Hi,

Bypassing the file system and directly accessing the disk can easily dump any disk block. Disk Probe from the NT Resource Kit can do this. The hard part is figuring out which blocks the pagefile(s) is/are using. I am not aware of any easy-to-use "script kiddie" tools that will accomplish this, but would like to find one. Another way to access the pagefile(s) would be to use a kernel-level debugger. This is not for the faint of heart.

If the attacker has access to the contents of the pagefile(s), they already have full control over the system. With the obvious exception of decrypted passwords, making sense of the contents is going to be something of a challenge. Since the attacker has already been caught blowing smoke, I would tend to agree with H C's assessment.

Pmdump.exe is limited to dumping a process's current image, and can easily miss pages that had been used and then freed. It will also miss seeing any surviving pages from processes that have terminated.

B Cing U
Buck

H C <keydet89 @yahoo.com>
To: forensicsat_private
cc: avanderstock@b-sec.com.au
07/31/2002 08:32 AM
Subject: re: Pagefile for reader/dumpers NT?

> I have an attacker who claims he was able to read the
> contents of a live NT pagefile which helped him attack
> further. So far, we have shown that a few of his other
> claims are without merit, but this one has stumped me.

You may have answered your own question...both technically, and in the fact that this attacker's other claims are "without merit". Could be all boasting just to throw you off...

I am not familiar with any tools that do what you describe...the only thing that remotely comes close that I know of is Arne's pmdump.exe utility from NTSecurity.nu...and that doesn't work specifically on the pagefile.

Carv

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
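The "hard part" Buck describes, working out which disk blocks pagefile.sys occupies so they can be read around the file system, comes down to decoding the run list in the file's NTFS $DATA attribute. The following is an added example for this archived thread, not code posted by either author; it decodes an NTFS run list into absolute cluster extents, converts them to byte ranges, and reads those ranges from a raw volume handle. The run list, the 4096-byte cluster size and the image bytes in the test are constructed for illustration; on a live system the run list would come from the pagefile's MFT record and the handle from the raw volume (for example `\\.\C:`, which requires administrative rights on Windows).

```python
"""NTFS data-run decoder for locating a file (e.g. pagefile.sys) on the raw disk.

Added example for this thread; not code from the original posts.
"""
import io
from typing import List, Optional, Tuple

# (logical cluster number, or None for a sparse run; run length in clusters)
Extent = Tuple[Optional[int], int]


def decode_data_runs(runs: bytes) -> List[Extent]:
    """Decode an NTFS run list into absolute cluster extents.

    Each run starts with a header byte: low nibble = size in bytes of the
    length field, high nibble = size of the LCN-offset field. Lengths are
    unsigned little-endian; offsets are signed little-endian and relative
    to the previous run's starting LCN. An offset size of 0 marks a sparse
    run with no clusters on disk. A 0x00 header byte ends the list.
    Bounds are checked because the run list may come from an untrusted image.
    """
    extents: List[Extent] = []
    pos = 0
    lcn = 0  # running absolute LCN; each offset is a delta from this
    while pos < len(runs):
        header = runs[pos]
        pos += 1
        if header == 0:
            break
        len_size = header & 0x0F
        off_size = header >> 4
        if len_size == 0 or pos + len_size + off_size > len(runs):
            raise ValueError(f"malformed run header at byte {pos - 1}")
        length = int.from_bytes(runs[pos:pos + len_size], "little", signed=False)
        pos += len_size
        if off_size == 0:
            extents.append((None, length))  # sparse run: nothing to read
            continue
        delta = int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta
        if lcn < 0:
            raise ValueError("run list walks below cluster 0")
        extents.append((lcn, length))
    return extents


def extents_to_byte_ranges(extents: List[Extent], cluster_size: int) -> List[Tuple[int, int]]:
    """Map cluster extents to (byte offset, byte length) on the volume.
    Sparse runs are skipped: they have no backing clusters to read."""
    return [(lcn * cluster_size, length * cluster_size)
            for lcn, length in extents if lcn is not None]


def read_extents(device, ranges: List[Tuple[int, int]]) -> bytes:
    """Read the given byte ranges, in order, from a seekable raw handle.
    On Windows that handle would be open(r'\\.\C:', 'rb') (admin needed);
    it is passed in so the function also works on a disk image file."""
    chunks = []
    for offset, size in ranges:
        device.seek(offset)
        chunks.append(device.read(size))
    return b"".join(chunks)


def extract_from_image(image: bytes, runs: bytes, cluster_size: int) -> bytes:
    """Convenience wrapper: run list + raw volume bytes -> file contents."""
    extents = decode_data_runs(runs)
    return read_extents(io.BytesIO(image), extents_to_byte_ranges(extents, cluster_size))


# Constructed sample run list (not taken from any real volume):
#   21 18 34 56  -> 24 clusters starting at LCN 0x5634 (22068)
#   11 08 F0     -> 8 clusters at 22068 + (-16) = 22052
#   01 04        -> 4 sparse clusters (no disk backing)
#   00           -> end of list
SAMPLE_RUNS = bytes.fromhex("21 18 34 56 11 08 F0 01 04 00")
CLUSTER_SIZE = 4096  # 8 sectors of 512 bytes; an assumed, common NTFS default

if __name__ == "__main__":
    extents = decode_data_runs(SAMPLE_RUNS)
    for lcn, length in extents:
        print(f"LCN {str(lcn):>6}  clusters {length}")
    for offset, size in extents_to_byte_ranges(extents, CLUSTER_SIZE):
        print(f"volume offset {offset:#x}  bytes {size}")
```

The byte offsets produced are relative to the start of the volume, so when reading from a whole-disk device rather than the volume handle, the partition's starting offset must be added first. The same mapping is what a tool like Disk Probe needs typed in by hand, and on current Windows versions `fsutil file queryextents` reports it directly; the decoder above is the piece that lets an offline parser of a disk image do the job without the running file system.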
This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 06:47:54 PDT