Here's the abstract:
This paper describes the use of the Virtual Address Descriptor (VAD) tree structure in Windows memory dumps to help guide forensic analysis of Windows memory. We describe how to locate and parse the structure, and show its value in breaking up physical memory into more manageable and semantically meaningful units than can be obtained by simply walking the page directory for the process. Several tools to display information about the VAD tree and dump the memory regions it describes will also be presented.
The tools mentioned above will be released shortly; there's a small amount of cleanup I still need to do. I'll update this post with a link when that happens.
Last, but certainly not least, I want to take this opportunity to give heartfelt thanks to AAron Walters, who helped me out a ton by looking over my paper and giving suggestions. It's a much stronger and more technically interesting work as a result of his help. Also, thanks go out to Andy Bair, who got me interested in all this stuff in the first place.
1 comment:
Hey, any chance of seeing the paper? I can't make DFRWS...
Thanks,
Harlan
Post a Comment