Virtual Address Descriptors (DFRWS 2007)

I've just had my first paper accepted to a conference! The paper, titled The VAD Tree: A Process-Eye View of Physical Memory, describes how to use the Virtual Address Descriptor structure of the Windows kernel to do a variety of nifty things, including list DLLs loaded by the process and categorize a process's memory allocations into shared regions, mapped files, and private allocations. I'll be presenting it at the 7th annual Digital Forensics Research Workshop in Pittsburgh this August.

Here's the abstract:

This paper describes the use of the Virtual Address Descriptor (VAD) tree structure in Windows memory dumps to help guide forensic analysis of Windows memory. We describe how to locate and parse the structure, and show its value in breaking up physical memory into more manageable and semantically meaningful units than can be obtained by simply walking the page directory for the process. Several tools to display information about the VAD tree and dump the memory regions it describes will also be presented.

The tools mentioned above will be released shortly; there's a small amount of cleanup I still need to do. I'll update this post with a link when that happens.

Last, but certainly not least, I want to take this opportunity to give heartfelt thanks to AAron Walters, who helped me out a ton by looking over my paper and giving suggestions. It's a much stronger and more technically interesting work as a result of his help. Also, thanks go out to Andy Bair, who got me interested in all this stuff in the first place.