Over the past few years, memory analysis has become a recurring topic in digital forensics. A number of tools have been released that focus on memory acquisition from Windows systems, but memory analysis itself remains limited because it runs into many difficulties. The aim of this paper is to outline one of those difficulties: the structure of the EPROCESS block, whose field offsets differ between Windows 2000 and Windows XP. It also identifies the internal structures within the EPROCESS block that matter most, since they play an important role in analysis and reconstruction for a forensic investigation. In addition, the paper demonstrates virtual-to-physical address translation for x86 platforms and identifies and discusses the limitations of that address translation algorithm.
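The two points the abstract names, the offset dependence of EPROCESS parsing and the limits of x86 address translation, can be shown together on a small constructed physical image. The following is an added example, not code from the paper; it implements the classic 32-bit non-PAE page walk (10-bit page-directory index, 10-bit page-table index, 12-bit offset), handles 4 MB large pages and Windows transition PTEs, and refuses to answer where the physical image alone cannot (unmapped, paged-out or prototype PTEs), which is where the algorithm's limitation lies. The image layout, the process name and the virtual addresses are constructed for the demo; the EPROCESS offsets in the profile table are the ones I know from the public XP SP2 and Windows 2000 symbol files and should be treated as assumptions to verify against the target build's symbols.

```python
"""Added example (not part of the paper): 32-bit non-PAE x86 address
translation over a constructed physical-memory image, plus a profile-driven
read of EPROCESS fields whose offsets differ between Windows 2000 and XP."""
import struct

PAGE_SIZE = 0x1000
# Hardware PTE/PDE bits, and the two Windows software-PTE bits that matter
# for non-present entries (Prototype = bit 10, Transition = bit 11).
PTE_VALID, PTE_LARGE, PTE_PROTO, PTE_TRANS = 1 << 0, 1 << 7, 1 << 10, 1 << 11


class TranslationError(Exception):
    """Raised where the physical image alone cannot resolve an address."""


def read32(image, pa):
    """Read a little-endian DWORD at physical address pa."""
    if pa < 0 or pa + 4 > len(image):
        raise TranslationError("physical address 0x%x is outside the image" % pa)
    return struct.unpack_from("<I", image, pa)[0]


def v2p(image, cr3, va):
    """Translate a 32-bit virtual address using the page directory at cr3."""
    pde = read32(image, (cr3 & 0xFFFFF000) + ((va >> 22) & 0x3FF) * 4)
    if not pde & PTE_VALID:
        raise TranslationError("PDE not present for 0x%08x" % va)
    if pde & PTE_LARGE:                       # 4 MB page: no page table level
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte = read32(image, (pde & 0xFFFFF000) + ((va >> 12) & 0x3FF) * 4)
    if pte & PTE_VALID:
        return (pte & 0xFFFFF000) | (va & 0xFFF)
    # Transition without Prototype: the frame is still in RAM, only removed
    # from the working set, so the frame number is still usable.
    if pte & PTE_TRANS and not pte & PTE_PROTO:
        return (pte & 0xFFFFF000) | (va & 0xFFF)
    if pte == 0:
        raise TranslationError("0x%08x is unmapped" % va)
    raise TranslationError("0x%08x is paged out or a prototype PTE; the "
                           "physical image alone cannot resolve it" % va)


def translate(image, cr3, va):
    """Scripting-friendly wrapper: (physical, None) or (None, reason)."""
    try:
        return v2p(image, cr3, va), None
    except TranslationError as err:
        return None, str(err)


# EPROCESS field offsets as I know them from the public XP SP2 and Windows
# 2000 symbol files (assumption; verify against the target build's PDB).
PROFILES = {
    "WinXP":   {"UniqueProcessId": 0x084, "ActiveProcessLinks": 0x088, "ImageFileName": 0x174},
    "Win2000": {"UniqueProcessId": 0x09C, "ActiveProcessLinks": 0x0A0, "ImageFileName": 0x1FC},
}


def read_eprocess(image, cr3, eproc_va, profile):
    """Read PID, ActiveProcessLinks.Flink and ImageFileName through the
    profile's offsets, translating each field address separately so a
    structure that straddles a page boundary is still read correctly."""
    off = PROFILES[profile]
    pid = read32(image, v2p(image, cr3, eproc_va + off["UniqueProcessId"]))
    flink = read32(image, v2p(image, cr3, eproc_va + off["ActiveProcessLinks"]))
    name_pa = v2p(image, cr3, eproc_va + off["ImageFileName"])
    name = image[name_pa:name_pa + 16].split(b"\0", 1)[0]
    return pid, flink, name.decode("ascii", "replace")


def build_image():
    """Constructed 8-page image (32 KB): page directory at 0x0000, a page
    table at 0x1000, and a fake EPROCESS laid out with XP offsets at
    physical 0x2000, mapped at virtual 0x80002000."""
    img = bytearray(8 * PAGE_SIZE)
    cr3 = 0x0000
    # PDE[0]: 4 MB large page identity-mapping physical 0x000000-0x3FFFFF.
    struct.pack_into("<I", img, cr3 + 0 * 4, 0x00000000 | PTE_VALID | PTE_LARGE)
    # PDE[0x200] covers 0x80000000-0x803FFFFF via the page table at 0x1000.
    struct.pack_into("<I", img, cr3 + 0x200 * 4, 0x1000 | PTE_VALID)
    pt = 0x1000
    struct.pack_into("<I", img, pt + 2 * 4, 0x2000 | PTE_VALID)   # 0x80002000 valid
    struct.pack_into("<I", img, pt + 3 * 4, 0x3000 | PTE_TRANS)   # 0x80003000 transition
    struct.pack_into("<I", img, pt + 4 * 4, 0x00005000)           # 0x80004000 pagefile PTE
    e = 0x2000                                                     # fake EPROCESS (XP layout)
    struct.pack_into("<I", img, e + 0x084, 680)                    # UniqueProcessId
    struct.pack_into("<I", img, e + 0x088, 0x80002000)             # Flink (self, single entry)
    img[e + 0x174:e + 0x174 + 9] = b"lsass.exe"                    # ImageFileName
    return bytes(img), cr3


IMAGE, CR3 = build_image()

if __name__ == "__main__":
    for va in (0x80002174, 0x00002174, 0x80003ABC, 0x80004000, 0x80005000, 0x00400000):
        print("0x%08x -> %s" % (va, translate(IMAGE, CR3, va)))
    for profile in PROFILES:
        print(profile, read_eprocess(IMAGE, CR3, 0x80002000, profile))
```

Reading the same EPROCESS with the Windows 2000 profile returns zeros and an empty name because the fields are fetched from the wrong offsets; on a real image the result is silently wrong rather than empty, which is why the profile must match the target build before any structure is interpreted. The three error branches in v2p are the point of the limitation: a PTE that is unmapped, paged out to the pagefile, or a prototype PTE cannot be resolved from the physical image alone, and PAE mode (three-level walk with 8-byte entries) needs a different walker entirely.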