Difference between pages "Pagefile.sys" and "CUE Sheet format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(See also)
 
Line 1: Line 1:
Microsoft [[Windows]] uses a '''paging file''', called <tt>pagefile.sys</tt> to store frames of memory that do not current fit into [[physical memory]]. Although Windows supports up to 16 paging files, in practice normally only one is used. This file, stored in <tt>%SystemDrive%\pagefile.sys</tt> is a hidden system file. Because the operating system keeps this file open during normal operation, it can never be read or accessed by a user. It is possible to read this file by parsing the raw file system (e.g. using [[The Sleuth Kit]]).
+
The '''CUE sheet''' format (.cue) file is often used in combination with .bin or .iso file(s) to define the track and/or session layout of an optical disc.
  
== Analysis Options ==
+
== Contents ==
  
Data is stored in the paging file when Windows determines that it needs more space in physical memory. Because storage locations in the paging file are not necessarily sequential, it is unlikely to find consecutive pages there. Although it is possible to find data in chunks smaller than or equal to 4KB, its the largest an examiner can hope for.  
+
The '''CUE sheet''' is a text based format that contains commands which specify the layout.
  
Sadly, the most productive method to date for analyzing paging files is searching for [[strings]]. It is possible to [[Carving|carve out files]], but as noted the examiner is unlikely to find anything larger than 4KB.
+
== History ==
  
== See Also ==
+
The CUE sheet originates from CDRWIN, but various additions have been made like the CDTEXT and IsoBuster extensions.
* [[Windows Memory Analysis]]
+
  
== External Links ==  
+
== See also==
  
* [[Nicholas Maclean]] published his thesis on [[Windows Memory Analysis|Windows memory analysis]] and discussed the paging file. Unfortunately the document does not appear to be online anymore.
+
* [http://en.wikipedia.org/wiki/Cue_sheet_%28computing%29 Wikipedia on CUE sheet]
* ''[http://www.jessekornblum.com/research/papers/buffalo.pdf Using Every Part of the Buffalo in Windows Memory Analysis]'' - A paper discussing the different states of memory including where to find data in the paging file
+
* [http://code.google.com/p/libodraw/downloads/detail?name=CUE%20sheet%20format.pdf CUE sheet format]
* ''[http://www.microsoft.com/MSPress/books/6710.aspx Microsoft Windows Internals]'' - An excellent guide to the inner workings of Microsoft Windows
+
 
 +
[[Category:File Formats]]

Latest revision as of 05:12, 2 April 2013

The CUE sheet format (.cue) file is often used in combination with .bin or .iso file(s) to define the track and/or session layout of an optical disc.

Contents

The CUE sheet is a text based format that contains commands which specify the layout.

History

The CUE sheet originates from CDRWIN, but various additions have been made like the CDTEXT and IsoBuster extensions.

See also