ASME Press Select Proceedings

International Conference on Computer and Electrical Engineering 4th (ICCEE 2011)

Jianhong Zhou
ASME Press

Over the past few years, memory analysis has been a much-discussed issue in digital forensics. A number of tools have been released that focus on memory acquisition from Windows systems. However, the implementation of memory analysis is still limited, as it encounters many difficulties. The aim of this paper is to outline one of these difficulties with regard to the structure of the EPROCESS block. It will discuss the differences in offsets between Windows 2000 and Windows XP. Further, the importance of the internal structures in the EPROCESS block will be identified, as they play an important role in the analysis and theory reconstruction for forensic investigation. In addition, an address translation for x86 platforms will be demonstrated in this paper, and the limitations of the address translation algorithm will also be discussed and identified.
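As an added example, not taken from the paper or its author, the two-level virtual-to-physical translation the abstract refers to, written for the 32-bit non-PAE x86 paging mode and run over a constructed memory image; the page-directory base (the CR3 value), the virtual addresses and the "EPROCESS" marker bytes are all constructed, and 4 MiB pages are assumed to be enabled (CR4.PSE). It also shows one limitation of walking page tables from an image alone: a mapping whose present bit is clear (paged out or never mapped) cannot be resolved.

```python
import struct

PAGE_SIZE = 0x1000
PRESENT = 1 << 0         # bit 0 of a PDE/PTE: mapping is valid in RAM
PAGE_SIZE_FLAG = 1 << 7  # PS bit of a PDE: entry maps a 4 MiB page (needs CR4.PSE)


def read_u32(mem: bytes, paddr: int) -> int:
    """Read a little-endian 32-bit value at a physical offset of the image."""
    if paddr + 4 > len(mem):
        raise ValueError(f"physical address {paddr:#010x} lies outside the image")
    return struct.unpack_from("<I", mem, paddr)[0]


def translate_x86_nonpae(mem: bytes, cr3: int, vaddr: int):
    """Walk PD -> PT for a 32-bit non-PAE address; None if not present."""
    pdi = (vaddr >> 22) & 0x3FF      # bits 31..22 index the page directory
    pti = (vaddr >> 12) & 0x3FF      # bits 21..12 index the page table
    offset = vaddr & 0xFFF           # bits 11..0 are the byte offset in the page
    pde = read_u32(mem, (cr3 & ~0xFFF) + pdi * 4)
    if not pde & PRESENT:
        return None                  # limitation: paged-out/unmapped, not in image
    if pde & PAGE_SIZE_FLAG:         # 4 MiB page: PDE bits 31..22 are the frame
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = read_u32(mem, (pde & ~0xFFF) + pti * 4)
    if not pte & PRESENT:
        return None
    return (pte & ~0xFFF) | offset


def read_virtual(mem: bytes, cr3: int, vaddr: int, length: int):
    """Read bytes at a virtual address (assumes the range stays within one page)."""
    paddr = translate_x86_nonpae(mem, cr3, vaddr)
    return None if paddr is None else mem[paddr:paddr + length]


SAMPLE_CR3 = 0x1000  # constructed: page directory lives at physical 0x1000


def build_sample_image() -> bytes:
    """Constructed 16 KiB image: PD at 0x1000, PT at 0x2000, data page at 0x3000."""
    mem = bytearray(4 * PAGE_SIZE)
    struct.pack_into("<I", mem, 0x1000 + 1 * 4, 0x2000 | 0x3)        # PDE[1] -> PT, P+RW
    struct.pack_into("<I", mem, 0x1000 + 2 * 4, 0x00800000 | 0x83)   # PDE[2] 4 MiB page
    struct.pack_into("<I", mem, 0x2000 + 1 * 4, 0x3000 | 0x3)        # PTE[1] -> 0x3000
    mem[0x3234:0x3234 + 8] = b"EPROCESS"                             # marker at 0x3234
    return bytes(mem)


if __name__ == "__main__":
    img = build_sample_image()
    for va in (0x00401234, 0x00800ABC, 0x00C00000):
        print(f"{va:#010x} -> {translate_x86_nonpae(img, SAMPLE_CR3, va)}")
```

Virtual 0x00401234 resolves through PDE[1] and PTE[1] to physical 0x3234, 0x00800ABC hits the 4 MiB entry, and 0x00C00000 has no present PDE and so cannot be read from the image.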
