PTFinder for Windows Vista

Several people requested an update of PTFinder for the Microsoft Windows Vista platform. The changes to support kernel version 6.0.6000.16386 were not trivial. I've added a BETA version to the PTFinder Collection.

There's an experimental option, --pool, that enables a check of the POOL_HEADER structure. While this check slightly reduces the number of false positives, it may exclude some traces of defunct processes, too. Therefore this option is turned off by default.
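To illustrate the kind of plausibility test the --pool option performs, here is an added example in Python (not PTFinder's own code, which is written in Perl). It decodes the 8-byte 32-bit _POOL_HEADER that precedes a pool allocation and applies assumed rules: the block must be allocated, carry the process tag, and be large enough for the object; the rule set, the 0x100 minimum body size and the two sample headers are constructed for this example and not taken from PTFinder. It also shows the trade-off from the text: a freed block (PoolType 0) still carries the tag, so the check drops that defunct process.

```python
import struct

# 32-bit _POOL_HEADER (8 bytes) as laid out on Windows XP/Vista x86:
# ULONG bitfield PreviousSize:9 | PoolIndex:7 | BlockSize:9 | PoolType:7,
# followed by a 4-byte PoolTag. Sizes are counted in 8-byte granules.
POOL_GRANULE = 8
HEADER_SIZE = 8

def parse_pool_header(buf: bytes, off: int = 0) -> dict:
    """Decode the _POOL_HEADER starting at buf[off]."""
    bits, tag = struct.unpack_from("<I4s", buf, off)
    return {
        "PreviousSize": bits & 0x1FF,
        "PoolIndex": (bits >> 9) & 0x7F,
        "BlockSize": (bits >> 16) & 0x1FF,
        "PoolType": (bits >> 25) & 0x7F,
        "PoolTag": tag,
    }

def pool_header_check(hdr: dict, expected_tag: bytes, min_body: int) -> bool:
    """Assumed plausibility rules (not PTFinder's): allocated block, expected
    tag (ignoring the high bit of the last tag byte, which marks protected
    allocations) and a body big enough to hold the object."""
    if hdr["PoolType"] == 0:        # PoolType 0 = free block: the process is defunct
        return False
    tag = hdr["PoolTag"][:3] + bytes([hdr["PoolTag"][3] & 0x7F])
    if tag != expected_tag:
        return False
    return hdr["BlockSize"] * POOL_GRANULE - HEADER_SIZE >= min_body

def make_pool_header(prev: int, index: int, block: int, ptype: int, tag: bytes) -> bytes:
    """Build a header for the constructed samples below (not from a real dump)."""
    bits = (prev & 0x1FF) | ((index & 0x7F) << 9) | ((block & 0x1FF) << 16) | ((ptype & 0x7F) << 25)
    return struct.pack("<I4s", bits, tag)

# Constructed samples: a live process block, and the same block after it was freed.
LIVE_PROC = make_pool_header(prev=4, index=0, block=0x40, ptype=1, tag=b"Pro\xe3")
FREED_PROC = make_pool_header(prev=4, index=0, block=0x40, ptype=0, tag=b"Pro\xe3")

def classify(raw: bytes) -> str:
    """Apply the pool check to one candidate; 0x100 is an assumed minimum object size."""
    hdr = parse_pool_header(raw)
    return "accepted" if pool_header_check(hdr, b"Proc", min_body=0x100) else "rejected"

if __name__ == "__main__":
    for name, raw in (("live", LIVE_PROC), ("freed", FREED_PROC)):
        print(name, parse_pool_header(raw), classify(raw))
```

Without the pool check both candidates would be reported; with it, the freed block is rejected, which is exactly the trace of a defunct process the text warns may be lost.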

Thanks go to Umang Desai (Georgia Institute of Technology) for extensive testing. The Vista version is still in BETA and needs more testing, though. I welcome any feedback from the community.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.