In contrast to my DFRWS paper, which deals with high-level structures like EPROCESS, ETHREAD and the OBJECT_HEADER, I will discuss a low-level structure of the kernel's memory manager, the POOL_HEADER. From the preliminary abstract:
The Microsoft Windows Kernel provides a set of functions which implement a heap-like memory management, called "pools". Whenever some kernel-mode code requires a small amount of memory, it is allocated from a pool. Ignoring the documented interface and searching the whole dump of physical memory for signatures of pool allocations allows the forensic examiner to gain information not only from current but also from freed and not-yet-overwritten allocations. Understanding the inner mechanics of memory pools enables an examiner to attribute certain finds in memory to the originating piece of code.
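The scanning approach the abstract describes, as an added example that is not part of the original post: a small Python pool scanner that walks a raw memory image looking for a pool tag and validates the bitfield in front of it before accepting the hit. The POOL_HEADER layout used here is an assumption about the 32-bit, XP-era header (an 8-byte header: 9 bits PreviousSize, 7 bits PoolIndex, 9 bits BlockSize, 7 bits PoolType, then a 4-byte tag; sizes counted in 8-byte units; PoolType 0 marking a freed block); the memory image, the tag values and the payloads are constructed inline for the demonstration. The checks (header alignment, non-zero BlockSize, allocation large enough to hold the expected object, allocation inside the image) are what separate a real header from a stray occurrence of the same four bytes, and the `freed` flag shows how freed but not yet overwritten allocations remain visible to the examiner.

```python
import struct
from dataclasses import dataclass

# Assumed 32-bit (XP-era) POOL_HEADER layout, 8 bytes in total:
#   ULONG PreviousSize:9, PoolIndex:7, BlockSize:9, PoolType:7;  ULONG PoolTag
# PreviousSize and BlockSize are counted in 8-byte units on x86.
POOL_HEADER_SIZE = 8
POOL_GRANULARITY = 8


@dataclass
class PoolHeader:
    offset: int          # offset of the header inside the image
    previous_size: int   # size of the preceding block, in 8-byte units
    pool_index: int
    block_size: int      # size of this block including the header, in 8-byte units
    pool_type: int       # assumed: 0 means the block has been freed
    tag: bytes

    @property
    def freed(self) -> bool:
        return self.pool_type == 0

    @property
    def allocation_bytes(self) -> int:
        return self.block_size * POOL_GRANULARITY


def parse_pool_header(data: bytes, offset: int) -> PoolHeader:
    """Decode the 32-bit bitfield and the tag at the given offset."""
    bits, tag = struct.unpack_from("<I4s", data, offset)
    return PoolHeader(
        offset=offset,
        previous_size=bits & 0x1FF,
        pool_index=(bits >> 9) & 0x7F,
        block_size=(bits >> 16) & 0x1FF,
        pool_type=(bits >> 25) & 0x7F,
        tag=tag,
    )


def scan_pool_tag(data: bytes, tag: bytes, min_size: int) -> list:
    """Find every plausible pool block carrying `tag` whose body can hold
    at least `min_size` bytes. Hits that fail the sanity checks are dropped."""
    hits = []
    start = 0
    while True:
        i = data.find(tag, start)
        if i < 0:
            break
        start = i + 1
        off = i - 4                      # the tag sits 4 bytes into the header
        if off < 0 or off % POOL_GRANULARITY:
            continue                     # headers are 8-byte aligned
        h = parse_pool_header(data, off)
        if h.block_size == 0:
            continue                     # a block can never be empty
        if h.allocation_bytes < POOL_HEADER_SIZE + min_size:
            continue                     # too small for the object we expect
        if off + h.allocation_bytes > len(data):
            continue                     # runs past the end of the image
        hits.append(h)
    return hits


def build_allocation(previous_size, block_size, pool_type, tag, payload, pool_index=0):
    """Constructed pool block: header bitfield, tag, payload padded to BlockSize."""
    bits = ((previous_size & 0x1FF) | ((pool_index & 0x7F) << 9)
            | ((block_size & 0x1FF) << 16) | ((pool_type & 0x7F) << 25))
    body_len = block_size * POOL_GRANULARITY - POOL_HEADER_SIZE
    assert 0 <= len(payload) <= body_len
    return struct.pack("<I4s", bits, tag) + payload.ljust(body_len, b"\x00")


def build_sample_image() -> bytes:
    """Constructed memory image: two 'Proc' blocks (one in use, one freed),
    two decoy occurrences of the tag bytes, and one unrelated 'File' block."""
    img = b"\x00" * 16                                             # offset 0
    img += build_allocation(0, 4, 1, b"Proc", b"A" * 24)           # offset 16, in use
    img += build_allocation(4, 3, 0, b"Proc", b"B" * 16)           # offset 48, freed
    img += b"xxProcyy"                                             # offset 72, tag unaligned
    img += struct.pack("<I4s", 0, b"Proc")                         # offset 80, BlockSize 0
    img += build_allocation(1, 2, 2, b"File", b"F" * 8)            # offset 88, in use
    return img


if __name__ == "__main__":
    image = build_sample_image()
    for h in scan_pool_tag(image, b"Proc", min_size=16):
        state = "freed" if h.freed else "in use"
        print(f"0x{h.offset:08x} tag={h.tag!r} size={h.allocation_bytes} {state}")
```

The `min_size` parameter encodes what the examiner knows about the object that normally follows the header; raising it is the simplest way to cut false positives from the unaligned or zero-sized decoys that any large image will contain.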
10/29/2006: The slides from IMF 2006 are now available.