Undocumented Windows NT
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Searching for processes and threads in Microsoft Windows memory dumps
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Automated Windows Memory File Extraction for Cyber Forensics Investigation
Journal of Digital Forensic Practice
Forenscope: a framework for live forensics
Proceedings of the 26th Annual Computer Security Applications Conference
Investigating the PROCESS block for memory analysis
ACS'11 Proceedings of the 11th WSEAS international conference on Applied computer science
Forensic analysis of the Windows registry in memory
Digital Investigation: The International Journal of Digital Forensics & Incident Response
FACE: Automated digital evidence discovery and correlation
Digital Investigation: The International Journal of Digital Forensics & Incident Response
A survey of main memory acquisition and analysis techniques for the windows operating system
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Treasure and tragedy in kmem_cache mining for live forensics investigation
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Proceedings of the Twelfth ACM Workshop on Hot Topics in Networks
Hi-index | 0.00 |
This paper describes the use of the Virtual Address Descriptor (VAD) tree structure in Windows memory dumps to help guide forensic analysis of Windows memory. We describe how to locate and parse the structure, and show its value in breaking up physical memory into more manageable and semantically meaningful units than can be obtained by simply walking the page directory for the process. Several tools to display information about the VAD tree and dump the memory regions it describes will also be presented.