« December 2006 | Main | February 2007 »

Memory analysis

How trustworthy is hardware-based memory acquisition?

We know that a memory image obtained through a software-based method must be taken with a grain of salt. A rootkit like Shadow Walker, which hooks the page-fault handler and desynchronizes the instruction and data TLBs, can hand a reader a different view of a page than the one the CPU executes, and so shapes what a forensic examiner sees in the image. But hardware-based acquisition methods can be trusted, can't they? "No" says Joanna Rutkowska in a blog post.


Memory analysis

_ETHREAD version 6.0.6000.16386

This article provides a listing of the _ETHREAD structure of Microsoft Windows Vista RTM (Release To Manufacturing), that is, what the kernel debugger's dt nt!_ETHREAD command prints for that build. All data has been produced with the help of the free Microsoft kernel debugger (WinDbg) and ntoskrnl.exe version 6.0.6000.16386.


Memory analysis

_EPROCESS version 6.0.6000.16386

This article provides a listing of the _EPROCESS structure of Microsoft Windows Vista RTM (Release To Manufacturing), that is, what the kernel debugger's dt nt!_EPROCESS command prints for that build. All data has been produced with the help of the free Microsoft kernel debugger (WinDbg) and ntoskrnl.exe version 6.0.6000.16386.
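What an examiner does with a structure listing like the _ETHREAD and _EPROCESS ones above is turn it into member offsets and then read those members out of a raw memory image. The following is an added example written for this page, not code from the blog's articles: it parses a listing in the format WinDbg's dt command prints, then uses the ActiveProcessLinks, UniqueProcessId and ImageFileName offsets to walk the process list in a constructed image, and finally cross-checks the list against a set of candidate _EPROCESS addresses so that an entry unlinked by a rootkit (DKOM) shows up as hidden. Everything in it is an assumption for the sake of the example: the member offsets in SAMPLE_DT are made up and are not the Vista RTM values the article lists, the image is a flat 32-bit mapping starting at BASE_VA rather than a page-table-translated dump, the function names are hypothetical, and the candidate addresses would in practice come from carving (for instance pool-tag scanning) rather than being supplied by hand.

```python
import re
import struct

# Constructed excerpt in the format WinDbg's `dt nt!_EPROCESS` command prints.
# Member names are real _EPROCESS members; the offsets are chosen for this
# example and are NOT the Vista RTM (6.0.6000.16386) values listed on the page.
SAMPLE_DT = """\
kd> dt nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x080 ProcessLock      : _EX_PUSH_LOCK
   +0x088 CreateTime       : _LARGE_INTEGER
   +0x09c UniqueProcessId  : Ptr32 Void
   +0x0a0 ActiveProcessLinks : _LIST_ENTRY
   +0x14c ImageFileName    : [16] UChar
"""

DT_LINE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*?)\s*$")

def parse_dt(text):
    """Turn a dt listing into {member: (offset, type)}; other lines are ignored."""
    members = {}
    for line in text.splitlines():
        m = DT_LINE.match(line)
        if m:
            members[m.group(2)] = (int(m.group(1), 16), m.group(3))
    return members

# Assumed for the example: a flat 32-bit image whose offset 0 is this virtual
# address. A real image needs page-table translation here instead.
BASE_VA = 0x82000000
PTR = "<I"   # 32-bit little-endian pointer, as on x86 Vista

def va_to_off(va):
    return va - BASE_VA

def read_ptr(img, va):
    off = va_to_off(va)
    if not 0 <= off <= len(img) - 4:
        return None                       # pointer leads outside the image
    return struct.unpack_from(PTR, img, off)[0]

def build_sample_image(members, procs, head_va, unlink=None):
    """Construct a fake image: a PsActiveProcessHead list head plus one
    _EPROCESS per (va, pid, name). If `unlink` is a process VA, its neighbours
    are relinked around it (DKOM-style hiding) while its own Flink/Blink keep
    pointing at the former neighbours."""
    img = bytearray(0x10000)
    links_off, pid_off, name_off = (members[k][0] for k in
        ("ActiveProcessLinks", "UniqueProcessId", "ImageFileName"))
    chain = [head_va] + [va + links_off for va, _, _ in procs]
    live = [e for e in chain if unlink is None or e != unlink + links_off]
    for va, pid, name in procs:
        struct.pack_into(PTR, img, va_to_off(va + pid_off), pid)
        off = va_to_off(va + name_off)
        img[off:off + 16] = name.encode("ascii").ljust(16, b"\0")[:16]
    for e in chain:
        ring = live if e in live else chain
        i = ring.index(e)
        struct.pack_into(PTR, img, va_to_off(e), ring[(i + 1) % len(ring)])      # Flink
        struct.pack_into(PTR, img, va_to_off(e + 4), ring[(i - 1) % len(ring)])  # Blink
    return img

def walk_active_process_list(img, members, head_va):
    """Follow Flink from the list head through ActiveProcessLinks and return
    [(pid, name)], stopping on a cycle or on a pointer outside the image."""
    links_off, pid_off, name_off = (members[k][0] for k in
        ("ActiveProcessLinks", "UniqueProcessId", "ImageFileName"))
    seen, out = set(), []
    entry = read_ptr(img, head_va)
    while entry is not None and entry != head_va and entry not in seen:
        seen.add(entry)
        eproc = entry - links_off          # CONTAINING_RECORD(entry, _EPROCESS, ActiveProcessLinks)
        pid = read_ptr(img, eproc + pid_off)
        off = va_to_off(eproc + name_off)
        name = bytes(img[off:off + 16]).split(b"\0", 1)[0].decode("ascii", "replace")
        out.append((pid, name))
        entry = read_ptr(img, entry)       # next Flink
    return out

def hidden_processes(img, members, head_va, candidates):
    """Cross-check: candidate _EPROCESS addresses (in practice found by carving,
    e.g. pool-tag scanning) that the linked-list walk never reaches."""
    links_off = members["ActiveProcessLinks"][0]
    reached = set()
    entry = read_ptr(img, head_va)
    while entry is not None and entry != head_va and entry not in reached:
        reached.add(entry)
        entry = read_ptr(img, entry)
    return [va for va in candidates if va + links_off not in reached]

if __name__ == "__main__":
    members = parse_dt(SAMPLE_DT)
    head = BASE_VA + 0x100
    procs = [(BASE_VA + 0x1000, 4, "System"),
             (BASE_VA + 0x2000, 520, "csrss.exe"),
             (BASE_VA + 0x3000, 1337, "evil.exe")]
    img = build_sample_image(members, procs, head, unlink=BASE_VA + 0x3000)
    print(walk_active_process_list(img, members, head))
    print([hex(va) for va in hidden_processes(img, members, head, [p[0] for p in procs])])
```

The walk keeps a set of visited entries and refuses pointers that fall outside the image, because an acquired image may contain a corrupted or deliberately looped list; the cross-check is the usual answer to DKOM unlinking, since an unlinked process still sits in memory with its structure intact even though no Flink reaches it. Against a real image, replace va_to_off with proper virtual-to-physical translation and take the offsets from the listing for the exact ntoskrnl.exe build, which is why the articles above pin the listings to version 6.0.6000.16386.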
