
The 2016 Asia Pacific Conference on Multimedia and Broadcasting (APMediaCast)

Swap files Anti-Forensics on Linux

Erwid Jadied
School of Computing
Telkom University, Bandung, Indonesia
Email: jadied@telkomuniversity.ac.id

Abstract—The swap file is a potentially interesting and rich source of digital evidence. Passwords, cryptographic keys, private data and sensitive data can be found in the swap file. With a simple technique such as string matching, digital evidence can be easily found and identified. There is minimal research on swap file anti-forensics. We found that most swap file anti-forensics techniques are still vulnerable to live acquisition. So, we propose 2 swap file anti-forensic techniques: inject live swap file and fake swap file. Inject live swap file is created by injecting (flooding) fake data into the live swap file using a custom script. Fake swap is created by manipulating the swap file header, then filling the swap file with fake artefacts of our choosing. We perform this technique before the user begins his/her usual activities. We were able to implement the inject live swap file technique, but with the disadvantage of private and sensitive data leaks. Making a fake swap file is relatively easy and without data leaks. Although these two approaches do not solve the problem of live acquisition, they can confuse, mislead and waste the examiner's time.

I. INTRODUCTION

A. Background and Motivation

Swapping is a process that interchanges the contents of an area of main storage (memory) with the contents of an area in secondary memory (hard disk) [1]. Swapping is always associated with I/O operations. A swap file is a file on disk used for swapping. Swapping and the swap file are created and managed by the OS (operating system). On Windows the swap file is called the pagefile; on Linux it is called the swap file.

The swap file is a structureless collection of memory pages (blocks/chunks) [2]. In a modern OS, memory is partitioned into hundreds of memory pages. A memory page usually has a predetermined fixed size (4 KiB, for example). So if we have a process X with a size of 1 MiB, then this process will occupy 3 memory pages in memory. Swapping happens if our memory is (relatively) full but there are still more processes that need to run. When this happens, our process X will be evicted from memory to disk (hard disk) and a new process Y will occupy the memory. There is no standard structure for how the OS places memory pages in the swap file. From the examiner's perspective, the swap file is just a structureless collection of 4 KiB chunks of data.

The swap file is a potentially interesting and rich source of digital evidence. Passwords, cryptographic keys, private data and sensitive data can be found in the swap file. With a simple technique such as string matching or file carving, digital evidence can be easily found and identified [3]. On the other hand, the implementation of the swap file still lacks security features [2]. Therefore, we need swap file anti-forensics to protect our private and sensitive data. This research is focused only on the swap file of the Linux OS.

B. Contributions

The main contributions of this paper are:

• Identification of swap file anti-forensics techniques using the CAF (Computer Anti-Forensics) Classification [4]. Most research on anti-forensics is still focused on memory anti-forensics and very little on swap file anti-forensics. Although memory and the swap file are very closely related, the swap file is different from memory from the perspective of forensics. In this paper we made a list of anti-forensics techniques for the swap file, with their advantages and disadvantages, vulnerability, data leak and complexity.

978-1-4673-9791-9/16/$31.00 ©2016 IEEE 73


• Propose 2 (two) simple anti-forensics techniques: inject live swap file and fake swap file. These 2 simple techniques are created to confuse, mislead and waste the examiner's time.

C. Outline

After this introduction, we will review existing research on swap file anti-forensics. In the methodology section we will outline our anti-forensics techniques and testing method. In results and discussion we will present our findings.

II. LITERATURE REVIEW

A. Anti-forensics

Anti-forensics is simply defined as the opposite of forensics work.

"To hinder the efforts of Computer Forensics, criminals work doggedly to instigate, develop and promote counter techniques and methodologies, or what is commonly referred to as Anti-Forensics. If we adopt the definition of Computer Forensics (CF) as scientifically obtaining, examining, and analysing digital information to be used as evidence in a court of law, then Anti-Forensics can be defined similarly but in the opposite direction" [4].

Therefore, anti-forensics tries to eliminate and obscure digital evidence and/or tries to make examination and forensic analysis difficult or impossible to perform. Evading detection, disturbing the collection process (making it harder), increasing the time the examiner needs to handle the case and casting doubt on expert testimony and the results of forensic software are some goals of anti-forensics. It simply makes the examiner's work difficult.

B. Classification of Anti-forensics

There are many classifications for anti-forensics in general. The following are the most commonly used [4]:

1) Anti-forensics based on attack target. It classifies techniques based on the attack target. We are able to attack data (making it difficult to read or extract data), attack tools (making tools not work as they should) or attack the investigator.

2) Anti-forensics based on techniques vs. tactics. It classifies techniques based on how general or specific the attack could be carried out. Techniques refer to general anti-forensics (deleting data, disabling, etc.). Tactics refer to crashing a specific tool or defeating special methods.

3) Anti-forensics based on traditional vs. non-traditional:
• Traditional: overwriting data, cryptography, steganography and any data hiding techniques. More focused on data.
• Non-traditional: memory injection, anonymous storage, bug exploitation on tools, etc. This category attacks processes and tools to evade detection, confuse the examiner and cast doubt on forensic results.

In this paper, we choose the traditional vs. non-traditional classification because we think this classification is very flexible and able to accommodate newer techniques in the future. To fill each classification with swap file anti-forensics we will curate existing and newer swap file anti-forensics techniques from [5] and other references. For each category, we will perform an evaluation based on data leak, security performance and relevant parameters.

C. Swap File Anti-Forensics

1) Traditional

1.1. Overwrite

i) Data Overwrite. This technique securely deletes the swap file, not just standard deletion. There is already an anti-forensics tool for this technique. It is called sswap¹. sswap uses the secure deletion method proposed by Peter Gutmann (1x overwrite with 0xff, 5x overwrite with random numbers, 27x overwrite with special numbers specified by Gutmann and 5x overwrite with random numbers). To securely delete swap, we must unmount it first, then we can delete it. We must manually create a script and configure it. If we use a swap

¹ http://www.thc.org/


file (instead of a swap partition), we are able to use standard secure deletion tools such as srm, shred, dd or wipe.
Advantages: No digital evidence if properly done. Tools already exist.
Disadvantages: Long deletion time, especially for a huge swap file. This will affect the user experience.
Vulnerability: Still vulnerable to live acquisition if deletion is not complete².
Complexity: The user must manually create a custom script to automate the deletion process.

ii) Metadata Overwrite. The path of the swap file and the system's configuration are examples of metadata. Overwriting this metadata will make identification of the swap file position harder, especially if we use multiple swap partitions or files in external storage or an unusual name for the swap file. On Linux, the swap file path is managed by the kernel. To overwrite this metadata means modifying the kernel. This requires high technical skill and ordinary users are not able to do it. The swap file is also easily identified because it has a special signature (SWAPSPACE2). The examiner just does some string matching with the keyword SWAPSPACE2.
Advantages: Slightly delays the examiner's analysis; the swap file is easily identified.
Disadvantages: The effort to overwrite is higher. It also affects system usability.
Vulnerability: The overwrite is eventually recognizable by experts.
Complexity: We must modify the kernel or /proc.

1.2. Preventing Data Creation. Not activating the swap file means no data creation in the swap file, hence no digital evidence. There are at least 3 ways to prevent data creation: the swappiness setting, mlock() and disabling the swap file. Swappiness is a parameter on the Linux OS to configure how often swapping occurs. Swappiness is not a reliable way to prevent data creation (as we found in our experiment). mlock() is a Linux function to lock part of memory. The programmer is able to explicitly command the OS not to swap it. mlock() works at the source code level. The programmer must specify what part of the code must reside in memory. This technique is usually used in embedded systems. Also, mlock() is only able to lock a small part of a process. Disabling the swap file will ensure that there is no data creation in the swap file. It is easy to do. The effect of disabling the swap file on system performance depends very much on the system configuration and usage.
Advantages: No digital evidence in the swap file at all.
Disadvantages: Performance issues.
Vulnerability: None.
Complexity: Simple. Just disable the swap file.

1.3. Data Hiding

i) Cryptography. Full Disk Encryption on the swap partitions or swap file will prevent the examiner from recovering digital evidence. There are many tools that encrypt the whole disk including swap files (example: dm-crypt). Drawbacks of this technique are the performance issue and the situation when the examiner is able to get the computer while it is still on, because the decryption key is still in memory and the examiner is able to get it. A more general solution for this technique is to encrypt memory. Encryption of memory means encryption of the swap file, because the swap file is a memory extension. Special tools to encrypt memory are TRESOR [6] and Cryptkeeper [7]. TRESOR is CPU-only encryption; the key is inside a CPU register. Cryptkeeper divides memory into cleartext memory and encrypted memory. Swapping is only performed for the encrypted part.

² https://www.whonix.org/wiki/Advanced_Security_Guide


Advantages: Digital evidence is hard to acquire if this technique is properly implemented.
Disadvantages: Performance issues [8].
Vulnerability: Still vulnerable to live acquisition.
Complexity: Tools already exist.

ii) Partition Hiding. The swap file or swap partition can be hidden in a legitimate partition. An example of this technique is Truecrypt's hidden partition. The hidden partition hides inside a legitimate partition. The user must run their software to hide the partition, then activate swap with the path to the hidden partition.
Advantages: Tools already exist.
Disadvantages: Difficulty hiding a big swap file.
Vulnerability: Still vulnerable to live acquisition.
Complexity: Relatively easy to use.

2) Non-Traditional

2.1. Artefact Injection. The basic ideas behind this technique are: first, we want to increase the false positive rate. Most examiners depend on forensic software. Injecting fake artefacts will make the examination longer (noise is higher than signal). Second, artefacts are easily created. We are able to create and implant artefacts easily. In memory forensics, there is a tool called ADD³. This tool injects a new process into memory using a known signature (example: a malware process). No one has yet proposed this kind of technique for swap anti-forensics. This paper proposes the injection of fake artefacts into swap files. We inject the swap file using two techniques: inject live swap file and fake swap file. In the inject live swap technique, we perform some fake user activities and then force them into the swap file. In the fake swap file technique, we create a new swap file and then fill it with fake artefacts. Later, we use this modified swap file as the legitimate swap file.

2.2. Attacking Forensic Tool. For this technique, we will give an example of how to defeat a tool called Page brute. Page brute is signature-based software to extract artefacts from the swap file. Page brute scans block by block (4096 bytes). If a block is NULL then Page brute skips it. If not NULL, then the patterns inside the block are matched with a rule set created with YARA. YARA is a tool to create rule sets based on signatures. To defeat Page brute, the technique called One-Byte Abort Factor [9] is implemented. The basic idea of the One-Byte Abort Factor is that we must know the signature used by Page brute, then we modify 1 byte of our artefacts to escape automatic detection.
Advantages: Increases the examiner's time to perform analysis. Casts doubt on the result.
Disadvantages: Only works for a specific forensic tool.
Vulnerability: None.
Complexity: We must understand the inner workings of the tool.

D. Related Works

Swap file compression [2] is a technique to analyse RAM (memory) and the swap file on Mac and Linux OS. Swap file compression makes swap file forensics more difficult to do. Swap file encryption is encryption of the swap file; [8] compares the performance of Windows-based encryption tools. Some attempts have been made to convert the swap file to virtual memory (integrating memory and swap files), but still only on Windows OS, using the Volatility [10] and Rekall [11] frameworks. Page brute⁴ is a crude swap file extractor. Some anti-forensics techniques attacking specific tools are documented by [12]. And there is the ADD⁵ memory anti-forensics tool to confuse the examiner.

³ https://code.google.com/archive/p/attention-deficit-disorder/
⁴ https://github.com/matonis/page_brute
⁵ https://code.google.com/p/attention-deficit-disorder/


III. METHODOLOGY

A. Inject Live Swap File

1) Basic Idea: The most common technique to force the OS to swap is by flooding memory with a special program [8], [10]. First we prepare fake artefacts. A fake artefact is something under our control that we want to inject into the swap file. An example of a fake artefact is an active Firefox browser process. Second, we create a special program to force the OS to swap. We call this program swapforcer⁶. It creates a new big dummy process using malloc() or calloc(). Third, we run swapforcer 2 or more times to force swapping.

2) Step by Step Procedure:

a) Disable all swap files:
    cat /proc/swaps
    sudo swapoff /path_to_swapfile

b) Create the swap file:
    dd if=/dev/zero of=/swapfile1 bs=1024 count=524288
    sudo mkswap /swapfile
    chown root:root /swapfile
    chmod 0600 /swapfile
    sudo swapon /swapfile

c) Create the fake artefact. Our artefact is a small and simple process filled with the pattern 0xdeadbeef.

d) Run 2 or more instances of the special program swapforcer, big enough to force swapping. The sum of the sizes of the swapforcer instances must be greater than the physical size of memory.

B. Fake Swap File

1) Basic Idea: The basic idea of the fake swap file is that we create a fake swap file that is never used by the OS. This fake swap file is filled with fake artefacts to confuse the examiner. The main difficulty in creating a fake swap file is that the fake swap must closely resemble a real swap file. We use the structureless characteristic of the swap file to our advantage. Two important characteristics of the swap file are its signature and its block size. Once we are able to manipulate these characteristics, we can make a good fake swap file.

2) Step by Step Procedure:

a) Create a blank file. Create a new file of a certain fixed size, initialized entirely with 0x0. We use dd to achieve this goal. Example: a 512 MiB swap file written in 1 KiB chunks:
    dd if=/dev/zero of=/swapfile1 bs=1024 count=524288

b) Fill the file with the minimum swap file signature. The minimum signature for a swap file is the magic code SWAPSPACE2 at offset 0xFF6 and some data structure around offset 0x400⁷ (see figures 1, 2, 3):
    Offset 0x400: swap version = 1 (0100 0000)
    Offset 0x404: number of pages = (bs * count / 4096) - 1
    Offset 0x40C: UUID
    Offset 0xFF6: magic SWAPSPACE2

    # version=1, number of pages = 0xff6 (-n: no trailing newline byte)
    echo -ne "\x01\x00\x00\x00\xff\x00\x00\x00\x00\x00\x00\x00" | dd of=./zero bs=1 seek=1024 conv=notrunc
    # Swap UUID at offset 0x40C (1036)
    echo -ne "\x7b\xa6\x74\x4c\x6f\xef\x41\x3e\x93\xd4\x31\x54\xa8\x4d\xee\x45" | dd of=./zero bs=1 seek=1036 conv=notrunc
    # SWAPSPACE2 at offset 0xff6 (4086)
    echo -n SWAPSPACE2 | dd of=/swapfile bs=1 seek=4086 conv=notrunc

c) Fill the swap file with fake artefacts. Fake artefacts can be anything (malware, HTTP protocol data, commands, random data from /dev/random, etc.). The important point when creating a fake artefact is its alignment and data format (endianness).
    cat malware | dd of=/swapfile bs=1 seek="offset" conv=notrunc

Fig. 1. Version, page number and UUID of a legitimate swap file.
Fig. 2. UUID at offset 0x40C. This UUID is generated by the program called mkswap.
Fig. 3. SWAPSPACE2 signature at offset 0xFF6.
Fig. 4. Examination of the swap file using xxd. Target is the process with pattern 0xdeadbeef.

⁶ https://www1.cs.fau.de/virma
⁷ https://github.com/file/file/blob/master/magic/Magdir/linux
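As an added example (not code from the paper), the following Python reads the header fields listed at offsets 0x400, 0x404, 0x40C and 0xFF6, cross-checks them against the file size the way an examiner would when judging whether a file came from mkswap or was built by hand (the echo sequence above writes a page count of 0xff whatever the file size), and walks the image block by block as Page brute does, skipping NULL pages and matching 0xdeadbeef in both byte orders since on disk it appears as "efbe adde". The swap image is constructed in memory; build_swap_image, header_findings and scan_pages are names chosen here.

```python
import os
import struct

PAGE = 4096                 # swap pages are 4 KiB on x86_64
HDR_OFF = 0x400             # version, last_page, nr_badpages, uuid start here
MAGIC_OFF = PAGE - 10       # 0xFF6: the SWAPSPACE2 magic closes page 0
MAGIC = b"SWAPSPACE2"
HDR_FMT = "<III16s"         # three little-endian u32 followed by a 16-byte UUID


def build_swap_image(n_pages, last_page=None, uuid=None, artefact=b"", at_page=1):
    """Constructed in-memory swap image (test data, not a real acquisition).
    With the defaults the header mirrors what mkswap writes: version 1,
    last_page = n_pages - 1, nr_badpages 0, a random 16-byte UUID and the
    magic at the end of page 0.  An explicit last_page or an all-zero UUID
    imitates a header written by hand with dd/echo."""
    img = bytearray(n_pages * PAGE)
    lp = n_pages - 1 if last_page is None else last_page
    uuid = os.urandom(16) if uuid is None else uuid
    struct.pack_into(HDR_FMT, img, HDR_OFF, 1, lp, 0, uuid)
    img[MAGIC_OFF:MAGIC_OFF + len(MAGIC)] = MAGIC
    if artefact:                                   # drop the artefact into one page
        img[at_page * PAGE:at_page * PAGE + len(artefact)] = artefact
    return bytes(img)


def parse_header(img):
    """Read the fields the paper lists at 0x400, 0x404, 0x40C and 0xFF6."""
    version, last_page, nr_bad, uuid = struct.unpack_from(HDR_FMT, img, HDR_OFF)
    return {"version": version, "last_page": last_page, "nr_badpages": nr_bad,
            "uuid": uuid, "magic_ok": img[MAGIC_OFF:MAGIC_OFF + len(MAGIC)] == MAGIC}


def header_findings(img):
    """Cross-check the header against the file.  mkswap derives last_page from
    the file size and always writes a random UUID, so every mismatch returned
    here is something a genuine swap file would not show."""
    h = parse_header(img)
    findings = []
    if not h["magic_ok"]:
        findings.append("no SWAPSPACE2 magic at 0xFF6")
    if h["version"] != 1:
        findings.append("swap version is %d, expected 1" % h["version"])
    expected = len(img) // PAGE - 1
    if h["last_page"] != expected:
        findings.append("last_page %d disagrees with size-derived %d"
                        % (h["last_page"], expected))
    if h["uuid"] == bytes(16):
        findings.append("all-zero UUID")
    return findings


def scan_pages(img, value):
    """Page brute style walk: 4 KiB blocks, all-NULL blocks skipped, and a 32-bit
    value searched in both byte orders, because 0xdeadbeef written by an x86_64
    process lands on disk as ef be ad de (xxd prints it as "efbe adde")."""
    needles = {"little": struct.pack("<I", value), "big": struct.pack(">I", value)}
    hits = []                                      # (page index, offset in page, order)
    for page in range(len(img) // PAGE):
        block = img[page * PAGE:(page + 1) * PAGE]
        if not any(block):                         # NULL page: nothing to match
            continue
        for order, needle in needles.items():
            i = block.find(needle)
            while i != -1:
                hits.append((page, i, order))
                i = block.find(needle, i + 1)
    return hits


if __name__ == "__main__":
    genuine = build_swap_image(8, artefact=struct.pack("<I", 0xDEADBEEF) * 4, at_page=3)
    forged = build_swap_image(8, last_page=0xFF, uuid=bytes(16))
    print("genuine:", header_findings(genuine) or "header consistent with file size")
    print("forged: ", header_findings(forged))
    print("hits:   ", scan_pages(genuine, 0xDEADBEEF))
```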
C. Evaluation

To evaluate our techniques, we use the following criteria:

1) Artefact finding. We use the following tools: xxd, grep, Page brute and Rekall to find the specific pattern. If our fake pattern is found alongside legitimate artefacts, then we count our technique as a success.

2) Live acquisition. We use FTK to get the swap file image. If the tool is able to acquire the image, then our technique is a failure.

3) Platform: Linux 17 Rosa and AMD x86_64.

IV. RESULT AND DISCUSSION

A. Inject Swap File

In our experiment we use a single target filled with many fake artefacts. This approach has the drawback that fake artefacts tend to cluster in one area. Ideally we should use multiple targets. If we use multiple targets, then we expect that fake artefacts will be scattered around the swap file.

We successfully swapped the process from memory to the swap file. Our target is the process with the pattern 0xdeadbeef. After running swapforcer, we use FTK to get the swap image, then examine the swap file using xxd, Page brute and Rekall. Notice that the pattern had become "efbe adde" because of endianness (see figure 4).

We found a data leak in this technique. Most processes (legitimate or fake) are also swapped by the OS. To minimize the data leak, we must perform flooding/injection before we do any activities.

B. Fake Swap File

We successfully implemented the fake swap file. We validated this by mounting our fake swap file and then examining its content. Making a fake swap file is relatively easy to do and there is no data leak. A possible source of data leak is the UUID or mistakenly filling the swap with fake artefacts. To make the fake swap believable, we also add an entry in our /fstab pointing to our fake swap.

C. Discussion, Limitation and Evaluation

From the literature review, we found that most anti-forensics techniques suffer from the live acquisition technique attack (except the data prevention technique). In the data prevention technique, the OS does not create a swap file at all. This technique is the safest and easiest as anti-forensics.

An important point for our techniques is that they are performed after start-up (before the user does his/her usual activity). By flooding or faking the swap file, we create a new swap file filled with fake (and misleading) artefacts. When the user begins his/her activities, the system will use our fake swap file. As user activities increase, legitimate artefacts will fill the swap file along with the fake ones. If the examiner is able to get the swap file image, legitimate and fake artefacts will be in the acquired image. This increases the signal to noise ratio and increases the examiner's efforts.

The first limitation of this approach is when the user uses up the whole swap file. Fake artefacts will be

overwritten by new incoming swap data. Then, all artefacts in the swap file are legitimate artefacts.

Our two approaches do not solve the problem of live acquisition. Our approach will increase the time the examiner needs to handle the case, which is still a goal of anti-forensics.

The evaluation of our techniques is as follows:
Advantages: Fake artefacts or a fake swap file are eventually recognizable by experts, but they will increase the examiner's time to perform analysis. Casts doubt on results.
Disadvantages: Difficulty in creating believable fake artefacts. We are still developing a technique to make fake artefacts believable.
Vulnerability: Possibility of data leak. If we are not careful when creating fake artefacts, a data leak will occur. Still vulnerable to live acquisition. Like many anti-forensics techniques, our proposed techniques still cannot defeat live acquisition.
Complexity: The user creates their own program and script and prepares fake artefacts.

V. CONCLUSION

We made a list of anti-forensics techniques for the swap file, with their advantages and disadvantages, vulnerability, data leak and complexity. We found that most anti-forensics techniques are still vulnerable to live acquisition. We successfully implemented 2 simple anti-forensics techniques. Inject live swap file is created by injecting (flooding) fake data into the live swap file using a custom script. Fake swap is created by manipulating the swap file header, then filling the swap file with fake artefacts of our choosing. Our method is still very simple and needs further improvement.

REFERENCES

[1] W. Stallings, Operating Systems: Internals and Design Principles (7th Edition). Prentice Hall, 2011, vol. 68.
[2] G. G. Richard and A. Case, "In lieu of swap: Analyzing compressed RAM in Mac OS X and Linux," Digital Investigation, vol. 11, pp. S3–S12, 2014. [Online]. Available: http://dx.doi.org/10.1016/j.diin.2014.05.011
[3] S. L. Garfinkel, "Digital media triage with bulk data analysis and bulk-extractor," Computers and Security, vol. 32, pp. 56–72, 2013. [Online]. Available: http://dx.doi.org/10.1016/j.cose.2012.09.011
[4] K. Dahbur and B. Mohammad, "The anti-forensics challenge," Proceedings of the 2011 International Conference on Intelligent Semantic Web-Services and Applications - ISWSA '11, pp. 1–7, 2011. [Online]. Available: http://dl.acm.org/citation.cfm?id=1980822.1980836
[5] S. L. Garfinkel, "Anti-Forensic Techniques," 2015. [Online]. Available: http://www.forensicswiki.org/wiki/Anti-forensic_techniques
[6] T. Müller, F. C. Freiling, and A. Dewald, "TRESOR runs encryption securely outside RAM," Proceedings of the 20th USENIX Conference on Security (SEC'11), p. 17, 2011. [Online]. Available: http://dl.acm.org/citation.cfm?id=2028067.2028084
[7] P. A. H. Peterson, "Cryptkeeper: Improving security with encrypted RAM," in 2010 IEEE International Conference on Technologies for Homeland Security, HST 2010, 2010, pp. 120–126.
[8] B. Albelooshi, K. Salah, T. Marin, and A. Bentiba, "Assessing Overhead Cost Associated with Encrypting Swap File," in IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, 2012.
[9] T. Haruyama and H. Suzuki, "One-byte modification for breaking memory forensic analysis," Black Hat Europe, 2012.
[10] M. Gruhn, "Windows NT pagefile.sys virtual memory analysis," in IT Security Incident Management & IT Forensics (IMF), 2015 Ninth International Conference on. IEEE, 2015, pp. 3–18.
[11] M. Cohen, "Windows Virtual Address Translation and the Pagefile," 2014. [Online]. Available: http://www.rekall-forensic.com/posts/2014-10-25-pagefile.html
[12] J. Stüttgen and M. Cohen, "Anti-forensic resilient memory acquisition," Digital Investigation, vol. 10, no. SUPPL., pp. S105–S115, 2013. [Online]. Available: http://dx.doi.org/10.1016/j.diin.2013.06.012
