« November 2005 | Main | February 2006 »
Memory analysis
(Dieser Artikel ist auch auf Deutsch verfügbar.)
The Windows kernel creates a distinct object for every process and every thread in its memory. It is possible to extract these blocks of data from memory images. At this even the remnants of terminated processes and threads can be found. Among their status information there are several timestamps.
Memory analysis
This article provides a listing of the _ETHREAD structure of Microsoft Windows 2000. All data has been produced with the help of the free Microsoft kernel debugger and ntoskrnl.exe version 5.0.2195.7045. Knowledge about this structure could be helpful when analysing a memory dump.
This blog is a project of
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
Germany
impressum@forensikblog.de
Copyright © 2005-2010 by
Andreas Schuster
All rights reserved.