Swap file may contain sensitive data

Yes, swap files can contain sensitive data.

On Windows you can configure the page file (swap file) to be cleared at shutdown this way:

  1. Start regedit32.exe
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  3. Set the data value of ClearPageFileAtShutdown to 1
  4. If the value does not exist, create it with the type REG_DWORD and set it to 1
  5. Restart

I don't know for sure if this is a secure deletion of the swap data, but from the fact that it adds minutes to the shutdown process and from the text on the Microsoft page about ClearPageFileAtShutdown:

"Some third-party programs can temporarily store unencrypted (plain-text) passwords or other sensitive information in memory. Although clearing the paging file is not a suitable substitute for physical security of a computer, you might want to do this to increase the security of data on a computer while Windows is not running."

I would think the data is securely wiped.

On Linux you can manually wipe the swap partition:

  1. Display swap details: swapon -s
  2. Unmount the swap partition: swapoff -a
  3. Overwrite it with zeros: dd if=/dev/zero of=/dev/sdaX bs=1024
  4. Get the UUID of your old swap partition from /etc/fstab
  5. Create a new swap partition with that UUID: mkswap -U <old_uuid> /dev/sdaX
  6. Mount it for usage: swapon -a

Better wiping tools are provided by the Secure-Delete package which comes with the following commands:

  • srm (Secure remove) – used for deleting files or directories currently on your hard disk.
  • smem (Secure memory wiper) – used to wipe traces of data from your computer’s memory (RAM).
  • sfill (Secure free space wiper) – used to wipe all traces of data from the free space on your disk.
  • sswap (Secure swap wiper) – used to wipe all traces of data from your swap partition.

Sswap is designed to delete data which may lie still on your swapspace in a secure manner which can not be recovered by thieves, law enforcement or other threats. The wipe algorithm is based on the paper “Secure Deletion of Data from Magnetic and Solid-State Memory” presented at the 6th Usenix Security Symposium by Peter Gutmann, one of the leading civilian cryptographers.


Is it possible that the swap file will contain chunks of data by a file you have accessed, and could this be detected during a forensics analysis?

Yes, it is. Moreover, you may be able to read some passwords, encryption keys and other sensitive/private data.

How could you prevent this situation?

You can disallow memory swapping for a particular range of a process's virtual address space by using some OS-specific calls:

  • Unix-based OS
    • mlock()
  • Windows
    • VirtualLock()

Other modern operating systems will provide similar functionality. However, data is not generally removed from physical memory (such as RAM) when you shut down your PC, and it still could be retrieved using a cold-boot attack.


Using Linux, you could ensure that sensitive tools like PGP won't be swapped, by using protected memory.

But you have to configure your pre-hibernation script to kill all such sensitive tools and unmount all encrypted filesystems!
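The two answers above both point at the same mechanism: pin the pages that hold a secret with mlock() so the kernel never writes them to swap, and zero them before they are unlocked or freed. The following is an added example, not code from any answer on this page, showing one way to do that on Linux/glibc with mmap, mlock, a wipe the optimiser cannot remove, and munlock. It assumes the default RLIMIT_MEMLOCK is large enough for one page; the "passphrase" is a constructed placeholder and the helper names are my own. The Windows counterpart named above, VirtualLock(), follows the same pattern but is not shown.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Zero a buffer in a way the optimiser must not elide: the volatile stores
 * are observable side effects, unlike a plain memset right before free(). */
void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* 1 if every byte of buf is zero, else 0. */
int all_zero(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Map len bytes of anonymous memory and pin them with mlock so they cannot be
 * paged out to swap. Returns NULL with errno set on failure: ENOMEM means
 * RLIMIT_MEMLOCK is too low, EPERM means the process lacks CAP_IPC_LOCK. */
void *secret_alloc(size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        return NULL;
    }
    if (mlock(p, len) != 0) {
        int saved = errno;
        munmap(p, len);
        errno = saved;
        return NULL;
    }
#ifdef MADV_DONTDUMP
    /* Not about swap, but the same leak class: keep the pages out of core dumps (Linux). */
    madvise(p, len, MADV_DONTDUMP);
#endif
    return p;
}

/* Wipe first, then unlock: once munlock runs the pages are swappable again,
 * so by then they must hold nothing worth reading. */
void secret_free(void *p, size_t len) {
    secure_wipe(p, len);
    munlock(p, len);
    munmap(p, len);
}

/* Self-check of the wipe on a stack buffer: 1 if a non-zero pattern was
 * present before and every byte is zero after. */
int wipe_self_test(void) {
    unsigned char tmp[32];
    memset(tmp, 0xAB, sizeof tmp);
    int before = all_zero(tmp, sizeof tmp);
    secure_wipe(tmp, sizeof tmp);
    return before == 0 && all_zero(tmp, sizeof tmp);
}

/* Full cycle on a constructed secret. Returns 1 on success, 0 if the kernel
 * refused to lock memory (errno says why), -1 if the data round trip failed. */
int secret_roundtrip(void) {
    const char secret[] = "constructed-example-passphrase";  /* placeholder, not a real credential */
    size_t len = 4096;                                        /* one page on most systems */
    unsigned char *buf = secret_alloc(len);
    if (buf == NULL) {
        return 0;
    }
    memcpy(buf, secret, sizeof secret);
    int ok = memcmp(buf, secret, sizeof secret) == 0;        /* secret is usable while locked */
    secure_wipe(buf, len);
    ok = ok && all_zero(buf, len);                           /* nothing left before unlock */
    secret_free(buf, len);
    return ok ? 1 : -1;
}

int main(void) {
    int r = secret_roundtrip();
    if (r == 1) {
        puts("secret was pinned in RAM, used, and wiped before release");
    } else if (r == 0) {
        printf("mlock refused: %s (raise the limit with ulimit -l)\n", strerror(errno));
    } else {
        puts("round trip failed");
    }
    return r == 1 ? 0 : 1;
}
```

Two caveats the answers above imply but do not spell out: mlock only covers the pages you lock, so a secret copied into an unlocked buffer (a string library, a log line, a child process after fork) can still reach swap, and locked pages are still in RAM at shutdown, which is why the cold-boot remark stands.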

Tags:

Data Leakage