This question follows on from a previously posted question on recovery of data from a wiped disk. I have been informed that no files have been found on the computer on the hard disk or in the deleted files (unallocated space / slack). Therefore if any file did exist on the computer (again, I was not aware of this) the deletion program I run periodically as a matter of course will have removed it (my hard drive turned out to be a HDD not an SSD or hybrid, see link above for some very good info on SSD drives). I am now told the "internet history" will be analysed, I am not so concerned about this as my internet browsing history will not contain anything that shouldn't be there. I am mainly concerned about a single file which may have been downloaded inadvertently with 100's+ of other files. I have looked at the legalities of recovery and therefore I am not so concerned about a file name, size, creation etc etc but more so in if a file / fragments of a file can be restored from other places other than the HDD and be viewed.
I've done some research and it seems the places of interest are the internet history cache (which I regularly clear with ccleaner as a matter of course), swap or page file and thumbnails. So I would like to ask some questions on the latter two.
Questions
Swap file - How does a swap file store data, what data is stored and for how long
1) I've read swap files are created and deleted periodically, and deleted swap files are moved to unallocated space, is this correct? Therefore would overwriting the free space remove past swap files?
2) How often is a new swap file created?
3) If this is true then how can information from some time ago be recovered from it?
Answer from @forest One file is used and it is changed when needed. I don't know if Windows creates a new swap file when it reboots or if it uses the existing one. I would think it just keeps using the existing one. So let's say some of this page in your computer's memory is put in swap. Imagine the ASCII string "will remain on the disk until" from my comment gets swapped. Let's pretend it is the only thing that is swapped, so you have a 1 GiB swap file (for example) with that 30 byte string somewhere in it. If that swap file is deleted, that string will still be on the disk until it happens to be overwritten by chance. If the swap file is deleted, then wiping free space should overwrite it, probably.
4) I've read intensive processes such as gaming, intense internet browsing (where numerous browsers / tabs are open), video editing, streaming etc etc can "flush" the swap file is this correct? How would one "flush" the swap file?
Answer from @forest It's generally not overwritten once it's in the swap file unless the memory pressure gets really high and the entirety of swap is used up. And a video would likely be stored in fragments unless there's pretty much no free memory remaining. It would usually be enough to identify what the video is.
5) As far as file recovery from a swap file, what form would this take? Would it be fragments? Could a larger file such as a video file (say 100 MB+) be recovered in full from the swap file?
Answer from http://www.forensicfocus.com/Forums/viewtopic/p=6530317 It is possible that you might find traces of one or more files but I would think it rather unlikely that you could recover an entire file for a couple of reasons. Finally, remember that the pagefile contains only those parts of the application which the OS determines does not need to be in physical memory. Typically that is less than the total program size including any open data files. In addition, unless the program loads all of the data into virtual memory, and many programs don't, you are unlikely to find all of your program (or all of your data), in pagefile.sys.
There is evidence that image files can be recovered quite easily from the swap file https://www.forensicfocus.com/Forums/viewtopic/t=10558/postdays=0/postorder=asc/start=7/ ... "Yes I found thousands of contraband images in the pagefile.sys."
Several papers deal with recovery of fragments from unallocated space https://www.researchgate.net/publication/313809224_Identification_and_recovery_of_video_fragments_for_forensics_file_carving https://ieeexplore.ieee.org/document/7856710/ https://link.springer.com/article/10.1007/s11042-016-3716-4
Video files seem to be not so simple... "Video files are particularly sensitive, because breaking news the chain in one spot can mean the entire file is garbage. I'm mostly a "push button" forensic analyst (being in a high volume law enforcement office), but even when trying to manually carve video the results are usually pretty bad. Unlike a JPG, which can show the beginning of the file from the top down (and garbage below that), video files don't handle interruptions well at all" https://www.reddit.com/r/computerforensics/comments/2qsaul/recover_deleted_video/
Also... https://link.springer.com/article/10.1007/s11042-016-3716-4 ... "Video files are more likely to be fragmented since their sizes are relatively large that recovering video files without the file system information is meaningful."
6) What about the movement of files i.e. if a file is copied / cut and pasted from one location to another? Are they stored in the swap file? Is there a certain allocation of space in the swap file for a process such as this? Would this cause the present movement of files to overwrite previously moved files?
