Konferenzbeitrag
Pool Allocations as an Information Source in Windows Memory Forensics
Lade...
Volltext URI
Dokumententyp
Text/Conference Paper
Dateien
Zusatzinformation
Datum
2006
Autor:innen
Zeitschriftentitel
ISSN der Zeitschrift
Bandtitel
Verlag
Gesellschaft für Informatik e. V.
Zusammenfassung
The Microsoft Windows kernel provides a heap-like memory management, called "pools". Whenever some kernel-mode code requires an amount of memory, it is allocated from a pool. Ignoring the documented interface and searching the whole dump of physical memory for signatures of pool allocations allows the forensic examiner to gain information not only from currently active but also from freed and not yet overwritten allocations. Understanding the inner mechanics of memory pools enables an examiner to connect certain finds in memory to the originating piece of code. As an example this articles describes the steps necessary to detect traces of network activity in a memory dump.