PoolTools Version 1.3.0

I have overhauled PoolFinder and the accompanying tools. The tools now use a SQLite database instead of flat files for exchanging data. An experimental package now provides stand-alone versions of the tools, along with an embedded Perl interpreter.

PoolTools consists of the following programs:

  • PoolFinder - finds allocations of the OS kernel in memory dumps and page files (pagefile.sys)

  • PoolGrep - finds strings in pool allocations

  • PoolDump - produces a hex dump of all allocations that belong to a selected class

An additional tool, PoolView, translates certain pool allocations into a human-readable form. PoolView is available to law enforcement and special interest groups upon request.

By switching from flat files to a SQLite database, the execution speed of PoolTools was greatly improved. The full power of SQL is now also available to support the analysis of pool allocations.

Perl code of PoolTools version 1.3.00 is available here. Those who have no Perl interpreter ready are invited to try the experimental stand-alone version with embedded Perl interpreter.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.