Tcpxtract is a carver for network traffic, which means it extracts files out of captured data. In order to determine start and end positions of a file it searches for certain byte sequences. This procedure was inspired by foremost, a carver for filesystem data.
This article provides a listing of the _EPROCESS structure of Microsoft Windows 2000, Service Pack 4. All data has been produced with the help of the free Microsoft kernel debugger and ntoskrnl.exe version 5.0.2195.7045. Knowledge of this structure could be helpful when analysing a memory dump.
A crash dump is suitable to generate a forensic image of the physical memory. However this requires some preparatory work.
Conservation of volatile data is one of the most challenging tasks in computer forensics. In the Microsoft Windows environment, dd provides a convenient way to copy the memory into a file. There's only one flaw: it won't work from Windows Server 2003 SP 1 onwards.
