
Analyzing the Page File(s)

From the document Art MeMory Forensics Praise for (Page 136-139)

If you recall from earlier in the chapter, some software tools that run on live systems can collect page file(s) at the time of acquisition. Whether you’ve used one of those tools or extracted the file(s) from a disk image, the options for an in-depth analysis of page file contents are relatively limited. Remember that a page file is just an unordered set of puzzle pieces—without page tables to provide the necessary context, you can’t determine how they fit into the larger picture. Acquisition and Analysis of Windows Memory by Nicholas Paul Maclean (http://www.4tphi.net/fatkit/papers/NickMaclean2006.pdf) initially described the possibility of supplementing raw memory dump analysis with data from the page file(s) to provide a more complete view of physical memory. However, for the most part, the practical implementations of this technique have been unverified or inaccessible.

HBGary Responder’s documentation states that it supports page file analysis. Also, WinDBG advertises support for page file integration (see http://msdn.microsoft.com/en-us/library/windows/hardware/dn265151%28v=vs.85%29.aspx). Specifically, according to the documentation, you should be able to create a CAB file that contains a memory dump and page file(s) and analyze it with the debugger. However, a discussion on the OSR mailing list indicates that the claim is largely false (or simply outdated) (http://www.osronline.com/showthread.cfm?link=234512).

Although page file analysis is on our roadmap, at the time of this writing, you cannot perform such an analysis with Volatility. Thus, your best investigative options currently are those that do not involve context or structured analysis of the data—such as

Memory Acquisition

111

strings, antivirus scans, or Yara signatures. In fact, Michael Matonis created a tool called page_brute (see https://github.com/matonis/page_brute) that analyzes page files by splitting them into page-sized chunks and scanning each chunk with Yara rules. The default set of Yara rules distributed with the tool can discover HTTP requests and responses, SMTP message headers, FTP commands, and so on. As always, you can add to the default rules or create your own rule sets to customize the scans.

Let’s assume that you’re investigating the machine of a suspect who is accused of buying and selling controlled substances online. The suspect’s browser was configured not to cache content to disk and not to maintain a history file. Furthermore, the computer system was not running at the time of seizure, so all you have is a forensic disk image. By locating and extracting the page file(s), you hope to find some evidence of the suspect’s involvement in the alleged crime. You build the following Yara rule to assist your search:

rule drugs {
    strings:
        $s0 = "silk road" nocase ascii wide
        $s1 = "silkroad" nocase ascii wide
        $s2 = "marijuana" nocase ascii wide
        $s3 = "bitcoin" nocase ascii wide
    condition:
        any of them
}

The rule named drugs will trigger on any page in the page file that contains one of the listed strings. The following command shows how to execute the scan:

$ python page_brute-BETA.py -r drugs.yar -f /media/external/pagefile.sys
[+] - YARA rule of File type provided for compilation: drugs.yar
... Ruleset Compilation Successful.
[+] - PAGE_BRUTE running with the following options:
    [-] - PAGE_SIZE: 4096
    [-] - RULES TYPE: FILE
    [-] - RULE LOCATION: drugs.yar
    [-] - INVERSION SCAN: False
    [-] - WORKING DIR: PAGE_BRUTE-2014-03-24-12-49-57-RESULTS
=================


[!] FLAGGED BLOCK 58663: drugs
[!] FLAGGED BLOCK 58670: drugs
[!] FLAGGED BLOCK 58684: drugs
[!] FLAGGED BLOCK 58685: drugs
[!] FLAGGED BLOCK 58686: drugs
[!] FLAGGED BLOCK 58687: drugs
[!] FLAGGED BLOCK 58688: drugs
[!] FLAGGED BLOCK 58689: drugs
[snip]

The number following the FLAGGED BLOCK message is the index of the respective page in the page file. Each page that matches a signature is extracted into the working directory (PAGE_BRUTE-2014-03-24-12-49-57-RESULTS), in a file named according to its index. You can then individually analyze the extracted blocks or, for a quick initial look at the data, just run strings against the entire directory, like this:

$ cd PAGE_BRUTE-2014-03-24-12-49-57-RESULTS/drugs
$ strings * | less
https://bitcoin.org/font/ubuntu-bi-webfont.ttf
chrome://browser/content/urlbarBindings.xml#promobox
https://coinmkt.com/js/libs/autoNumeric.js?v=0.0.0.8
Bitcoin
Getting
https://bitcoin.org/font/ubuntu-ri-webfont.svg
https://bitcoin.org/font/ubuntu-ri-webfont.woff
wallet
Z N
http://howtobuybitcoins.info/img/miniflags/us.png
http://silkroaddrugs.org/silkroad-drugs-complete-step-by-step-guide/#c-3207
Location:
you want to also check out Silk Roads biggest competitor the click silkroad6ownowfk.onion/categories/drugs-ecstasy/items
http://silkroaddrugs.org/silkroad-drugs-complete-step-by-step-guide/#c-2587
[snip]

Despite the suspect’s attempt to minimize artifacts of his browsing history, you could still find evidence of the activity by examining the page file. The point is that it is much more difficult to hide or erase artifacts in memory as opposed to those on disk, especially when the OS transparently writes parts of the memory to disk during routine operations such as paging.
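To make the mechanics of the page_brute scan above concrete, here is an added Python example (not page_brute's own code and not from the book) that reproduces the two ideas the text relies on: the page file is cut into PAGE_SIZE chunks that are scanned independently, and each flagged block is written out under a results directory named by its index. Instead of the yara library it emulates the drugs rule's "nocase ascii wide" modifiers with byte regexes (case-insensitive match against both the ASCII and the UTF-16LE encoding of each string), so it runs offline; the sample page file, the planted strings and the results directory layout are all constructed for the demo. It also shows the failure mode of page-by-page scanning: a string that straddles a page boundary is not seen by either page.

```python
import os
import re
import tempfile

PAGE_SIZE = 4096

# Stand-in for the book's "drugs" rule (hypothetical emulation, not yara):
# every string is matched nocase, as ASCII and as UTF-16LE ("wide").
RULE_NAME = "drugs"
RULE_STRINGS = ["silk road", "silkroad", "marijuana", "bitcoin"]


def compile_patterns(strings):
    """One regex per rule string, alternating its ascii and wide encodings."""
    patterns = []
    for s in strings:
        ascii_pat = re.escape(s.encode("ascii"))
        wide_pat = re.escape(s.encode("utf-16-le"))
        # IGNORECASE folds the ASCII letter bytes in both encodings
        patterns.append(re.compile(b"(?:%s|%s)" % (ascii_pat, wide_pat), re.IGNORECASE))
    return patterns


def scan_page_file(path, patterns, page_size=PAGE_SIZE):
    """Return [(block_index, [matched string ids])] for every page that triggers the rule."""
    hits = []
    with open(path, "rb") as f:
        index = 0
        while True:
            page = f.read(page_size)          # each chunk is scanned on its own
            if not page:
                break
            matched = [i for i, p in enumerate(patterns) if p.search(page)]
            if matched:
                hits.append((index, matched))
            index += 1
    return hits


def extract_flagged(path, hits, out_dir, rule_name=RULE_NAME, page_size=PAGE_SIZE):
    """Write each flagged page to <out_dir>/<rule_name>/<index> and return the sizes written."""
    rule_dir = os.path.join(out_dir, rule_name)
    os.makedirs(rule_dir, exist_ok=True)
    sizes = []
    with open(path, "rb") as f:
        for index, _ in hits:
            f.seek(index * page_size)         # block index * page size = byte offset
            data = f.read(page_size)
            with open(os.path.join(rule_dir, str(index)), "wb") as out:
                out.write(data)
            sizes.append(len(data))
    return sizes


def build_sample_pagefile(path, page_size=PAGE_SIZE):
    """Constructed sample: six zero-filled pages with test strings planted in them."""
    pages = [bytearray(page_size) for _ in range(6)]

    def plant(page, offset, data):
        page[offset:offset + len(data)] = data

    plant(pages[1], 64, b"GET /silkroad-guide HTTP/1.1\r\nHost: example.invalid\r\n")  # ascii, $s1
    plant(pages[3], 2000, "Buy Bitcoin here".encode("utf-16-le"))                   # wide, $s3
    plant(pages[4], 4000, b"MARIJUANA")                                              # nocase, $s2
    # "silk road" split across the page 4 / page 5 boundary: neither page sees it whole
    plant(pages[4], page_size - 5, b"silk ")
    plant(pages[5], 0, b"road")
    with open(path, "wb") as f:
        for p in pages:
            f.write(p)
    return path


def run_demo():
    """Build the constructed page file in a temp dir, scan and extract; return (hits, sizes)."""
    work = tempfile.mkdtemp(prefix="page_brute_demo_")
    pf = build_sample_pagefile(os.path.join(work, "pagefile.sys"))
    hits = scan_page_file(pf, compile_patterns(RULE_STRINGS))
    for index, matched in hits:
        ids = ", ".join("$s%d" % m for m in matched)
        print("[!] FLAGGED BLOCK %d: %s (%s)" % (index, RULE_NAME, ids))
    sizes = extract_flagged(pf, hits, os.path.join(work, "RESULTS"))
    return hits, sizes


if __name__ == "__main__":
    run_demo()
```

Running it flags blocks 1, 3 and 4 and writes three 4096-byte files; block 5 is never reported even though it holds half of "silk road", which is why a practitioner who suspects boundary-straddling artifacts should also run strings across the whole file, as the book does, or scan overlapping windows.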


NOTE

Users running Windows 7 or later can optionally encrypt the system paging files with the Encrypting File System (EFS). Although it’s disabled by default, you can type fsutil behavior query EncryptPagingFile at an administrator command prompt to see the current status.

On Linux, swap is actually a partition rather than a file (you can list the location with cat /proc/swaps or by looking in /etc/fstab). However, you’ll need a disk image to access the content. For Mac OS X, the swap is encrypted by default since 10.7. You can list the files in the /var/vm directory or query the status with the sysctl command, as shown here:

$ ls -al /var/vm/*
-rw---T 1 root wheel 2147483648 Mar 2 11:24 /var/vm/sleepimage
-rw--- 1 root wheel 67108864 Apr 9 09:24 /var/vm/swapfile0
-rw--- 1 root wheel 1073741824 Apr 28 22:28 /var/vm/swapfile1
-rw--- 1 root wheel 1073741824 Apr 28 22:28 /var/vm/swapfile2
$ sysctl vm.swapusage
vm.swapusage: total = 2048.00M used = 1061.00M free = 987.00M (encrypted)