Answer from @forest Swap is very complex, it doesn't store individual files, but pages of memory. Generally once something is in swap, it won't leave until the computer reboots or the swap file becomes very close to full. The specific algorithms that determine what is removed from swap under any given circumstance are complex and highly dependent on what exactly is happening on the system. If something got to swap, you should assume that it'll be lurking somewhere in the unallocated disk space for a very long time.
7) What kind of web browser data would be recoverable from a swap file? Images, video? Could part of a watched YouTube video be present in the swap file? (this question is just for interest and to understand the swap file a little more).
Answer from @forest A video from a browser is probably more likely to be stored in swap, since browsers are memory-hungry beasts. Video players at most cache only a small portion of the video, since they don't need to stream them over a network. Of course, if the video is stored on the disk then it shouldn't matter if it's in swap or not, since both swap and a video file are kept on the disk.
Answer from @SteveSether I would say a youtube video is unlikely to go to swap because primarily it's going to be buffered, then freed shortly after being played. As you said, memory that's infrequently accessed is more likely to be swapped, and a youtube video isn't long lived enough to be infrequent.
Pagefiles are black boxes. The reality is that even in high-memory computers, the pagefile can, and often is, actually used regularly, even when to an observer it would not be needed.
The larger the file you're seeking to carve, the less likely you will get it intact. Video data is by nature large, and depending on its codec, can be so highly compressed or dependent on other parts of the file that even if you find a chunk, it's unviewable.
The best chances for video file recovery would be to find the stored file in long term nonvolatile memory (e.g. HDD). If the video were streamed from a network then only the amount that is cached would be possible to be recovered (say, 10 seconds' worth or so). If you absolutely insisted on carving the pagefile, as a forensic examiner, I would also ask to have a live image of the RAM of the target computer, as it would be most likely to fill in any gaps or have a more intact copy than just the pagefile alone.
8) Will a computer first use RAM and then swap? I have heard conflicting opinions. Some say the swap file will be used first.
Answer from @forest If no memory-hungry processes are running and there is still a whole lot of free RAM, then it's likely that nothing or next to nothing will get swapped out. Swapping is done when the free memory is starting to run out. Answer from @forest Swap is only used if RAM is full because swap is so slow. The way it works is, data is sent to RAM. If there is not enough room, that data may be copied to swap so its place in RAM can be taken by data that needs it more. When the now swapped data has to be accessed, it's read bit by bit back into RAM, which is a very slow process, so it tries to swap as little as it can. When the RAM and swap is very full, the CPU has to rapidly move data ("thrashing") between RAM and disk, which is slow. I don't know exactly how aggressive Windows is with swapping, but it's very likely that, if you have 32 GiB of RAM and didn't open a whole lot of tabs or programs, then a couple of YouTube videos are unlikely to touch swap, at least not all of them. Of course, the browser probably saves browsing history. :P
From http://www.forensicfocus.com/Forums/viewtopic/t=15008/ ... Pagefile.sys exists in nearly every case, but nowadays a lot of PC have so much RAM that they do not swap any memory content into pagefile.sys.
"The pagefile is used even when free RAM is available by design.
Processes with less activity are paged away to make room for other memory claims. Consider Windows always first using all RAM. In the case RAM is full and a new application is started, Windows should identify which processes can be paged away, read them from ram, write them to disk, read teh new program from disk and load it in the freed RAM. This consumes a lot of time as disk read/write is a very slow operation, and all while the user is waiting for his program to start.
So to work around this performance hit, Windows will monitor memory usage and page away all that is not often used to keep RAM free for new processes that might start." https://social.technet.microsoft.com/Forums/windowsserver/en-US/994e9f48-f319-444b-a45e-226030ec3b6e/should-the-pagefile-be-used-even-if-i-have-sufficient-physical-memory?forum=winservergen
9) If a file or partial of a file is recovered from swap, is there any other data associated with it? i.e. time is was downloaded, viewed etc etc
From https://www.forensicfocus.com/Forums/viewtopic/t=10558/postdays=0/postorder=asc/ ... I would be concerned that data carved from pagefile.sys might not be sufficient, lacking temporal data.”
Thumbnails
1) I understand that thumbnail images are stored in thumbs.db (Windows 8). How much data is stored in this file? Is every single thumbnail ever created in there?
2) Is it possible that a thumbnail could be created of a file you didn't even realise was there?
I appreciated this is a lot of questions, but if anyone has any experience with any of these areas any information would be greatly appreciated.
