Today IMF 2006 starts - and I'm excited to announce the public release of a new tool named PoolFinder. PoolFinder accompanies my paper Pool Allocations as an Information Source in Windows Memory Forensics which I will present at IMF.
PoolFinder conducts a brute-force scan of a Windows memory dump or page file (pagefile.sys) and attempts to identify pool allocations. The identification is based solely on the 8-byte pool header (_POOL_HEADER) and on the proper chaining of allocations: every header records the size of its own block and the size of the block before it, so neighbouring headers within a page must agree with each other. Depending on the options chosen by the user, PoolFinder may produce a significant number of either false negatives or false positives. The defaults are set to produce an uncluttered listing, but they are likely to miss some pages full of data.
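To make the chaining check concrete, here is an added example of a minimal header walker written for this post; it is not PoolFinder's code. It uses the x86 _POOL_HEADER layout (9-bit PreviousSize, 7-bit PoolIndex, 9-bit BlockSize, 7-bit PoolType, 4-byte tag; sizes counted in 8-byte units, PoolType 0 marking a freed block) and walks page-aligned pages of a raw dump only, so crash-dump headers and unaligned scanning are out of scope. The `require_complete` and `min_blocks` knobs are my own stand-ins for the false-positive/false-negative trade-off described above, not PoolFinder's actual options, and the three-page "dump" is constructed inline.

```python
"""Walk x86 _POOL_HEADER chains in page-aligned pages of a raw memory dump (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAGE_SIZE = 4096
UNIT = 8  # the x86 _POOL_HEADER is 8 bytes; PreviousSize/BlockSize count 8-byte units


@dataclass
class PoolHeader:
    offset: int          # absolute offset of the header in the dump
    previous_size: int   # size of the preceding block in 8-byte units (0 = first in page)
    pool_index: int
    block_size: int      # size of this block, header included, in 8-byte units
    pool_type: int       # 0 marks a freed block
    tag: bytes           # raw four-byte tag as stored in memory

    @property
    def tag_text(self) -> str:
        # Tags are four ASCII characters; bit 7 of a byte flags a "protected" allocation.
        return "".join(chr(b & 0x7F) for b in self.tag)

    @property
    def protected(self) -> bool:
        return bool(self.tag[3] & 0x80)

    @property
    def freed(self) -> bool:
        return self.pool_type == 0


def pack_header(previous_size: int, pool_index: int, block_size: int,
                pool_type: int, tag: bytes) -> bytes:
    """Encode a bit-packed x86 _POOL_HEADER (only used to build the constructed sample)."""
    ulong1 = ((previous_size & 0x1FF) | ((pool_index & 0x7F) << 9)
              | ((block_size & 0x1FF) << 16) | ((pool_type & 0x7F) << 25))
    return struct.pack("<I4s", ulong1, tag)


def parse_header(buf: bytes, off: int, base: int = 0) -> PoolHeader:
    ulong1, tag = struct.unpack_from("<I4s", buf, off)
    return PoolHeader(base + off, ulong1 & 0x1FF, (ulong1 >> 9) & 0x7F,
                      (ulong1 >> 16) & 0x1FF, (ulong1 >> 25) & 0x7F, tag)


def tag_plausible(tag: bytes) -> bool:
    return all(0x20 <= (b & 0x7F) < 0x7F for b in tag)


def walk_page(page: bytes, base: int = 0) -> Tuple[List[PoolHeader], bool]:
    """Follow the header chain from the start of one page.

    Returns (chain, complete): the run of consistently linked headers, and whether
    that run carves the page exactly. A header is accepted only if its size is
    nonzero, its back-link matches the previous block's size, its tag is printable
    and the block stays inside the page.
    """
    chain: List[PoolHeader] = []
    off, expected_prev = 0, 0
    while off < PAGE_SIZE:
        h = parse_header(page, off, base)
        if (h.block_size == 0 or h.previous_size != expected_prev
                or not tag_plausible(h.tag) or off + h.block_size * UNIT > PAGE_SIZE):
            return chain, False
        chain.append(h)
        expected_prev = h.block_size
        off += h.block_size * UNIT
    return chain, True


def scan_dump(dump: bytes, require_complete: bool = True,
              min_blocks: int = 2) -> Dict[int, List[PoolHeader]]:
    """Scan every page-aligned page; return page offset -> chain for accepted pages.

    require_complete=True (strict) drops pages whose chain does not carve the whole
    page, which is uncluttered but misses torn or partly overwritten pages;
    require_complete=False keeps any run of at least min_blocks linked headers.
    """
    found: Dict[int, List[PoolHeader]] = {}
    for base in range(0, len(dump) - PAGE_SIZE + 1, PAGE_SIZE):
        chain, complete = walk_page(dump[base:base + PAGE_SIZE], base)
        if len(chain) >= min_blocks and (complete or not require_complete):
            found[base] = chain
    return found


def build_sample_dump() -> bytes:
    """Constructed three-page dump: a well-formed pool page, a zeroed page, and a
    copy of the first page whose third header has been overwritten."""
    good = bytearray(PAGE_SIZE)
    layout = [  # (previous_size, block_size, pool_type, tag); 8 + 40 + 464 = 512 units
        (0, 8, 1, b"Fil\xe5"),   # "File" with the protected bit set on the last byte
        (8, 40, 1, b"Proc"),
        (40, 464, 0, b"Free"),   # PoolType 0: a freed block
    ]
    off = 0
    for prev, size, ptype, tag in layout:
        good[off:off + 8] = pack_header(prev, 0, size, ptype, tag)
        good[off + 8:off + size * UNIT] = b"\xAA" * (size * UNIT - 8)  # fake payload
        off += size * UNIT
    torn = bytearray(good)
    torn[384:392] = bytes(8)  # third header destroyed -> chain breaks after two blocks
    return bytes(good) + bytes(PAGE_SIZE) + bytes(torn)


if __name__ == "__main__":
    for base, chain in scan_dump(build_sample_dump(), require_complete=False).items():
        print(f"page 0x{base:x}: " + ", ".join(
            f"{h.tag_text}{'*' if h.protected else ''}@0x{h.offset:x} ({h.block_size * UNIT} B"
            f"{', freed' if h.freed else ''})" for h in chain))
```

With the strict default only the first page is reported; relaxing `require_complete` also surfaces the torn page, whose first two blocks still link correctly, at the cost of accepting any page whose first few words merely look like headers. That is the same trade-off the defaults above make.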
PoolFinder is written in Perl, so you need a Perl interpreter to run it. It was tested with ActiveState Perl version 5.8.8 on Microsoft Windows XP. The tool is capable of analyzing dumps obtained from Windows 2000 up to Vista. Dumps may be either in raw format or in the Microsoft crash dump format.
The latest version of PoolFinder is available at http://computer.forensikblog.de/files/poolfinder/poolfinder-current.zip.