The VAD tree: A process-eye view of physical memory

Brendan Dolan-Gavitt

    Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

    Abstract

    This paper describes the use of the Virtual Address Descriptor (VAD) tree structure in Windows memory dumps to help guide forensic analysis of Windows memory. We describe how to locate and parse the structure, and show its value in breaking up physical memory into more manageable and semantically meaningful units than can be obtained by simply walking the page directory for the process. Several tools to display information about the VAD tree and dump the memory regions it describes will also be presented.

    Original language: English (US)
    Title of host publication: DFRWS 2007 Annual Conference
    DOI: https://doi.org/10.1016/j.diin.2007.06.008
    State: Published - 2007
    Event: 7th Annual Digital Forensic Research Workshop, DFRWS 2007 - Pittsburgh, PA, United States
    Duration: Aug 13 2007 - Aug 15 2007



    Keywords

    • Anti-forensics
    • Digital forensics
    • Microsoft Windows
    • Virtual Address Descriptors
    • Volatile memory

    ASJC Scopus subject areas

    • Information Systems

    Cite this


    Dolan-Gavitt, B 2007, The VAD tree: A process-eye view of physical memory. in DFRWS 2007 Annual Conference. 7th Annual Digital Forensic Research Workshop, DFRWS 2007, Pittsburgh, PA, United States, 8/13/07. https://doi.org/10.1016/j.diin.2007.06.008
