2

I was reading reasons for clearing page files on workstations with one reason listed is that passwords can be stored in the pagefile and therefore should be cleared upon reboot in the case of somebody compromising the computer physically. So I am posing the question as it doesn't seem quite right.

I could argue that password and Kerberos functionality has little chance to written to the page file as there is no reason for the system to page a very important process, during a period where resources are available the most (login). This would be a possible practical answer, but not ideal one. The attacker could replace the computer RAM with a small amount prior to the theft. I am wondering if this is possible under any circumstance.

If it can be compromised then would a domain situation be different? The password would be processed on the server.

DarkSheep
  • 333
  • 2
  • 13

1 Answers1

1

I think this journal paper answers your question -> http://iosrjournals.org/iosr-jce/papers/Vol16-issue2/Version-5/C016251116.pdf

However, if an attacker(A) has unrestrained physical access to the PC, he can cause a lot of damage. If A is masquerading as a computer help person, A could easily break into computers, wipe the BIOS password and then boot off of a CD/USB to install malware into the boot sector on HDD/SSD in the computer.

A could also do a cold boot or soft boot attack on the RAM to get its contents, but A wouldn't switch two RAM pieces. Switching SSD's/HDD's would make sense since they both store data, but changing the RAM doesn't do anything really.

If the computer is able to be physically compromised, that means there is an egregious security flaw that needs to be fixed immediately.

It is good to wipe the pagefile.sys though as it does mitigate any possible information leak, and allows a network admin to possibly notice the infected computer before it messes with the network.

crypto
  • 104
  • 5