzing paging files is searching for strings.


Analysis with “strings” command

To start your analysis on the page file you could use the strings command.

Here some suggestions:

List all paths in pagefile
 $strings pagefile.sys | grep -i "^[a-z]:\\\\" | sort | uniq | less 
Search for enviroment variables
$ strings pagefile.sys | grep -i "^[a-zA-Z09_]*=.*" | sort -u | uniq | less
Search for URLs
$ strings pagefile.sys | egrep "^https?://" | sort | uniq | less
Search for email addresses
$ strings pagefile.sys | egrep '([[:alnum:]_.-]{1,64}[email protected][[:alnum:]_.-]{2,255}+?\.[[:alpha:].]{2,4})' 

Analysis with YARA rules

Furthermore, you may scan the pagefile.sys using YARA.
Using (for example) the set of rules obtained with this method, you may scan the pagefile in order to seek some malware artifacts not found in the volatile memory:

$ yara malware_rules.yar pagefile.sys

Additional readings

One comment

Comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.