DocumentCode :
1826728
Title :
Windows Memory Analysis Based on KPCR
Author :
Zhang, Ruichao ; Wang, Lianhai ; Zhang, Shuhui
Author_Institution :
Shandong Comput. Sci. Center, Jinan, China
Volume :
2
fYear :
2009
fDate :
18-20 Aug. 2009
Firstpage :
677
Lastpage :
680
Abstract :
This paper briefly introduces the challenges facing the collection of volatile data from a target computer, and gives reasons to favor physical memory analysis. After reviewing related work on memory analysis, it details a Windows memory analysis method through which useful information, such as running processes, current network connections and file contents, can be extracted from a memory image. The method is based on a Windows data structure known as the kernel processor control region (KPCR). In addition, address translation from virtual addresses to physical addresses is discussed in detail, and a practical address translation algorithm is given. The method is verified on Windows XP SP2, Windows 2003 Server SP2 and Windows Vista Home Basic.
Keywords :
data structures; operating system kernels; storage allocation; Windows 2003 Server SP2; Windows Vista Home Basic; Windows data structure; Windows memory analysis; address translation; kernel processor control region; physical address; virtual address; volatile data; Computer security; Data mining; Data security; Digital forensics; Guidelines; Image analysis; Information analysis; Information security; Kernel; Physics computing; KPCR; address translation; computer forensics; memory analysis;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Information Assurance and Security, 2009. IAS '09. Fifth International Conference on
Conference_Location :
Xian
Print_ISBN :
978-0-7695-3744-3
Type :
conf
DOI :
10.1109/IAS.2009.103
Filename :
5284273