Gesellschaft fr Informatik e.V.

Lecture Notes in Informatics

IT-Incident Management & IT-Forensics - IMF 2006, Conference Proceedings October, 18th - 19th, 2006, Stuttgart P-97, 104-115 (2006).



Oliver Göbel, Dirk Schadt, Sandra Frings, Hardo Hase, Detlef Günther, Jens Nedon (eds.)


Pool allocations as an information source in windows memory forensics

Andreas Schuster


The Microsoft Windows kernel provides a heap-like memory management, called "pools". Whenever some kernel-mode code requires an amount of memory, it is allocated from a pool. Ignoring the documented interface and searching the whole dump of physical memory for signatures of pool allocations allows the forensic examiner to gain information not only from currently active but also from freed and not yet overwritten allocations. Understanding the inner mechanics of memory pools enables an examiner to connect certain finds in memory to the originating piece of code. As an example this articles describes the steps necessary to detect traces of network activity in a memory dump.

Full Text: PDF

ISBN 978-3-88579-191-1

Last changed 24.01.2012 21:56:44