Today I presented my paper about Microsoft Windows memory analysis at the 13th DFN-Workshop. I mainly talked about the search algorithm for processes and threads I described earlier in this blog. I'm excited to release a proof of concept implementation in Perl to the public: you're welcome to download it now!
Category "Memory analysis"
In an earlier article I discussed timestamps in thread and process objects. In this post I'll show how this information can be used to narrow down the time at which a certain routine was executed.
To search memory images for processes and threads I rely on a structure named _DISPATCHER_HEADER. This article provides you with a summary of the relevant information.
During the last weeks I've documented the _EPROCESS and _ETHREAD structures for several versions of Microsoft Windows in the main (that is, German) section of this blog. The declarations are in English anyway. I'd like to avoid duplicating those long lists here for several reasons, penalties by search engines among them. This post will guide you to the relevant articles. If there are still questions left, please do not hesitate to ask me.
The Windows kernel creates a distinct object for every process and every thread in its memory. It is possible to extract these blocks of data from memory images. Even the remnants of terminated processes and threads can be found this way. Among their status information there are several timestamps.
This article provides a listing of the _ETHREAD structure of Microsoft Windows 2000. All data has been produced with the help of the free Microsoft kernel debugger and ntoskrnl.exe version 5.0.2195.7045. Knowledge about this structure could be helpful when analysing a memory dump.
This article provides a listing of the _EPROCESS structure of Microsoft Windows 2000, Service Pack 4. All data has been produced with the help of the free Microsoft kernel debugger and ntoskrnl.exe version 5.0.2195.7045. Knowledge of this structure could be helpful when analysing a memory dump.
A crash dump is suitable to generate a forensic image of the physical memory. However, this requires some preparatory work.
Conservation of volatile data is one of the most challenging tasks in computer forensics. In the Microsoft Windows environment, dd provides a convenient way to copy the memory into a file. There's only one flaw: it won't work from Windows Server 2003 SP 1 onwards.
