Schuster, AndreasGöbel, OliverSchadt, DirkFrings, SandraHase, HardoGünther, DetlefNedon, Jens2019-06-042019-06-042006978-3-88579-191-1https://dl.gi.de/handle/20.500.12116/23465The Microsoft Windows kernel provides a heap-like memory management, called "pools". Whenever some kernel-mode code requires an amount of memory, it is allocated from a pool. Ignoring the documented interface and searching the whole dump of physical memory for signatures of pool allocations allows the forensic examiner to gain information not only from currently active but also from freed and not yet overwritten allocations. Understanding the inner mechanics of memory pools enables an examiner to connect certain finds in memory to the originating piece of code. As an example this articles describes the steps necessary to detect traces of network activity in a memory dump.enText/Conference Paper1617-5468