Exploratory Study on Memory Analysis of Windows 7 Operating System
Several new features of Windows 7 may pose new challenges for memory investigation, while also offering opportunities to acquire more forensically sensitive information that can be recovered and extracted from a memory image file. This paper analyzes the new features in Windows 7 and develops a memory analysis method based on them. The method relies on the Windows data structure known as the Kernel Processor Control Region (KPCR). Details of address translation from virtual address to physical address are presented in three steps: acquisition of the KPCR structure, acquisition of the address held in the CR3 register, and the address translation algorithm. Running processes, object types and the registry can be extracted by this method. It is verified on 32-bit Windows 7 and 64-bit Windows 7.
Keywords: Windows 7; forensics; memory analysis
Shuhui Zhang, Lianhai Wang, Ruichao Zhang, Qiuxiang Guo
Shandong Provincial Key Laboratory of Computer Network, Shandong Computer Science Center, 19 Keyuan Ro
International conference
Chengdu
English
1-5
2010-08-20 (date first posted on the Wanfang platform; does not represent the paper's publication date)