Title
Windows Memory Analysis Based on KPCR
Abstract
This paper briefly introduces the challenges facing the collection of volatile data from a target computer and gives reasons to favor physical memory analysis. After describing related work on memory analysis, it details a Windows memory analysis method through which useful information, such as running processes, current network connections and file contents, can be extracted from a memory image. The method is based on a Windows kernel data structure known as the Kernel Processor Control Region, or KPCR. In addition, the translation of virtual addresses to physical addresses is discussed in detail and a practical address translation algorithm is given. The method is verified on Windows XP SP2, Windows 2003 Server SP2 and Windows Vista Home Basic.
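The address translation the abstract refers to is, on the 32-bit Windows versions named above, a walk of the x86 page directory and page tables stored inside the memory image itself. The following is an added example written for this page, not code from the paper: it implements the non-PAE 32-bit walk (10/10/12-bit split, 4 MB large pages, and the Windows transition-PTE case in which a page with Valid=0 is still resident) over a small constructed image whose page directory, page tables and sample data are built by build_image(). The CR3 value, page layout and data bytes are assumptions for the example; the self-pointer check uses the fixed x86 KPCR address 0xffdff000 and the _KPCR.SelfPcr field at offset 0x1c, which is a property of the x86 layout rather than a description of the paper's algorithm.

```c
/* Constructed example: 32-bit non-PAE x86 page-table walk over a memory image. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE   4096u
#define IMAGE_PAGES 8u
#define IMAGE_SIZE  (IMAGE_PAGES * PAGE_SIZE)
#define CR3         0x1000u        /* assumed: page directory in physical page 1 */
#define KPCR_VA     0xffdff000u    /* fixed x86 KPCR virtual address */
#define KPCR_SELFPCR_OFFSET 0x1cu  /* _KPCR.SelfPcr on x86 */

enum va2pa_status { VA_OK = 0, VA_PDE_NOT_PRESENT, VA_PTE_NOT_PRESENT, VA_OUT_OF_IMAGE };

/* Constructed physical memory image (8 pages), filled by build_image(). */
static uint8_t image[IMAGE_SIZE];

/* Bounds-checked little-endian 32-bit read from the image; 0 if out of range. */
static int read_u32(uint32_t pa, uint32_t *out)
{
    if (pa > IMAGE_SIZE - 4u) return 0;
    *out = (uint32_t)image[pa] | ((uint32_t)image[pa + 1] << 8) |
           ((uint32_t)image[pa + 2] << 16) | ((uint32_t)image[pa + 3] << 24);
    return 1;
}

static void write_u32(uint32_t pa, uint32_t v)
{
    image[pa] = (uint8_t)v;             image[pa + 1] = (uint8_t)(v >> 8);
    image[pa + 2] = (uint8_t)(v >> 16); image[pa + 3] = (uint8_t)(v >> 24);
}

/* Translate va under the page directory at cr3 (non-PAE: PDE index = va[31:22],
 * PTE index = va[21:12], offset = va[11:0]). */
int va2pa(uint32_t cr3, uint32_t va, uint32_t *pa)
{
    uint32_t pde, pte;
    int resolvable;

    if (!read_u32((cr3 & 0xfffff000u) + ((va >> 22) & 0x3ffu) * 4u, &pde))
        return VA_OUT_OF_IMAGE;
    if (!(pde & 1u))
        return VA_PDE_NOT_PRESENT;
    if (pde & 0x80u) {                 /* PS=1: 4 MB page, no second level */
        *pa = (pde & 0xffc00000u) | (va & 0x3fffffu);
        return VA_OK;
    }
    if (!read_u32((pde & 0xfffff000u) + ((va >> 12) & 0x3ffu) * 4u, &pte))
        return VA_OUT_OF_IMAGE;
    /* Valid=0 does not always mean the page is gone: a Windows transition PTE
     * (bit 11 set, prototype bit 10 clear) still names a frame that is in RAM. */
    resolvable = (pte & 1u) || ((pte & 0x800u) && !(pte & 0x400u));
    if (!resolvable)
        return VA_PTE_NOT_PRESENT;
    *pa = (pte & 0xfffff000u) | (va & 0xfffu);
    return VA_OK;
}

/* Read one byte through the page tables; fails cleanly if the frame lies outside the image. */
int read_byte_va(uint32_t cr3, uint32_t va, uint8_t *out)
{
    uint32_t pa;
    int st = va2pa(cr3, va, &pa);
    if (st != VA_OK) return st;
    if (pa >= IMAGE_SIZE) return VA_OUT_OF_IMAGE;
    *out = image[pa];
    return VA_OK;
}

/* Sanity check on a candidate KPCR: its SelfPcr field must point back at itself. */
int kpcr_self_check(uint32_t cr3, uint32_t kpcr_va)
{
    uint32_t pa, self;
    if (va2pa(cr3, kpcr_va + KPCR_SELFPCR_OFFSET, &pa) != VA_OK) return 0;
    if (!read_u32(pa, &self)) return 0;
    return self == kpcr_va;
}

/* Build the constructed image: one page directory, two page tables, sample data. */
void build_image(void)
{
    write_u32(CR3 + 0u * 4u, 0x2003u);          /* PDE[0]: page table at 0x2000, VA 0..4MB */
    write_u32(CR3 + 1u * 4u, 0x00c00083u);      /* PDE[1]: 4 MB page, VA 0x400000 -> PA 0xc00000 */
    write_u32(CR3 + 0x3ffu * 4u, 0x3003u);      /* PDE[0x3ff]: page table at 0x3000, covers KPCR */
    write_u32(0x2000u + 5u * 4u, 0x6003u);      /* VA 0x5000 -> PA 0x6000, valid */
    write_u32(0x2000u + 6u * 4u, 0x7800u);      /* VA 0x6000 -> PA 0x7000, transition PTE */
    write_u32(0x2000u + 7u * 4u, 0x12345000u);  /* VA 0x7000: paged out, unresolvable here */
    write_u32(0x3000u + 0x1ffu * 4u, 0x4003u);  /* VA 0xffdff000 (KPCR) -> PA 0x4000 */
    image[0x6010u] = 0x41;                      /* sample byte behind the valid PTE */
    image[0x7020u] = 0x42;                      /* sample byte behind the transition PTE */
    write_u32(0x4000u + KPCR_SELFPCR_OFFSET, KPCR_VA);  /* KPCR.SelfPcr self-pointer */
}

int main(void)
{
    static const uint32_t vas[] = { 0x00005010u, 0x00401234u, 0xffdff01cu,
                                    0x00006020u, 0x00007000u, 0x00800000u };
    size_t i;
    build_image();
    for (i = 0; i < sizeof vas / sizeof vas[0]; i++) {
        uint32_t pa = 0;
        int st = va2pa(CR3, vas[i], &pa);
        printf("VA 0x%08x -> status %d, PA 0x%08x\n", vas[i], st, pa);
    }
    printf("KPCR self-check: %d\n", kpcr_self_check(CR3, KPCR_VA));
    return 0;
}
```

Two points matter in practice: a frame address computed from a 4 MB page (or any PTE) can lie beyond the end of the captured image, so the raw translation and the actual read are kept separate and the read is bounds-checked; and a PTE with the present bit clear is not automatically lost, since Windows transition PTEs still point at frames that are in the image. A real image also needs a CR3 value, which is itself recovered from the image (for instance from the kernel's own structures) rather than assumed as it is here.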
Year
2009
DOI
10.1109/IAS.2009.103
Venue
IAS
Keywords
memory image, physical address, windows memory, windows xp sp2, memory analysis, windows memory analysis, virtual address, physical memory analysis, server sp2, windows vista home basic, address translation, data structures, data structure, registers, world wide web, computer forensics, process control, kernel, forensics, data mining
Field
Data structure, DLL Hell, Computer forensics, Physical address, Computer security, Computer science, Virtual address space, Commit charge, Paging, Windows Vista, Operating system
DocType
Conference
Citations
12
PageRank
0.82
References
8
Authors
3
Name  Order  Citations and PageRank (run together in the source)
Ruichao Zhang  1  202.05
Lianhai Wang  2  4110.98
Shuhui Zhang  3  324.82