9 Investigating the Process Block for Memory Analysis
-
Published:2011
Download citation file:
Over the past few years, memory analysis has been an issue that has been discussed in digital forensics. A number of tools have been released that focus on memory acquisition of Windows system. However, the implementation of memory analysis is still limited as it encounters a lot of difficulties. The aim of this paper is to outline one of the difficulties with regards to the structure of EPROCESS block. It will discuss about the differences in offset between Windows 2000 and Window XP. Further, the important of internal structures in EPROCESS block will be identified as they play an important role in the analysis and theory reconstruction for forensic investigation. Nevertheless, an address translation for x86 platforms will be demonstrated in this paper. Hence, the limitation of the address translation algorithm will also been discussed and identified.