The VAD tree: A process-eye view of physical memory

DFRWS 2007 Annual Conference

Volumn , Issue , 2007, Pages

  Dolan Gavitt, Brendan ^a  

^a MITRE CORPORATION   (United States)

Author keywords

Anti forensics; Digital forensics; Microsoft Windows; Virtual Address Descriptors; Volatile memory

Indexed keywords

ANTI-FORENSICS; DESCRIPTORS; DIGITAL FORENSIC; MICROSOFT WINDOWS; VOLATILE MEMORY;

ELECTRONIC CRIME COUNTERMEASURES; FORESTRY;

TREES (MATHEMATICS);

EID: 84868338713     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1016/j.diin.2007.06.008     Document Type: Conference Paper

References (15)

1. Betz C. DFRWS 2005 forensic challenge answers, 〈http://www.dfrws. org/2005/challenge/ChrisBetz-DFRWSChallengeOverview.html〉.
2. Dabak P, Phadke S, Borate M. Undocumented Windows NT. New York, NY, USA: John Wiley & Sons, Inc., ISBN 0764545698; 1999.
3. Graphviz, 〈http://www.graphviz.org/〉.
4. Garner Jr GM, Mora R-J. DFRWS 2005 forensic challenge answers, 〈http://www.dfrws.org/2005/challenge/RossettoeCioccolato-Responses. pdf〉.
5. Intel-Corporation. Intel-64 and IA-32 architectures software developer's manual. Santa Clara, CA, USA: Intel-Corporation, 〈http://www.intel.com/ products/processor/manuals/index.htm〉; 2006.
6. Kdm. NTIllusion: a portable Win32 userland rootkit. Phrack July 2004;11(62).
7. Kornblum J. Using every part of the buffalo in Windows memory analysis. Digit Investig J, 〈http://jessekornblum.com/research/papers/buffalo. pdf〉 March 2007.
8. Petroni Jr NL, Walters A, Fraser T, Arbaugh WA. FATKit: a framework for the extraction and analysis of digital forensic data from volatile system memory. Digit Investig December 2006;3(4).
9. Russinovich ME, Solomon DA. Microsoft Windows internals, Microsoft Windows Server(TM) 2003, Windows XP, and Windows 2000 (Pro-Developer). 4th ed. Redmond, WA, USA: Microsoft Press, ISBN 0735619174; 2004.
10. Schuster A. Searching for processes and threads in Microsoft Windows memory dumps. In: Proceedings of the sixth annual digital forensic research workshop (DFRWS 2006); 2006a. 〈http://www.dfrws.org/2006/proceedings/2- Schuster.pdf〉.
11. Schuster A. Pool allocations as an information source in Windows memory forensics. In: Third international conference on ITincident management & IT-forensics; October 2006b.
12. Schuster A. EPROCESS version 6.0.6000.16386, 〈http://computer. forensikblog.de/en/2007/01/eprocess-6-0-6000-16386.html〉; January 2007.
13. The FTimes project, 〈http://ftimes.sourceforge.net/FTimes/index. shtml〉.
14. Walters A. FATKit: Detecting malicious library injection and upping the "anti". Technical report. 4TF Research Laboratories; July 2006.
15. Walters A, Petroni Jr NL. Volatools: integrating volatile memory forensics into the digital investigation process. In: Black Hat DC 2007; 2007.