Authors: Andrew White (Dell Secureworks), Bradley Schatz, Ph.D. (Schatz Forensic), Ernest Foo
DFRWS USA 2012
Previous research into memory forensics has focused on understanding the structure and contents of the kernel space portions of physical memory, and mostly ignored the contents of the userspace. This paper describes the results of a survey of user space virtual address allocations in the Windows XP and Windows 7 operating systems, comprehensively identifying the kernel and userspace metadata required to identify such allocations. New techniques for determining the role and content of those allocations are identified, significantly increasing the proportion of allocations for which the role and function are understood. The validity of this approach is evaluated and a detailed analysis of the data structures involved provided. An implementation of this approach is presented which is capable of identifying all user space allocations, and for those allocations identifying for a high percentage, the role of those allocations, even for complex applications.