pagefile.sys

[AndyzBong]

I was wondering how exactly I go about viewing possible unencrypted passwords in the pagefile.sys file. I know that I would need a Linux Live CD in order to extract the file, but would I need forensic software to view the plain-text passwords?

Any links or info would be greatly appreciated.

[Sparda]

a ASCII/Unicode viewer (takes any file and displays it's contents as either ASCII or Unicode), which is basically a text editor.

[Sparda]

/me ignores that no one else has replied yet.

I just forced power off, booted Kubuntu (which is actually installed on this computer) and opened the page file in Kate (took a while though). I managed to find my MSN password stored as ASCII there (although I actually had to search for the passwordit's self. It's not like it has "msn_password:" before it :P). It was actually in there a couple of times as well. Couldn't find any thing more valuable like Firefox master password.

[SomeoneE1se]

/me ignores that no one else has replied yet.

I just forced power off, booted Kubuntu (which is actually installed on this computer) and opened the page file in Kate (took a while though). I managed to find my MSN password stored as ASCII there (though I actually had to search for the passwordit's self. It's not like it has "msn_password:" before it :P). Couldn't find any thing more valuable like Firefox master password.

It would be interesting to see if the characters around it were the same it might not say msnPassword but it might be the same so searching for that string might yield a password

[unasoto]

I'm about to go to bed but I woundered same thing Vako did. Tomorrow I'm going to do the same thing and post my 10 digits that are in front of my passwords and then the last 10 digits and if others do the same thing we might find some kinda tag? :)

/me not nub enough to post my password :P

[digip]

I'm about to go to bed but I woundered same thing Vako did. Tomorrow I'm going to do the same thing and post my 10 digits that are in front of my passwords and then the last 10 digits and if others do the same thing we might find some kinda tag? :)

/me not nub enough to post my password :P

What if that was your passwords hash....

[cooper]

I was under the impression that passwords are kept (as long as they are in fact kept) in a locked memory page which would preclude them from being written away in the pagefile.sys file.

The correct (and, I would assume, normal) way to deal with this is to lock the memory page, read the password into it, use it in whatever way to obtain a session key, clear out the page, and then unlock it again. Use the session key from that point on, which will time out after, say, 30 minutes of inactivity.

[Shaun]

I'm about to go to bed but I woundered same thing Vako did.

VaKo?

[lunex]

/me ignores that no one else has replied yet.

I just forced power off, booted Kubuntu (which is actually installed on this computer) and opened the page file in Kate (took a while though). I managed to find my MSN password stored as ASCII there (though I actually had to search for the passwordit's self. It's not like it has "msn_password:" before it :P). Couldn't find any thing more valuable like Firefox master password.

It would be interesting to see if the characters around it were the same it might not say msnPassword but it might be the same so searching for that string might yield a password

Most likely not. Strings are usually stored alone in an object heap. However it is still possible that it is being stored as a static length array of characters that is embedded into a larger structure. I do happen to know that passwords for Passport are limited to 16 characters. This limitation means that it could be part of a structure, but that would be a very unusual practice.