All Windows memory analysis techniques depend on the examiner's ability to translate the virtual addresses used by programs and operating system components into the true locations of data in a memory image. In some memory images, up to 20% of all the virtual addresses in use point to so-called "invalid" pages that cannot be resolved by a naive address-translation method. This paper explains virtual address translation, enumerates the different states of invalid memory pages, and presents a more robust strategy for address translation. This new method incorporates invalid pages and even the paging file to greatly increase the completeness of the analysis. By using every available page, every part of the buffalo as it were, the examiner can better recreate the state of the machine as it existed at the time of imaging.
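The distinction the abstract draws between a naive walk and one that also recovers "invalid" pages can be illustrated with a 32-bit non-PAE Windows page-table walk. The following is an added example, not code from the paper: it decodes the valid, transition, pagefile-backed, demand-zero, prototype and unallocated PTE states and pulls data from a constructed sample image and pagefile (the 6-page image, the single pagefile and the function names are assumptions made for the example).

```python
import struct

PAGE = 0x1000

def classify_pte(pte):
    """Decode a 32-bit non-PAE Windows PTE into (state, location).
    Bit 0 = valid, bit 10 = prototype, bit 11 = transition; a software PTE
    keeps the pagefile number in bits 1-4 and the pagefile page offset in bits 12-31."""
    if pte & 1:
        return "valid", pte >> 12                  # hardware PTE: PFN of the page
    if pte == 0:
        return "unallocated", None                 # never committed
    if pte & (1 << 10):
        return "prototype", None                   # shared/mapped-file page; needs the prototype PTE
    if pte & (1 << 11):
        return "transition", pte >> 12             # "invalid" but the PFN still holds the data
    if (pte >> 12) == 0:
        return "demand_zero", None                 # never written yet -> reads as all zeroes
    return "pagefile", ((pte >> 1) & 0xF, pte >> 12)

def read_page(image, vaddr, dtb, pagefiles=None):
    """Return (state, page bytes or None) for the 4 KiB page holding vaddr."""
    pde = struct.unpack_from("<I", image, dtb + ((vaddr >> 22) & 0x3FF) * 4)[0]
    if not pde & 1:
        return "pagetable_invalid", None           # the page table itself is not resident
    pt = pde & 0xFFFFF000
    state, loc = classify_pte(struct.unpack_from("<I", image, pt + ((vaddr >> 12) & 0x3FF) * 4)[0])
    if state in ("valid", "transition"):           # a naive walker keeps only "valid"
        return state, bytes(image[loc * PAGE:(loc + 1) * PAGE])
    if state == "pagefile" and pagefiles and loc[0] in pagefiles:
        return state, bytes(pagefiles[loc[0]][loc[1] * PAGE:(loc[1] + 1) * PAGE])
    if state == "demand_zero":
        return state, bytes(PAGE)
    return state, None

def build_sample():
    """Constructed 6-page image and 2-page pagefile (sample data, not a real dump)."""
    image, dtb, pt = bytearray(6 * PAGE), 1 * PAGE, 2 * PAGE
    struct.pack_into("<I", image, dtb, pt | 0x3)                   # PDE 0 -> page table in PFN 2
    struct.pack_into("<I", image, pt + 4, (3 * PAGE) | 0x3)        # VA 0x1000: valid, PFN 3
    struct.pack_into("<I", image, pt + 8, (4 * PAGE) | (1 << 11))  # VA 0x2000: transition, PFN 4
    struct.pack_into("<I", image, pt + 12, (1 << 12) | (4 << 5))   # VA 0x3000: pagefile 0, page 1
    struct.pack_into("<I", image, pt + 16, 4 << 5)                 # VA 0x4000: demand zero
    image[3 * PAGE:3 * PAGE + 5] = b"VALID"
    image[4 * PAGE:4 * PAGE + 5] = b"TRANS"
    pagefile = bytearray(2 * PAGE)
    pagefile[PAGE:PAGE + 5] = b"PAGED"
    return image, {0: pagefile}, dtb
```

Without the pagefile argument the walker still reports the pagefile-backed page's state, so an examiner can count how much of the address space a naive translation would silently lose.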