
Pagefile forensics: page_brute


page_brute.py is a digital forensic tool for analyzing and categorizing individual paged memory frames from Windows page files. It applies YARA-based signatures to fixed-size blocks of pagefile.sys.

This tool can be used to:

  • Disambiguate evidence within pagefile.sys by logically grouping blocks/pages into categories based on YARA rulesets of forensic artifacts that follow a pattern/convention.
  • Identify page files that contain remnants of popular cleartext protocols such as HTTP or FTP, to identify network activities.
  • Identify potential attacker activities based on popular command syntaxes used during internal propagation.
  • Identify evidence of active malware infections based on YARA signatures for known malware.
  • Isolate page files that contain signatures/magic values for popular file formats for more precise file carving.
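As an added illustration of the approach described above (this is example code, not page_brute's own source), the script below splits a constructed pagefile-like buffer into fixed-size 4096-byte frames and tags each frame with simple byte-pattern signatures that stand in for YARA rules. The 4 KiB page size, the signature set and the sample buffer are assumptions made for this example.

```python
import re
from collections import defaultdict

PAGE_SIZE = 4096  # assumed frame size: one x86/x64 memory page

# Stand-ins for YARA rules: category -> compiled regex over raw bytes.
# page_brute loads real YARA rulesets; these only mimic the idea.
SIGNATURES = {
    "http_request": re.compile(rb"\b(GET|POST|HEAD) /\S* HTTP/1\.[01]\r\n"),
    "http_response": re.compile(rb"\bHTTP/1\.[01] \d{3} "),
    "ftp_command": re.compile(rb"\b(USER|PASS|RETR|STOR) \S+\r\n"),
    "png_magic": re.compile(rb"\x89PNG\r\n\x1a\n"),
    "pdf_magic": re.compile(rb"%PDF-1\.\d"),
}


def iter_pages(data, page_size=PAGE_SIZE):
    """Yield (frame_index, frame_bytes); a short trailing frame is kept."""
    for offset in range(0, len(data), page_size):
        yield offset // page_size, data[offset:offset + page_size]


def categorize_pagefile(data, signatures=SIGNATURES, page_size=PAGE_SIZE):
    """Return {category: [frame indices]}; frames matching no rule are 'unclassified'."""
    hits = defaultdict(list)
    for idx, frame in iter_pages(data, page_size):
        matched = [name for name, rx in signatures.items() if rx.search(frame)]
        for name in matched or ["unclassified"]:
            hits[name].append(idx)
    return dict(hits)


def build_sample_pagefile():
    """Constructed sample of six frames with known content; not a real pagefile."""
    def frame(payload):
        return payload.ljust(PAGE_SIZE, b"\x00")  # pad to one full page
    return b"".join([
        frame(b"\x00" * 100),                                          # 0: empty
        frame(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # 1: request
        frame(b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),      # 2: response
        frame(b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),                 # 3: PNG header
        frame(b"\x00" * 512 + b"USER anonymous\r\nPASS guest\r\n"),    # 4: FTP mid-frame
        frame(b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),                        # 5: PDF header
    ])


if __name__ == "__main__":
    for category, frames in sorted(categorize_pagefile(build_sample_pagefile()).items()):
        print(f"{category:15s} frames={frames}")
```

Frame 4 shows why rules are applied to whole frames rather than frame starts: the FTP fragment sits 512 bytes into the page, where a real pagefile often leaves it.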

Learn more about the tool at GitHub.
