Investigating the PROCESS block for memory analysis

Authors:
Khairul Akram Zainol Ariffin;Ahmad Kamil Mahmood;Jafreezal Jaafar
Affiliations:
Computer Information Science, Universiti Teknologi Petronas, Perak, Malaysia;Computer Information Science, Universiti Teknologi Petronas, Perak, Malaysia;Computer Information Science, Universiti Teknologi Petronas, Perak, Malaysia
Venue:
ACS'11 Proceedings of the 11th WSEAS international conference on Applied computer science
Year:
2011

Citing 12
Cited 0

Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server(TM) 2003, Windows XP, and Windows 2000 (Pro-Developer)

Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server(TM) 2003, Windows XP, and Windows 2000 (Pro-Developer)
Data lifetime is a systems problem

Proceedings of the 11th workshop on ACM SIGOPS European workshop
A proposal for an integrated memory acquisition mechanism

ACM SIGOPS Operating Systems Review
Operating Systems

Operating Systems
Windows Memory Analysis Based on KPCR

IAS '09 Proceedings of the 2009 Fifth International Conference on Information Assurance and Security - Volume 02
Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition

Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition
Using every part of the buffalo in Windows memory analysis

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Forensic memory analysis: Files mapped in memory

Digital Investigation: The International Journal of Digital Forensics & Incident Response
The VAD tree: A process-eye view of physical memory

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Extraction of forensically sensitive information from windows physical memory

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Searching for processes and threads in Microsoft Windows memory dumps

Digital Investigation: The International Journal of Digital Forensics & Incident Response
A hardware-based memory acquisition procedure for digital investigations

Digital Investigation: The International Journal of Digital Forensics & Incident Response

Quantified Score

Hi-index	0.00

Visualization

Abstract

Over the past few years, memory analysis has been an issue that has been discussed in digital forensics. A number of tools have been released that focus on memory acquisition of Windows system. However, the implementation of memory analysis is still limited as it encounters a lot of difficulties. The aim of this paper is to outline one of the difficulties with regards to the structure of EPROCESS block. It will discuss about the differences in offset between Windows 2000 and Window XP. Further, the important of internal structures in EPROCESS block will be identified as they play an important role in the analysis and theory reconstruction for forensic investigation. Nevertheless, an address translation for x86 platforms will be demonstrated in this paper. Hence, the limitation of the address translation algorithm will also been discussed and identified.