Analyzing Windows Memory Essay

Network investigation cases rarely follow a rote path, but most investigations share a few typical steps. One of the first, when we are doing a live analysis, is to acquire the memory. A myriad of invaluable information can be gleaned from a computer’s memory: hidden and running processes, when those processes were started and by whom, and what each of them was doing. Terminated objects may even be found in memory days after they were killed. Memory also holds the state of active network connections (Burdach). “Windows memory analysis techniques depend on the examiner’s ability to translate the virtual addresses used by programs and operating system …
“A memory pool is a dynamic memory area allocated by the kernel where it stores administrative structures” (Schuster). Each structure’s header carries a pool tag, a four-byte value that identifies the type of pool structure (for example Proc, VAD, and Obtb). The EPROCESS structure is identified by the pool tag Proc. The Proc contains pointers to the Object Table (Obtb) and to the root of the Virtual Address Descriptor (VAD) tree (Dolan-Gavitt). The Obtb lists the private objects in use by the process, including file objects (pool tag FILE), registry key objects (pool tag Key), and event objects (pool tag Evt) (Dolan-Gavitt). The VAD root is the starting point of the VAD tree, which records the memory ranges in use by a process (Dolan-Gavitt); a process’s virtual address space can therefore be reconstructed from its VAD tree. Nodes of the VAD tree carry several different pool tags, corresponding to the different types of Virtual Address Descriptor. Two of the common ones, Vad and VadL, contain pointers to Control Areas. The Control Area stores usage statistics for the mapped file and pointers to the FILE, the Page Table (pool tag MmSt), and the Segment Object (pool tag MmCa). The MmCa contains the actual file size of the mapped file (Dolan-Gavitt). FILE objects point back to the Control Area as well as to the I/O name (pool tag IoNm). The IoNm typically contains the file
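As an added illustration of the pool-tag scanning this paragraph describes (example code written for this page, not from the essay or from Schuster’s or Dolan-Gavitt’s tools), the following scans a constructed memory image for pool allocations carrying a given tag and applies the header consistency checks that separate real pool blocks, live or freed, from stray tag bytes. It assumes the 32-bit Windows XP pool header layout; the sample image and its block sizes are constructed for the example.

```python
import struct

# 32-bit Windows XP _POOL_HEADER, the layout Schuster's pool-tag scanning relies on (assumed
# here; other Windows versions differ). Sizes are in 8-byte units; PoolType 0 marks a freed block.
#   ULONG PreviousSize:9 | PoolIndex:7 | BlockSize:9 | PoolType:7   then   ULONG PoolTag (b"Proc")
HEADER_LEN = 8
BLOCK_UNIT = 8

def parse_pool_header(image: bytes, off: int) -> dict:
    """Decode the bit fields of the 8-byte pool header at `off`."""
    (bits,) = struct.unpack_from("<I", image, off)
    return {
        "previous_size": bits & 0x1FF,
        "block_size": (bits >> 16) & 0x1FF,
        "pool_type": (bits >> 25) & 0x7F,
        "tag": image[off + 4:off + 8],
    }

def scan_pool_tag(image: bytes, tag: bytes) -> list:
    """Find plausible pool allocations tagged `tag`; freed ones are reported with in_use=False."""
    hits = []
    for off in range(0, len(image) - HEADER_LEN + 1, HEADER_LEN):  # headers are 8-byte aligned
        if image[off + 4:off + 8] != tag:
            continue
        hdr = parse_pool_header(image, off)
        size = hdr["block_size"] * BLOCK_UNIT
        # Sanity checks that weed out tag bytes merely occurring inside another allocation's data:
        # the block must be non-empty and fit in the image, and when a header follows it, that
        # header's PreviousSize must point back at this block (pool blocks chain through their sizes).
        if size == 0 or off + size > len(image):
            continue
        nxt = off + size
        if nxt + HEADER_LEN <= len(image) and parse_pool_header(image, nxt)["previous_size"] != hdr["block_size"]:
            continue
        hits.append({"header": off, "body": off + HEADER_LEN, "size": size - HEADER_LEN,
                     "in_use": hdr["pool_type"] != 0})
    return hits

def _header(prev: int, blocks: int, pool_type: int, tag: bytes) -> bytes:
    # Pack a pool header (PoolIndex left 0) for the constructed sample image below.
    bits = (prev & 0x1FF) | ((blocks & 0x1FF) << 16) | ((pool_type & 0x7F) << 25)
    return struct.pack("<I", bits) + tag

# Constructed 72-byte "memory image": a live Proc block, a freed Proc block (a terminated process
# still sitting in the pool), a live Vad block, and a bogus Proc header whose size overruns the image.
SAMPLE_IMAGE = (
    _header(0, 3, 2, b"Proc") + b"\x00" * 16
    + _header(3, 2, 0, b"Proc") + b"\x00" * 8
    + _header(2, 2, 2, b"Vad ") + b"\x00" * 8
    + _header(2, 0x1F0, 2, b"Proc") + b"\x00" * 8
)
```

Running `scan_pool_tag(SAMPLE_IMAGE, b"Proc")` reports the live block at offset 0 and the freed block at offset 24 while rejecting the bogus header at offset 56; the freed hit is the kind of residue that lets terminated processes be recovered long after they exited.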
