Authors: Andrea Oliveri, Nikola Nemes, Andjelic Branislav, Davide Balzarotti
DFRWS EU 2025
Abstract
Over the years, memory forensics has emerged as a powerful analysis technique for uncovering security breaches that often evade detection. However, the differences in layouts used by the operating systems to organize data in memory can undermine its effectiveness. To overcome this problem, forensics tools rely on specialized “maps”, the profiles, that describe the location and layout of kernel data types in volatile memory for each different OS. To avoid compromising the entire forensics analysis, it is crucial to meticulously select the profile to use, which is also tailored to the specific version of the OS.