View Swap File Contents

Question

Level 1

5 points

View Swap File Contents

How can I view the contents of a swap file (e.g. swapfile0)? I know I can use the grep to serach for strings, but I would like to copy, then open the entire swapfile for analysis; anyone tried/know how?
I am doing research for live forensic response, and would like to document what info I can pull off a running mac.

MacBookPro, Mac OS X (10.4.10)

Posted on Aug 5, 2007 12:17 PM

Reply

Answer 1

Niel

Level 10

741,857 points

Aug 5, 2007 7:31 PM in response to Curly15

Drag the swapfile to the desktop, and provide your administrator password when prompted; they can be accessed by choosing Go to Folder from the Finder's Go menu and entering /private/var/vm/ as the folder's path.

(23457)

Reply

Answer 2

Curly15 Author

Level 1

5 points

Aug 6, 2007 10:41 AM in response to Niel

Niel,
Thanks for the response.
I am able to easily copy and move the file via finder or the terminal window, but how can I view the contents?
When I try viewing with textedit all I see is "????????????????????????" on every line. I can still use 'grep' on the file to search for strings, but I would like to peruse the file for content or strings that cannot be easily predefined.
Any additional thoughts?

Reply

Answer 3

Zerwas

Level 4

1,154 points

Aug 6, 2007 12:22 PM in response to Curly15

You can use the command strings. With the syntax "sudo strings swapfile0 > ~/Desktop/file.txt" you can create an outputfile with the content of these swapfile.

Reply

Answer 4

Curly15 Author

Level 1

5 points

Aug 6, 2007 3:02 PM in response to Zerwas

Thank you very much. That was exactly what I was after.
Problem solved.

Cheers.

Reply