Pool Allocations as an Information Source in Windows Memory Forensics
| Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | Schuster, Andreas | |
| dc.contributor.editor | Göbel, Oliver | |
| dc.contributor.editor | Schadt, Dirk | |
| dc.contributor.editor | Frings, Sandra | |
| dc.contributor.editor | Hase, Hardo | |
| dc.contributor.editor | Günther, Detlef | |
| dc.contributor.editor | Nedon, Jens | |
| dc.date.accessioned | 2019-06-04T08:24:21Z | |
| dc.date.available | 2019-06-04T08:24:21Z | |
| dc.date.issued | 2006 | |
| dc.description.abstract | The Microsoft Windows kernel provides a heap-like memory management facility called "pools". Whenever some kernel-mode code requires an amount of memory, it is allocated from a pool. Ignoring the documented interface and searching the whole dump of physical memory for signatures of pool allocations allows the forensic examiner to gain information not only from currently active allocations but also from freed and not yet overwritten ones. Understanding the inner mechanics of memory pools enables an examiner to connect certain finds in memory to the originating piece of code. As an example, this article describes the steps necessary to detect traces of network activity in a memory dump. | en |
| dc.identifier.isbn | 978-3-88579-191-1 | |
| dc.identifier.pissn | 1617-5468 | |
| dc.identifier.uri | https://dl.gi.de/handle/20.500.12116/23465 | |
| dc.language.iso | en | |
| dc.publisher | Gesellschaft für Informatik e. V. | |
| dc.relation.ispartof | IT-Incident Management & IT-Forensics - IMF 2006 | |
| dc.relation.ispartofseries | Lecture Notes in Informatics (LNI) - Proceedings, Volume P-97 | |
| dc.title | Pool Allocations as an Information Source in Windows Memory Forensics | en |
| dc.type | Text/Conference Paper | |
| gi.citation.endPage | 115 | |
| gi.citation.publisherPlace | Bonn | |
| gi.citation.startPage | 104 | |
| gi.conference.date | October, 18th - 19th, 2006 | |
| gi.conference.location | Stuttgart | |
| gi.conference.sessiontitle | Regular Research Papers | |