int for(ensic){blog;}

A new option in PTfinder version 0.2.02 controls the alignment factor. When searching a Windows 2000 image for processes and threads this doubles the speed!

By Andreas Schuster at 03/25/2006, 11:20 PM | Permalink

Due to popular demand I've released templates to parse DMP files with WinHex and 010 Editor.

By Andreas Schuster at 03/23/2006, 07:10 PM | Permalink

Accidentally I came upon three patents which are mainly related to debugging techniques, but might also affect the development of forensic memory analysis tools.

By Andreas Schuster at 03/21/2006, 12:00 PM | Permalink

Microsoft's debuggers and the NT kernel's crashdump facility generate memory images in a proprietary yet useful format. This article provides you with some internals about the file format and explains how to find a given physical address in the memory image.

By Andreas Schuster at 03/19/2006, 05:00 PM | Permalink

PTfinder relies on some internal structures and magic numbers of the NT kernel to find traces of processes and threads. My proof-of-concept implementation only works on Microsoft Windows 2000. In this article I'll give the full set of parameters needed to adapt PTfinder to other versions up to Vista.

By Andreas Schuster at 03/18/2006, 03:00 PM | Permalink

Converting a virtual into a physical address manually is a dull and error-prone task. To make things a bit easier I drafted a template for Sweetscape's 010 Editor.

By Andreas Schuster at 03/14/2006, 08:30 AM | Permalink

While analyzing a memory dump, sooner or later you'll have to convert a virtual into a physical address. This can be a challenging task when it's done for the first time. This article will guide you through the process.

By Andreas Schuster at 03/11/2006, 08:35 PM | Permalink

I already described how to search for processes and threads - but I still didn't explain why I think this is necessary. In this article I will summarize the state-of-the-art in Windows memory analysis and propose an improvement based on searching.

By Andreas Schuster at 03/06/2006, 09:30 PM | Permalink

Eric Fitz took the trouble to search the Windows sources for default access control lists of the various event logs. He posted his findings for Windows 2000, XP with Service Pack 2 and Windows Server 2003 in the Windows Auditing Team's blog.

By Andreas Schuster at 03/05/2006, 04:10 PM | Permalink

Searching for highly variable structures like processes and threads is a difficult task. The set of criteria must be carefully chosen. On one hand it should limit the amount of false-positives to a minimum while on the other hand it must not wrongly exclude valid objects from the result. This article documents the set of criteria I have implemented in PTfinder v0.2.00.

By Andreas Schuster at 03/05/2006, 03:55 PM | Permalink

Today I presented my paper about Microsoft Windows memory analysis at the 13th DFN-Workshop. I mainly talked about the search algorithm for processes and threads I described earlier in this blog. I'm excited to release a proof of concept implementation in Perl to the public: you're welcome to download it now!

By Andreas Schuster at 03/02/2006, 02:15 PM | Permalink