For certain examinations it might be helpful to be able to extract the memory of a single process from the full dump. If the dump was obtained with "dd", the reconstruction of the process's memory is quite simple.
Category "Memory analysis"
A new option in PTfinder version 0.2.02 controls the alignment factor. When searching a Windows 2000 image for processes and threads, this doubles the speed!
Due to popular demand, I've released templates to parse DMP files with WinHex and 010 Editor.
I accidentally came upon three patents that are mainly related to debugging techniques but might also affect the development of forensic memory analysis tools.
PTfinder relies on some internal structures and magic numbers of the NT kernel to find traces of processes and threads. My proof-of-concept implementation only works on Microsoft Windows 2000. In this article, I'll give the full set of parameters needed to adapt PTfinder to other versions up to Vista.
Converting a virtual into a physical address manually is a dull and error-prone task. To make things a bit easier, I drafted a template for SweetScape's 010 Editor.
While analyzing a memory dump, sooner or later you'll have to convert a virtual into a physical address. This can be a challenging task when it's done for the first time. This article will guide you through the process.
I have already described how to search for processes and threads, but I still haven't explained why I think this is necessary. In this article, I will summarize the state of the art in Windows memory analysis and propose an improvement based on searching.
Searching for highly variable structures like processes and threads is a difficult task. The set of criteria must be carefully chosen: on one hand it should keep the number of false positives to a minimum, while on the other hand it must not wrongly exclude valid objects from the result. This article documents the set of criteria I have implemented in PTfinder v0.2.00.
