Using every part of the buffalo in Windows memory analysis

Authors:
Jesse D. Kornblum
Affiliations:
Principal Computer Forensics Engineer, ManTech SMA, 6700 Alexander Bell Dr Suite 400, Columbia, MD 21046, United States
Venue:
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Year:
2007

Citing 3
Cited 11

Windows 2000 registry

Windows 2000 registry
FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Searching for processes and threads in Microsoft Windows memory dumps

Digital Investigation: The International Journal of Digital Forensics & Incident Response

A proposal for an integrated memory acquisition mechanism

ACM SIGOPS Operating Systems Review
Automated Windows Memory File Extraction for Cyber Forensics Investigation

Journal of Digital Forensic Practice
External monitoring of endpoint configuration compliance

Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies
Attribution of malicious behavior

ICISS'10 Proceedings of the 6th international conference on Information systems security
Investigating the PROCESS block for memory analysis

ACS'11 Proceedings of the 11th WSEAS international conference on Applied computer science
Forensic memory analysis: Files mapped in memory

Digital Investigation: The International Journal of Digital Forensics & Incident Response
A survey of main memory acquisition and analysis techniques for the windows operating system

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Dynamic recreation of kernel data structures for live forensics

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Locating ×86 paging structures in memory images

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Blacksheep: detecting compromised hosts in homogeneous crowds

Proceedings of the 2012 ACM conference on Computer and communications security
A partially reconstructed previous Gmail session by live digital evidences investigation through volatile data acquisition

Security and Communication Networks

Quantified Score

Hi-index	0.00

Visualization

Abstract

All Windows memory analysis techniques depend on the examiner's ability to translate the virtual addresses used by programs and operating system components into the true locations of data in a memory image. In some memory images up to 20% of all the virtual addresses in use point to so called ''invalid'' pages that cannot be found using a naive method for address translation. This paper explains virtual address translation, enumerates the different states of invalid memory pages, and presents a more robust strategy for address translation. This new method incorporates invalid pages and even the paging file to greatly increase the completeness of the analysis. By using every available page, every part of the buffalo as it were, the examiner can better recreate the state of the machine as it existed at the time of imaging.