Memory, Pagefile and Hibernation file

Memory

  • A device used to store information for immediate use in a computer

  • Memory forensics is the analysis of volatile data to find evidence that is not easily found on a hard drive

  • A memory dump is a snapshot or capture of computer memory from a specific instant

  • Attack data often exists only in system memory and never on disk.

Pagefile

  • Pagefile.sys is used within the Windows OS to store data from RAM when RAM becomes full

  • Its size can be changed, or it can be deleted, either of which affects the speed of the computer.

  • If it is deleted the system will not operate properly, but it can be configured to be stored on a different hard drive

Swapfile

  • The Linux equivalent of the pagefile

  • Traditionally this is a partition, but it can be set up as a swapfile

  • It is easier to change the size of a swapfile than of a partition

  • sudo fallocate -l [filesize] /swapfile changes the size of the swapfile once the swapfile has been temporarily disabled

  • To work out how much swap space is available, use free -h

  • swapon --show identifies whether swap is a file or a partition

  • How frequently the swap space gets used can also be adjusted

Hibernation file

  • Introduced in Windows 2000

  • Allows the OS to store the current state of operation when the computer is turned off

  • This copies everything from memory to a file called hiberfil.sys on disk

Hashing and Integrity

  • Hash values are text strings

  • They provide a unique identifier for a file

  • In forensics, a hash is taken before a system is copied, and a hash of the copy is then taken. If both are the same, the two are exact copies.

  • Hashcat can be used to perform dictionary attacks against hashes

  • This is most often used against credentials

  • hashcat -m 0 <hashfile.txt> <wordlist.txt>
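The hash-before, hash-after verification described under Hashing and Integrity, as an added example that is not part of these notes: it streams the image in chunks (so a large memory dump does not have to fit in RAM), compares the digests of the original and the copy, and shows that a single altered byte in the copy is detected. File names and sample content are constructed.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a multi-GB dump never has to fit in RAM


def _digest_stream(stream, algorithm):
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def hash_file(path, algorithm="sha256"):
    """Hex digest of a file on disk, computed in a streaming fashion."""
    with open(path, "rb") as f:
        return _digest_stream(f, algorithm)


def hash_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory buffer (e.g. a captured dump before it is written out)."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_copy(source, copy, algorithm="sha256"):
    """Hash original and copy; returns (match, source_digest, copy_digest)."""
    src, dst = hash_file(source, algorithm), hash_file(copy, algorithm)
    return src == dst, src, dst


def demo():
    """Constructed scenario: a fake dump, a faithful copy, and a copy with one altered byte."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "memdump.raw")
        good = os.path.join(d, "memdump_copy.raw")
        bad = os.path.join(d, "memdump_tampered.raw")
        data = bytes(range(256)) * 4096  # 1 MiB of constructed sample content (not a real dump)
        for path, content in ((source, data), (good, data), (bad, data[:-1] + b"\x00")):
            with open(path, "wb") as f:
                f.write(content)
        good_ok, _, _ = verify_copy(source, good)
        bad_ok, src, dst = verify_copy(source, bad)
        # The faithful copy matches; the tampered one differs although only one byte changed.
        return good_ok, bad_ok, src != dst


if __name__ == "__main__":
    print(demo())
```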
