Comments on: Memory acquisition and the pagefile(s) https://blog.mandiant.com/archives/1157?utm_source=rss&utm_medium=rss&utm_campaign=memory-acquisition-pagefiles-part-ii The Ammunition You Need to Find Evil and Solve Crime Mon, 06 Feb 2012 23:03:19 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Jamie Butler https://blog.mandiant.com/archives/1157/comment-page-1#comment-83 Jamie Butler Fri, 23 Jul 2010 16:08:19 +0000 http://blog.mandiant.com/?p=1157#comment-83 Parsing the filesystem for sectors that represent the pagefiles works on both NTFS and FAT/16/32. I will not go into all the details because Brian Carrier already wrote that book. You can use the Sleuth Kit binaries to validate this. Also, the slack space is not involved because the file has not been deleted. I can create an abstraction layer to read the pagefiles with an offset into the pagefile and a size just like the OS's APIs. You are correct that we do not know what page is paged out until the moment of translation (last bit of PTE is 0). This presents the biggest problem. Timing is everything, and the pagefiles are changing as we acquire and translate. That is why Memoryze only uses the pagefiles during a Live analysis. If we encounter a single page paged out at the moment of translation, we read the pagefile in question. That way the lag time is milliseconds instead of minutes. Thanks for reading. I look forward to discussing it more. Jamie Parsing the filesystem for sectors that represent the pagefiles works on both NTFS and FAT/16/32. I will not go into all the details because Brian Carrier already wrote that book. You can use the Sleuth Kit binaries to validate this.

Also, the slack space is not involved because the file has not been deleted. I can create an abstraction layer to read the pagefiles with an offset into the pagefile and a size just like the OS’s APIs.

You are correct that we do not know what page is paged out until the moment of translation (last bit of PTE is 0). This presents the biggest problem. Timing is everything, and the pagefiles are changing as we acquire and translate. That is why Memoryze only uses the pagefiles during a Live analysis. If we encounter a single page paged out at the moment of translation, we read the pagefile in question. That way the lag time is milliseconds instead of minutes.

Thanks for reading. I look forward to discussing it more.
Jamie

]]> By: sebastienbr https://blog.mandiant.com/archives/1157/comment-page-1#comment-81 sebastienbr Thu, 22 Jul 2010 16:05:50 +0000 http://blog.mandiant.com/?p=1157#comment-81 Nice post, thanks for sharing information on the pagefile! To have a complete memory dump, I agree that we need to acquire the pagefile(s) at the same moment we acquire the memory. But something seems wrong to me with the pagefile acquisition process. "tools typically parse the filesystem for access to the sectors that represent the pagefiles" First this technique only works with NTFS, right? There's no solution for FAT32? Also, if we use NTFS index to acquire pagefile sectors, our acquisition will have hdd slackspace. Here's a quick test I did: 1) Create a new disk on vmware, quick format to ntfs 2) Move the pagefile to the new hdd, reboot 3) Acquire memory + pagefile Pagefile acquisition is full of 00 (hdd slackspace). Do we really need to acquire this slackspace for memory analysis? I don't think so because this slackspace will be analysed in the post-mortem forensic analysis. Also, I don't think this slackspace is relevant to the state of a running computer (live memory analysis). When the CPU do a virtual to physical address translation, he knows that the page is in the pagefile when the last bit of the PDE (page directory entry) is 0. Can that be a better way to acquire the pagefile? 0) Full memory acquisition 1) Parse the VAD tree of each process and find every virtual page that is in the pagefile 2) Restore those pages from the pagefile to the memory 3) Acquire restored page in memory Thanks again for the series of post on the pagefile! Sebastien Bourdon-Richard Nice post, thanks for sharing information on the pagefile!

To have a complete memory dump, I agree that we need to acquire the pagefile(s) at the same moment we acquire the memory.

But something seems wrong to me with the pagefile acquisition process.

“tools typically parse the filesystem for access to the sectors that represent the pagefiles”

First this technique only works with NTFS, right? There’s no solution for FAT32?

Also, if we use NTFS index to acquire pagefile sectors, our acquisition will have hdd slackspace. Here’s a quick test I did:

1) Create a new disk on vmware, quick format to ntfs
2) Move the pagefile to the new hdd, reboot
3) Acquire memory + pagefile

Pagefile acquisition is full of 00 (hdd slackspace).

Do we really need to acquire this slackspace for memory analysis? I don’t think so because this slackspace will be analysed in the post-mortem forensic analysis. Also, I don’t think this slackspace is relevant to the state of a running computer (live memory analysis).

When the CPU do a virtual to physical address translation, he knows that the page is in the pagefile when the last bit of the PDE (page directory entry) is 0. Can that be a better way to acquire the pagefile?

0) Full memory acquisition
1) Parse the VAD tree of each process and find every virtual page that is in the pagefile
2) Restore those pages from the pagefile to the memory
3) Acquire restored page in memory

Thanks again for the series of post on the pagefile!

Sebastien Bourdon-Richard

]]> By: Jamie Butler https://blog.mandiant.com/archives/1157/comment-page-1#comment-66 Jamie Butler Thu, 08 Jul 2010 02:18:45 +0000 http://blog.mandiant.com/?p=1157#comment-66 Yes, Peter and I are still working on Memoryze for Windows 7 64bit. Peter made a lot of progress today. Beta should be available for Black Hat. Yes, Peter and I are still working on Memoryze for Windows 7 64bit. Peter made a lot of progress today. Beta should be available for Black Hat.

]]>