Windows Operating Systems Agnostic Memory Analysis

Document Type

Article

Publication Date

8-2010

Abstract

Memory analysis is an integral part of any computer forensic investigation, providing access to volatile data not found on a drive image. While memory analysis has recently made significant progress, it is still hampered by hard-coded tools that cannot generalize beyond the specific operating system and version they were developed for. This paper proposes using the debug structures embedded in memory dumps and Microsoft’s program database (PDB) files to create a flexible tool that takes an arbitrary memory dump from any of the family of Windows NT operating systems and extract process, configuration, and network activity information. The debug structures and PDB files are incorporated into a memory analysis tool and tested against dumps from 32-bit Windows XP with physical address extensions (PAE) enabled and disabled, 32-bit Windows Vista with PAE enabled, and 64-bit Windows 7 systems. The results show the analysis tool is able to identify and parse an arbitrary memory dump and extract process, registry, and network communication information.

Comments

The "Link to Full Text" on this page loads the full text of the open access article hosted at the publisher website. A PDF is available on that page.

This is an Open Access article distributed under the terms of the Creative Commons Attribution-NonCommercial-NoDerivatives License, which permits non-commercial re-use, distribution, and reproduction in any medium, provided the original work is properly cited, and is not altered, transformed, or built upon in any way. CC BY-NC-ND 4.0

Copyright statement on article: © 2010 Digital Forensic Research Workshop. Published by Elsevier Ltd. All rights reserved.

DOI

10.1016/j.diin.2010.05.007

Source Publication

Digital Investigation

Link to Full Text

Share

COinS