The VAD tree: A process-eye view of physical memory

Brendan Dolan-Gavitt

    Research output: Contribution to journal, Article

    Abstract

    This paper describes the use of the Virtual Address Descriptor (VAD) tree structure in Windows memory dumps to help guide forensic analysis of Windows memory. We describe how to locate and parse the structure, and show its value in breaking up physical memory into more manageable and semantically meaningful units than can be obtained by simply walking the page directory for the process. Several tools to display information about the VAD tree and dump the memory regions it describes will also be presented.

    Original language: English (US)
    Pages (from-to): 62-64
    Number of pages: 3
    Journal: Digital Investigation
    Volume: 4
    Issue number: SUPPL.
    DOI: 10.1016/j.diin.2007.06.008
    State: Published - Sep 2007

    Keywords

    • Anti-forensics
    • Digital forensics
    • Microsoft Windows
    • Virtual Address Descriptors
    • Volatile memory

    ASJC Scopus subject areas

    • Computer Science (miscellaneous)
    • Engineering (miscellaneous)
    • Law

    Cite this

    The VAD tree: A process-eye view of physical memory. / Dolan-Gavitt, Brendan.

    In: Digital Investigation, Vol. 4, No. SUPPL., 09.2007, p. 62-64.

    @article{188324e84d2a470d81ba3505701ce4ae,
    title = "The VAD tree: A process-eye view of physical memory",
    abstract = "This paper describes the use of the Virtual Address Descriptor (VAD) tree structure in Windows memory dumps to help guide forensic analysis of Windows memory. We describe how to locate and parse the structure, and show its value in breaking up physical memory into more manageable and semantically meaningful units than can be obtained by simply walking the page directory for the process. Several tools to display information about the VAD tree and dump the memory regions it describes will also be presented.",
    keywords = "Anti-forensics, Digital forensics, Microsoft Windows, Virtual Address Descriptors, Volatile memory",
    author = "Brendan Dolan-Gavitt",
    year = "2007",
    month = "9",
    doi = "10.1016/j.diin.2007.06.008",
    language = "English (US)",
    volume = "4",
    pages = "62--64",
    journal = "Digital Investigation",
    issn = "1742-2876",
    publisher = "Elsevier Limited",
    number = "SUPPL.",
    }
