Pool Allocations as an Information Source in Windows Memory Forensics

dc.contributor.author: Schuster, Andreas
dc.contributor.editor: Göbel, Oliver
dc.contributor.editor: Schadt, Dirk
dc.contributor.editor: Frings, Sandra
dc.contributor.editor: Hase, Hardo
dc.contributor.editor: Günther, Detlef
dc.contributor.editor: Nedon, Jens
dc.date.accessioned: 2019-06-04T08:24:21Z
dc.date.available: 2019-06-04T08:24:21Z
dc.date.issued: 2006
dc.description.abstract [en]: The Microsoft Windows kernel provides a heap-like memory management called "pools". Whenever some kernel-mode code requires an amount of memory, it is allocated from a pool. Ignoring the documented interface and searching the whole dump of physical memory for signatures of pool allocations allows the forensic examiner to gain information not only from currently active but also from freed and not yet overwritten allocations. Understanding the inner mechanics of memory pools enables an examiner to connect certain finds in memory to the originating piece of code. As an example, this article describes the steps necessary to detect traces of network activity in a memory dump.
dc.identifier.isbn: 978-3-88579-191-1
dc.identifier.pissn: 1617-5468
dc.identifier.uri: https://dl.gi.de/handle/20.500.12116/23465
dc.language.iso: en
dc.publisher: Gesellschaft für Informatik e. V.
dc.relation.ispartof: IT-Incident Management & IT-Forensics - IMF 2006
dc.relation.ispartofseries: Lecture Notes in Informatics (LNI) - Proceedings, Volume P-97
dc.title [en]: Pool Allocations as an Information Source in Windows Memory Forensics
dc.type: Text/Conference Paper
gi.citation.endPage: 115
gi.citation.publisherPlace: Bonn
gi.citation.startPage: 104
gi.conference.date: October, 18th - 19th, 2006
gi.conference.location: Stuttgart
gi.conference.sessiontitle: Regular Research Papers

Files

Original bundle
1 - 1 of 1
Name: 104.pdf
Size: 169.51 KB
Format: Adobe Portable Document Format