ID Code : CSC 0022
Title : Investigating the PROCESS block for Memory Analysis
Author/s : Khairul Akram Zainol Ariffin
Ahmad Kamil Mahmood
Jafreezal Jaafar
Abstract : Over the past few years, memory analysis has become a recurring topic in digital forensics. A number of tools have been released that focus on memory acquisition on Windows systems. However, memory analysis itself is still limited because it encounters many difficulties. The aim of this paper is to outline one of these difficulties, which concerns the structure of the EPROCESS block. It discusses the differences in field offsets between Windows 2000 and Windows XP. Further, the important internal structures in the EPROCESS block are identified, as they play an important role in analysis and theory reconstruction for a forensic investigation. In addition, an address translation for x86 platforms is demonstrated. Finally, the limitations of the address translation algorithm are discussed and identified.
Publication : Proceedings of the 11th WSEAS International Conference on Applied Computer Science Recent Researches in Applied Mathematics and Informatics
Year Published : 2011
Pages : 21-29
Type : Conference Proceeding
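The x86 address translation the abstract refers to, as an added example (not code from the paper): a 32-bit, non-PAE page-table walk over a memory image, of the kind a memory-analysis tool performs before it can read any field of an EPROCESS block. The directory table base (DTB), the page-table and page addresses, and the image contents are all constructed for illustration. The walk also handles the 4 MiB large-page case (PS bit set in the PDE) and shows the limitation the abstract points at: a PTE with the present bit clear cannot be resolved from the image alone, so the read fails instead of returning wrong bytes.

```python
"""32-bit x86 (non-PAE) virtual-to-physical translation over a memory image.

Added example for illustration; the image layout below is constructed,
not taken from any real system.
"""
import struct

PAGE_SIZE = 0x1000
PRESENT = 1 << 0        # bit 0 of a PDE or PTE: entry is valid
PDE_LARGE = 1 << 7      # PS bit in a PDE: maps a 4 MiB page, no page table
READ_WRITE = 1 << 1

DTB = 0x1000            # constructed: physical address of the page directory


class TranslationError(Exception):
    """The walk cannot be completed from the image alone."""


def read_u32(image, paddr):
    """Read a little-endian 32-bit word at a physical address."""
    if paddr < 0 or paddr + 4 > len(image):
        raise TranslationError(f"physical 0x{paddr:x} is outside the image")
    return struct.unpack_from("<I", image, paddr)[0]


def v2p(image, dtb, vaddr):
    """Walk the page directory at dtb and return the physical address of vaddr."""
    pde_index = (vaddr >> 22) & 0x3FF      # top 10 bits select the PDE
    pte_index = (vaddr >> 12) & 0x3FF      # next 10 bits select the PTE
    pde = read_u32(image, dtb + pde_index * 4)
    if not pde & PRESENT:
        raise TranslationError(f"PDE {pde_index} for 0x{vaddr:08x} not present")
    if pde & PDE_LARGE:
        # 4 MiB page: bits 31..22 of the PDE are the frame, 22-bit offset
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = read_u32(image, (pde & 0xFFFFF000) + pte_index * 4)
    if not pte & PRESENT:
        # Present bit clear: paged out, never mapped, or a software PTE.
        # The raw value is reported so the analyst knows the image alone
        # cannot resolve it (a pagefile would be needed).
        raise TranslationError(
            f"PTE {pte_index} for 0x{vaddr:08x} not present (raw 0x{pte:08x})")
    return (pte & 0xFFFFF000) | (vaddr & 0xFFF)


def read_virtual(image, dtb, vaddr, length):
    """Read length bytes at vaddr, translating page by page."""
    out = bytearray()
    while length > 0:
        paddr = v2p(image, dtb, vaddr)
        chunk = min(length, PAGE_SIZE - (vaddr & 0xFFF))
        out += image[paddr:paddr + chunk]
        vaddr += chunk
        length -= chunk
    return bytes(out)


def can_translate(image, dtb, vaddr):
    """True if vaddr resolves to a physical address in the image."""
    try:
        v2p(image, dtb, vaddr)
        return True
    except TranslationError:
        return False


def build_image():
    """Constructed 64 KiB 'physical memory' with a tiny set of page tables."""
    image = bytearray(0x10000)
    page_table = 0x2000
    data_page = 0x3000
    # PDE 0 -> page table at 0x2000 (present, writable)
    struct.pack_into("<I", image, DTB + 0 * 4, page_table | PRESENT | READ_WRITE)
    # PDE 1 -> 4 MiB large page starting at physical 0
    struct.pack_into("<I", image, DTB + 1 * 4, 0x00000000 | PDE_LARGE | PRESENT | READ_WRITE)
    # PTE 1 -> physical page 0x3000; PTE 2 stays zero (not present)
    struct.pack_into("<I", image, page_table + 1 * 4, data_page | PRESENT | READ_WRITE)
    # PTE 3: present bit clear but non-zero, i.e. not resident in the image
    struct.pack_into("<I", image, page_table + 3 * 4, 0x00000400)
    # Sample data at physical 0x3234 (constructed)
    image[0x3234:0x3234 + 7] = b"System\x00"
    return image


if __name__ == "__main__":
    img = build_image()
    print(hex(v2p(img, DTB, 0x00001234)))            # via PTE: 0x3234
    print(hex(v2p(img, DTB, 0x00403234)))            # via 4 MiB page: 0x3234
    print(read_virtual(img, DTB, 0x00001234, 6))     # b'System'
    print(can_translate(img, DTB, 0x00002000))       # False: PTE not present
```

Two different virtual addresses resolve to the same physical byte here, one through a page table and one through a large page; an analyst who only follows PTEs would miss the large-page mapping. The non-present case is deliberately an error rather than a zero-filled read, since silently returning wrong bytes is the failure mode that corrupts a reconstructed process list.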
