DocumentCode
2234722
Title
Exploratory study on memory analysis of Windows 7 operating system
Author
Zhang, Shuhui ; Wang, Lianhai ; Zhang, Ruichao ; Guo, Qiuxiang
Author_Institution
Shandong Provincial Key Lab. of Comput. Network, Shandong Comput. Sci. Center, Jinan, China
Volume
6
fYear
2010
fDate
20-22 Aug. 2010
Abstract
Several new features of Windows 7 may pose new challenges for memory investigation, but they also offer opportunities for acquiring more forensically sensitive information that can be recovered and extracted from a memory image file. This paper analyzes the new features in Windows 7 and develops a memory analysis method based on them. The method is built on the Windows data structure known as the Kernel Processor Control Region (KPCR). Details of address translation from virtual address to physical address are presented in three steps: acquisition of the KPCR structure, acquisition of the CR3 register value, and the address translation algorithm. Running processes, object types and the registry can be extracted by this method. It is verified on both 32-bit and 64-bit Windows 7.
Keywords
operating system kernels; storage management; CR3 register; Windows 7 operating system; address translation algorithm; forensically sensitive information; kernel processor control region; memory analysis; memory image file; Computers; Windows 7; forensics; memory analysis;
fLanguage
English
Publisher
ieee
Conference_Titel
Advanced Computer Theory and Engineering (ICACTE), 2010 3rd International Conference on
Conference_Location
Chengdu
ISSN
2154-7491
Print_ISBN
978-1-4244-6539-2
Type
conf
DOI
10.1109/ICACTE.2010.5579832
Filename
5579832