PoolFinder Version 1.0.0 Released


Today IMF 2006 starts - and I'm excited to announce the public release of a new tool named PoolFinder. PoolFinder accompanies my paper Pool Allocations as an Information Source in Windows Memory Forensics which I will present at IMF.

PoolFinder conducts a brute-force scan of a Windows memory dump or page file (pagefile.sys) and attempts to identify pool allocations. The identification process is based solely on the 8-byte pool header and on the proper chaining of adjacent allocations. Depending on the options chosen by the user, PoolFinder may produce a significant number of either false negatives or false positives. The defaults are set to produce an uncluttered listing, but they are likely to miss some pages that are full of data.
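As an added illustration of the two checks the paragraph describes (the 8-byte header itself, and the chaining between neighbouring allocations), here is a small Python scanner. It is not PoolFinder's code; it assumes the 32-bit _POOL_HEADER layout (PreviousSize:9, PoolIndex:7, BlockSize:9, PoolType:7, then a 4-byte tag, with sizes counted in 8-byte blocks) and runs over a constructed 4 KiB page rather than a real dump. The `require_chain` switch mirrors the trade-off in the text: the strict default reports only headers confirmed by a neighbour, the loose mode reports every header-like pattern and therefore picks up false positives.

```python
"""Toy pool-allocation scanner for a raw 32-bit Windows memory page.
Added example, not PoolFinder's own code; header layout and sample data are assumptions."""
import struct
from dataclasses import dataclass
from typing import List, Optional

BLOCK = 8        # pool granularity on x86: header sizes are counted in 8-byte units
HEADER_LEN = 8   # sizeof(_POOL_HEADER) on x86 (assumed for Windows 2000 through Vista)
PAGE = 4096


@dataclass
class PoolHeader:
    offset: int
    previous_size: int   # size of the preceding allocation, in blocks
    pool_index: int
    block_size: int      # size of this allocation including its header, in blocks
    pool_type: int
    tag: bytes           # 4-byte pool tag as it appears in memory, e.g. b"TCPA"


def pack_header(previous_size: int, pool_index: int, block_size: int,
                pool_type: int, tag: bytes) -> bytes:
    """Encode the x86 header bitfield (PreviousSize:9, PoolIndex:7, BlockSize:9, PoolType:7) + PoolTag."""
    bits = ((previous_size & 0x1FF) | ((pool_index & 0x7F) << 9)
            | ((block_size & 0x1FF) << 16) | ((pool_type & 0x7F) << 25))
    return struct.pack("<I", bits) + tag[:4].ljust(4, b"\x00")


def parse_header(buf: bytes, off: int) -> Optional[PoolHeader]:
    """Decode the 8 bytes at off as a pool header; None if out of range."""
    if off < 0 or off + HEADER_LEN > len(buf):
        return None
    (bits,) = struct.unpack_from("<I", buf, off)
    return PoolHeader(off, bits & 0x1FF, (bits >> 9) & 0x7F,
                      (bits >> 16) & 0x1FF, (bits >> 25) & 0x7F,
                      bytes(buf[off + 4:off + 8]))


def plausible(h: PoolHeader) -> bool:
    """Check the header on its own: non-empty block and a printable tag.
    This is the cheap test that, used alone, yields many false positives."""
    if h.block_size == 0:
        return False
    tag = bytes(b & 0x7F for b in h.tag)   # top bit of the last byte marks a protected allocation
    return all(0x20 <= c < 0x7F for c in tag)


def chained(buf: bytes, h: PoolHeader, page_start: int, page_end: int) -> bool:
    """Confirm h through a neighbour in the same page: the next header must record
    our BlockSize as its PreviousSize, or the previous header's BlockSize must match our PreviousSize."""
    nxt = parse_header(buf, h.offset + h.block_size * BLOCK)
    if nxt is not None and nxt.offset < page_end and nxt.previous_size == h.block_size:
        return True
    if h.previous_size:
        prv_off = h.offset - h.previous_size * BLOCK
        prv = parse_header(buf, prv_off)
        if prv is not None and prv_off >= page_start and prv.block_size == h.previous_size:
            return True
    return False


def scan(buf: bytes, require_chain: bool = True) -> List[PoolHeader]:
    """Walk the buffer page by page, testing every 8-byte-aligned offset.
    require_chain=True is the uncluttered mode; False also reports unchained candidates."""
    found: List[PoolHeader] = []
    for page_start in range(0, len(buf), PAGE):
        page_end = min(page_start + PAGE, len(buf))
        for off in range(page_start, page_end - HEADER_LEN + 1, BLOCK):
            h = parse_header(buf, off)
            if h is None or not plausible(h):
                continue
            if require_chain and not chained(buf, h, page_start, page_end):
                continue
            found.append(h)
    return found


def build_sample_page() -> bytes:
    """Constructed 4 KiB page: three properly chained allocations at the start,
    plus one isolated header-like pattern at offset 1024 with no matching neighbours."""
    page = bytearray(PAGE)
    off = 0
    for prev, size, tag in [(0, 4, b"TCPA"), (4, 6, b"File"), (6, 3, b"Proc")]:  # sizes in blocks
        page[off:off + HEADER_LEN] = pack_header(prev, 0, size, 1, tag)
        off += size * BLOCK
    page[1024:1024 + HEADER_LEN] = pack_header(5, 0, 2, 1, b"Fake")
    return bytes(page)


if __name__ == "__main__":
    dump = build_sample_page()
    for mode in (True, False):
        print(f"require_chain={mode}:")
        for h in scan(dump, require_chain=mode):
            print(f"  0x{h.offset:04x} tag={h.tag.decode('ascii')} "
                  f"size={h.block_size * BLOCK} prev={h.previous_size * BLOCK}")
```

On the sample page the strict scan returns the three chained allocations (TCPA, File, Proc) and drops the isolated "Fake" header, while the loose scan reports all four. On a real dump the loose mode is what you reach for when a page's chain has been partially overwritten, at the cost of the clutter the post warns about.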

PoolFinder is written in Perl, so you need a Perl interpreter to run it. It was tested with ActiveState Perl version 5.8.8 on Microsoft Windows XP. The tool is capable of analyzing dumps obtained from Windows 2000 up to Vista. Dumps may be in raw format or in the Microsoft crash dump format.

The latest version of PoolFinder is available at http://computer.forensikblog.de/files/poolfinder/poolfinder-current.zip.

5 Comments

Andreas,

Very cool, and very useful.

Any thoughts on how this data can best be used by forensic analysts, and how to decode/interpret the data that is found?

H

Harlan,

PoolFinder shows you where the data is - not how to interpret it. That's a different (and cumbersome) process. I posted an example in an earlier article. I used an early version of PoolFinder to locate the TCP address objects (which are tagged with "TCPA").

Andreas

Right, I understand that...but is there a way that we can map those structures, based on the OS version? You did it with Win2K and TCPA...can we (as a community) map those other structures?

I found about 1,300 distinct pool tags in a dump of one of the latest Vista builds. So I wouldn't recommend choosing a bottom-up approach here.

How about defining a set of "interesting" information at first, then looking for proper pool tags (if there are any), and decompiling the data format at last?

As for the last step I'm still thinking about some IDA Pro scripts or plug-ins.

Andreas,

My thoughts exactly. I have no illusions about the enormity of decoding all pool tags...I'd only like to focus on "interesting" ones; network connections, contents of the clipboard, etc. Decoding will take some work. After you and I emailed about your success with finding the format for network connections on 2000, I tried something similar w/ XP and didn't have that kind of luck.

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.