Pool tag quick scanning for windows memory analysis


Abstract

Pool tag scanning is a process commonly used in memory analysis in order to locate kernel object allocations, enabling investigators to discover evidence of artifacts that may have been freed or otherwise maliciously hidden from the operating system. The fastest current scanning techniques require an exhaustive search of physical memory, a process that has a linear time complexity over physical memory size. We propose a novel technique that we are calling “pool tag quick scanning” that is able to reduce the scanning space by 1–2 orders of magnitude, resulting in much faster discovery of targeted kernel data structures, while maintaining a high degree of accuracy.

Citation (APA)

Sylve, J. T., Marziale, V., & Richard, G. G. (2016). Pool tag quick scanning for windows memory analysis. In DFRWS 2016 EU - Proceedings of the 3rd Annual DFRWS Europe (pp. S25–S32). Digital Forensic Research Workshop. https://doi.org/10.1016/j.diin.2016.01.005
