The VAD tree: A process-eye view of physical memory

Brendan Dolan-Gavitt

doi:10.1016/j.diin.2007.06.008

The VAD tree: A process-eye view of physical memory

Brendan Dolan-Gavitt

Research output: Contribution to journal › Article › peer-review

Abstract

This paper describes the use of the Virtual Address Descriptor (VAD) tree structure in Windows memory dumps to help guide forensic analysis of Windows memory. We describe how to locate and parse the structure, and show its value in breaking up physical memory into more manageable and semantically meaningful units than can be obtained by simply walking the page directory for the process. Several tools to display information about the VAD tree and dump the memory regions it describes will also be presented.

Original language	English (US)
Pages (from-to)	62-64
Number of pages	3
Journal	Digital Investigation
Volume	4
Issue number	SUPPL.
DOIs	https://doi.org/10.1016/j.diin.2007.06.008
State	Published - Sep 2007

Keywords

Anti-forensics
Digital forensics
Microsoft Windows
Virtual Address Descriptors
Volatile memory

ASJC Scopus subject areas

Pathology and Forensic Medicine
Information Systems
Computer Science Applications
Medical Laboratory Technology
Law

Access to Document

10.1016/j.diin.2007.06.008

Cite this

@article{188324e84d2a470d81ba3505701ce4ae,

title = "The VAD tree: A process-eye view of physical memory",

abstract = "This paper describes the use of the Virtual Address Descriptor (VAD) tree structure in Windows memory dumps to help guide forensic analysis of Windows memory. We describe how to locate and parse the structure, and show its value in breaking up physical memory into more manageable and semantically meaningful units than can be obtained by simply walking the page directory for the process. Several tools to display information about the VAD tree and dump the memory regions it describes will also be presented.",

keywords = "Anti-forensics, Digital forensics, Microsoft Windows, Virtual Address Descriptors, Volatile memory",

author = "Brendan Dolan-Gavitt",

note = "Funding Information: This project was carried out as part of CSIRO's flagship priority project ?Water for a Healthy Country?. The manuscript was reviewed by J. Wilford and M. Craig prior to submission. The contributions of two anonymous MODSIM reviewers are also appreciated. This paper is published with the permission of the CEO's of CRC LEME Geoscience Australia.",

year = "2007",

month = sep,

doi = "10.1016/j.diin.2007.06.008",

language = "English (US)",

volume = "4",

pages = "62--64",

journal = "Digital Investigation",

issn = "1742-2876",

publisher = "Elsevier Ltd",

number = "SUPPL.",

}

TY - JOUR

T1 - The VAD tree

T2 - A process-eye view of physical memory

AU - Dolan-Gavitt, Brendan

N1 - Funding Information: This project was carried out as part of CSIRO's flagship priority project ?Water for a Healthy Country?. The manuscript was reviewed by J. Wilford and M. Craig prior to submission. The contributions of two anonymous MODSIM reviewers are also appreciated. This paper is published with the permission of the CEO's of CRC LEME Geoscience Australia.

PY - 2007/9

Y1 - 2007/9

N2 - This paper describes the use of the Virtual Address Descriptor (VAD) tree structure in Windows memory dumps to help guide forensic analysis of Windows memory. We describe how to locate and parse the structure, and show its value in breaking up physical memory into more manageable and semantically meaningful units than can be obtained by simply walking the page directory for the process. Several tools to display information about the VAD tree and dump the memory regions it describes will also be presented.

AB - This paper describes the use of the Virtual Address Descriptor (VAD) tree structure in Windows memory dumps to help guide forensic analysis of Windows memory. We describe how to locate and parse the structure, and show its value in breaking up physical memory into more manageable and semantically meaningful units than can be obtained by simply walking the page directory for the process. Several tools to display information about the VAD tree and dump the memory regions it describes will also be presented.

KW - Anti-forensics

KW - Digital forensics

KW - Microsoft Windows

KW - Virtual Address Descriptors

KW - Volatile memory

UR - http://www.scopus.com/inward/record.url?scp=34447559706&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34447559706&partnerID=8YFLogxK

U2 - 10.1016/j.diin.2007.06.008

DO - 10.1016/j.diin.2007.06.008

M3 - Article

AN - SCOPUS:34447559706

SN - 1742-2876

VL - 4

SP - 62

EP - 64

JO - Digital Investigation

JF - Digital Investigation

IS - SUPPL.

ER -

The VAD tree: A process-eye view of physical memory

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this