IMF 2006 Paper

My paper for the IMF 2006 conference in Stuttgart has been accepted. It is entitled Pool Allocations as an Information Source in Windows Memory Forensics.

In contrast to my DFRWS paper which deals with high-level structures like EPROCESS, ETHREAD and the OBJECT_HEADER, I will discuss a low-level structure of the kernel's memory manager, the POOL_HEADER. From the preliminary abstract:

The Microsoft Windows Kernel provides a set of functions which implement a heap-like memory management, called "pools". Whenever some kernel-mode code requires a small amount of memory, it is allocated from a pool. Ignoring the documented interface and searching the whole dump of physical memory for signatures of pool allocations allows the forensic examiner to gain information not only from current but also from freed and not yet overwritten allocations. Understanding the inner mechanics of memory pools enables an examiner to attribute certain finds in memory to the originating piece of code.

10/29/2006: The slides from IMF 2006 are now available.

Archives

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.
Powered by Movable Type 5.12