root@root:-> vi Blog.txt
Blog: https://eyehatemalwares.com
:wq

root@root:-> vi Mission.txt
To provide free quality education regarding Blue Teaming and guide individuals starting out to identify their passion and improve their skill set in the field of Cybersecurity.
:wq

root@root:-> vi Vision.txt
With quality content and education, we will make the future of cyberspace a safe environment for every individual.
:wq

root@root:-> vi DISCLAIMER.txt
The opinions expressed in this blog are my own views, and I have based my review on my personal research. All the content in this blog is completely original; it might mention any other blog post, magazine article, or book, and therefore I regret any resemblance with any of the aforementioned and would like to assure you that it was unintentional. Moreover, I do not intend to be offensive towards anyone who reads this blog; if anything written can be perceived as hurtful to any community or person, I apologize, but that was not the purpose of writing it.
:wq
Table of Contents

Live Forensics: Why Live Forensics? (page 3)
Lab Details (page 3)
Live Forensics: What is Pagefile? (page 4)
Locate Pagefile (page 4)
Export Pagefile (page 5)
Pagefile.sys Analysis (page 7)
Reference (page 11)
Live Forensics Artifact: Why Live Forensics?

During an engagement, there are times when performing dead-box forensics on a suspected endpoint isn't feasible. Capturing a volatile memory image of a production server while it is operating can be problematic, not only for the server itself but also for the integrity of the acquired data, since the server's memory is constantly changing. In such cases, analysts should be able to perform live forensics as an alternative to dead-box forensics. This procedure usually depends on the analyst's expertise and understanding of where to look for artifacts that might aid the investigation, even when a memory image of the system cannot be obtained. Live forensic artifacts can be a valuable source of information because they contain much of the same data as an acquired memory image of the endpoint. This alone can give the analyst a glimpse of what happened on the endpoint and allow the incident to be timelined.

In this article, we will tackle one alternative forensic artifact that can, to a degree, replace a memory image as a source of information for Incident Response and Digital Forensics. We will also discuss a few techniques and use cases, and give a quick demonstration of how to pull this artifact using forensic tools and built-in LOLBins (Living Off The Land Binaries).

Lab Details

Machine: VMware - Windows 7 x64

Tools Used:
● Windows Registry Editor
● AccessData FTK Imager
● Strings - Sysinternals
● PhotoRec
● bulk_extractor
Live Forensics Artifact: Pagefile

What is a Pagefile?

A pagefile is a section of the hard disk that serves as virtual memory. It is used as an extension of the system's RAM to improve performance for frequently used applications and data. The file may also be used to support system crash dumps, and it helps the system run more smoothly by reducing pressure on physical memory. The Windows pagefile is stored as pagefile.sys in the root directory of the volume where the operating system is installed. Put simply, because the pagefile functions as an extension of physical memory, when the system detects that applications are using more memory than the available RAM, Windows' paging mechanism is used to move data into the pagefile.sys file (also known as virtual memory). There are several ways to check for and extract this file on a running system, which are discussed later on.

Locate Pagefile.sys

1. Using Windows Registry Editor
● Open Windows Registry Editor
● Find the pagefile location by navigating to:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ExistingPageFiles
(ExistingPageFiles is a REG_MULTI_SZ value under the Memory Management key; each entry is an NT object path such as \??\C:\pagefile.sys)
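The same registry lookup done from the command line, as an added example that is not part of the original article, assuming an elevated PowerShell session on the live Windows host; the key is the one named above, while the PagingFiles value and the Win32_PageFileUsage CIM class are additional standard sources the article does not mention.

```powershell
# Added example (not from the article): resolve the pagefile location(s) the kernel
# recorded in the registry and confirm each file on disk from a live system.
$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-PagefileLocation {
    param([string]$RegPath = $MemMgmtKey)

    $props = Get-ItemProperty -Path $RegPath -ErrorAction Stop

    # ExistingPageFiles: files actually in use since boot (REG_MULTI_SZ), written by the
    # kernel as NT object paths such as '\??\C:\pagefile.sys'.
    # PagingFiles: the configured setting, e.g. 'C:\pagefile.sys 0 0' or '?:\pagefile.sys'.
    $existing   = @($props.ExistingPageFiles) | Where-Object { $_ }
    $configured = @($props.PagingFiles)       | Where-Object { $_ }

    foreach ($entry in $existing) {
        # Strip the '\??\' NT namespace prefix so Win32 cmdlets accept the path.
        $win32Path = $entry -replace '^\\\?\?\\', ''

        # pagefile.sys is hidden + system, so Get-Item needs -Force to see it at all.
        # The OS keeps it open exclusively, which is why copying it needs a raw-disk
        # tool (e.g. FTK Imager) rather than Copy-Item.
        $file = Get-Item -LiteralPath $win32Path -Force -ErrorAction SilentlyContinue

        [pscustomobject]@{
            RegistryEntry = $entry
            Path          = $win32Path
            Exists        = [bool]$file
            SizeMB        = if ($file) { [math]::Round($file.Length / 1MB) } else { $null }
            LastWriteTime = if ($file) { $file.LastWriteTime } else { $null }
            ConfiguredAs  = ($configured -join '; ')
        }
    }
}

# Cross-check the registry view against what the OS reports as in use right now;
# a mismatch (e.g. an extra or missing file) is worth noting in the case log.
function Get-PagefileUsage {
    Get-CimInstance -ClassName Win32_PageFileUsage |
        Select-Object Name, AllocatedBaseSize, CurrentUsage, PeakUsage
}

Get-PagefileLocation | Format-List
Get-PagefileUsage    | Format-Table -AutoSize
```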