January 2007 Archives

How trustworthy is hardware-based memory acquisition?

We know that a memory image obtained through a software-based method must be taken with a grain of salt. Rootkits like Shadow Walker could interfere with memory management, thus shaping a forensic examiner's view of memory. But hardware-based acquisition methods can be trusted, can't they? "No," says Joanna Rutkowska in a blog post.

_ETHREAD version 6.0.6000.16386

This article provides a listing of the _ETHREAD structure of Microsoft Windows Vista RTM (Release To Manufacturing). All data has been produced with the help of the free Microsoft kernel debugger and ntoskrnl.exe version 6.0.6000.16386.

_EPROCESS version 6.0.6000.16386

This article provides a listing of the _EPROCESS structure of Microsoft Windows Vista RTM (Release To Manufacturing). All data has been produced with the help of the free Microsoft kernel debugger and ntoskrnl.exe version 6.0.6000.16386.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.