Title :
Exploratory study on memory analysis of Windows 7 operating system
Author :
Zhang, Shuhui ; Wang, Lianhai ; Zhang, Ruichao ; Guo, Qiuxiang
Author_Institution :
Shandong Provincial Key Lab. of Comput. Network, Shandong Comput. Sci. Center, Jinan, China
Abstract :
Several new features of Windows 7 may provide new challenges for memory investigation, and also offer opportunities for acquiring more forensically sensitive information which can be recovered and extracted from the memory image file. This paper analyzed the new features in Windows 7 and developed the memory analysis method according to these new features. The method is based on the data structure in windows which is known as Kernel Processor Control Region (KPCR). Details of address translation from virtual address to physical address are presented, including three steps: acquisition of KPCR structure, acquisition the address of CR3 register and address translation algorithm. Running processes, object type and registry can be extracted by this method. It is verified on 32-bit Windows 7 and 64-bit Windows 7.
Keywords :
operating system kernels; storage management; CR3 register; Windows 7 operating system; address translation algorithm; forensically sensitive information; kernel processor control region; memory analysis; memory image file; Computers; Windows 7; forensics; memory analysis;
Conference_Titel :
Advanced Computer Theory and Engineering (ICACTE), 2010 3rd International Conference on
Conference_Location :
Chengdu
Print_ISBN :
978-1-4244-6539-2
DOI :
10.1109/ICACTE.2010.5579832
