Abstract
This paper describes the use of the Virtual Address Descriptor (VAD) tree structure in Windows memory dumps to help guide forensic analysis of Windows memory. We describe how to locate and parse the structure, and show its value in breaking up physical memory into more manageable and semantically meaningful units than can be obtained by simply walking the page directory for the process. Several tools to display information about the VAD tree and dump the memory regions it describes will also be presented.
| Original language | English (US) |
|---|---|
| Title of host publication | DFRWS 2007 Annual Conference |
| State | Published - 2007 |
| Event | 7th Annual Digital Forensic Research Workshop, DFRWS 2007 - Pittsburgh, PA, United States. Duration: Aug 13 2007 → Aug 15 2007 |
Other
| Other | 7th Annual Digital Forensic Research Workshop, DFRWS 2007 |
|---|---|
| Country/Territory | United States |
| City | Pittsburgh, PA |
| Period | 8/13/07 → 8/15/07 |
Keywords
- Anti-forensics
- Digital forensics
- Microsoft Windows
- Virtual Address Descriptors
- Volatile memory
ASJC Scopus subject areas
- Information Systems