Network investigation cases rarely follow a rote path, but most investigations share a few typical steps. One of the first, when the system is still running, is to acquire its memory. A computer's memory yields a myriad of invaluable information: the running and hidden processes, when each was started and by whom, and what those processes were doing. Terminated objects may even be found in memory days after they were killed. Memory also holds the state of the active network connections (Burdach).
“Windows memory analysis techniques depend on the examiner’s ability to translate the virtual addresses used by programs and operating system components into the true locations of data in a memory image,” (Schuster). Because Windows caches large amounts of file data in memory, the analysis must also take into account mapped-file data that sits in pages the page tables mark as invalid. Physical memory is divided into 4096-byte page frames; a page is the same-sized unit of a process’s virtual address space, and the memory manager maps the pages a process uses onto frames (or, once they have been paged out, onto slots in the pagefile on disk). A page whose page-table entry has the valid bit clear, so that the ordinary hardware translation walk cannot follow it to a frame, is said to be invalid (Burdach). In some memory images over 20% of the virtual addresses we find point to such “invalid” pages, which an average method of address translation cannot resolve (Schuster), even though many of them are still present in the image. By using every available page we greatly increase the completeness of the analysis and recreate more accurately the machine as it existed at the time of imaging.
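The following is an added example, not code from the paper or from any of the cited authors, illustrating the point above on a constructed 32-bit non-PAE x86 image. The page-table walk, the bit positions (valid bit 0, prototype bit 10, transition bit 11) and the sample image are assumptions of this example; the ordinary walk stops at any entry whose valid bit is clear, while the `use_transition` option also accepts entries whose transition bit is set and prototype bit clear, which is one class of “invalid” page whose frame number is still usable.

```python
import struct

PAGE_SIZE = 0x1000
PAGE_MASK = ~(PAGE_SIZE - 1) & 0xffffffff
# Bits of a 32-bit non-PAE x86 page-table entry (assumed layout for this example).
PTE_VALID = 1 << 0        # hardware valid bit: the ordinary walk stops when it is clear
PDE_LARGE = 1 << 7        # 4 MB page in a directory entry
PTE_PROTOTYPE = 1 << 10   # software bit: entry points at a prototype PTE, PFN field is not a frame
PTE_TRANSITION = 1 << 11  # software bit: page is on a standby/modified list, PFN still valid


class PhysicalImage:
    """A raw physical memory image held in a bytearray (constructed, not a real dump)."""

    def __init__(self, size):
        self.buf = bytearray(size)

    def read32(self, paddr):
        return struct.unpack_from("<I", self.buf, paddr)[0]

    def write32(self, paddr, value):
        struct.pack_into("<I", self.buf, paddr, value)

    def read(self, paddr, size):
        return bytes(self.buf[paddr:paddr + size])


def translate(img, cr3, vaddr, use_transition=False):
    """Two-level x86 walk from a virtual address to a physical one.
    Returns None when the page cannot be located in the image."""
    pdi = (vaddr >> 22) & 0x3ff          # page-directory index
    pti = (vaddr >> 12) & 0x3ff          # page-table index
    offset = vaddr & (PAGE_SIZE - 1)
    pde = img.read32((cr3 & PAGE_MASK) + pdi * 4)
    if not pde & PTE_VALID:
        return None
    if pde & PDE_LARGE:                  # 4 MB page: no second level
        return (pde & 0xffc00000) | (vaddr & 0x3fffff)
    pte = img.read32((pde & PAGE_MASK) + pti * 4)
    if pte & PTE_VALID:
        return (pte & PAGE_MASK) | offset
    # "Invalid" by the hardware's standard, but the frame is still in the image
    # when the page is merely in transition and the entry is not a prototype pointer.
    if use_transition and (pte & PTE_TRANSITION) and not (pte & PTE_PROTOTYPE):
        return (pte & PAGE_MASK) | offset
    return None


def read_virtual(img, cr3, vaddr, size, use_transition=False):
    paddr = translate(img, cr3, vaddr, use_transition)
    return None if paddr is None else img.read(paddr, size)


def build_sample_image():
    """Constructed image: page directory at 0x1000, one page table at 0x2000,
    a resident data page at 0x3000 and a transition page at 0x4000."""
    img = PhysicalImage(0x6000)
    cr3 = 0x1000
    img.write32(cr3 + 1 * 4, 0x2000 | PTE_VALID)             # PDE covering 0x00400000-0x007fffff
    img.write32(0x2000 + 0 * 4, 0x3000 | PTE_VALID)          # VA 0x00400000: resident
    img.write32(0x2000 + 1 * 4, 0x4000 | PTE_TRANSITION)     # VA 0x00401000: invalid, in transition
    img.write32(0x2000 + 2 * 4, 0x5000 | PTE_TRANSITION | PTE_PROTOTYPE)  # VA 0x00402000: prototype
    img.buf[0x3000:0x3008] = b"RESIDENT"
    img.buf[0x4000:0x4008] = b"STANDBY!"
    return img, cr3


def coverage(img, cr3, vaddrs, use_transition):
    """How many of the given virtual pages the walk can locate in the image."""
    return sum(1 for va in vaddrs if translate(img, cr3, va, use_transition) is not None)


if __name__ == "__main__":
    img, cr3 = build_sample_image()
    pages = [0x00400000, 0x00401000, 0x00402000]
    print("ordinary walk:", coverage(img, cr3, pages, False), "of", len(pages))
    print("with transition pages:", coverage(img, cr3, pages, True), "of", len(pages))
```

On this image the ordinary walk recovers one of the three pages; accepting transition entries recovers two. The prototype entry is deliberately left unresolved, since its PFN field is not a frame number and resolving it requires following the prototype PTE into the section's file-mapping structures.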
Data carving can be done on memory just as on a hard disk. Carving algorithms cannot, however, recover a fragment whose page was never loaded into memory, and they do not know which file a recovered fragment belongs to. What can be reconstructed of such files is recovered by interpreting the file-mapping related structures, which tell us which parts of a mapped file are present in the image and where (Schuster). File mappings are administered by kernel data structures, which are allocated from memory pools. “A memory pool is a dynamic memory area allocated by the kernel where it stores administrative structures,” (Schuster). Each pool allocation begins with a header that carries a four-byte pool tag identifying the type of structure stored in the block (for example Proc, Vad, and Obtb). The EPROCESS structure, which describes a process, is allocated in a block with the pool tag Proc. The EPROCESS contains pointers to the process’s object table (Obtb) and to the root of its Virtual Address Descriptor (VAD) tree (Dolan-Gavitt). The object table lists the private objects in use by the process, such as file objects (pool tag File), registry key objects (pool tag Key), and event objects (pool tag Even) (Dolan-Gavitt). The VAD root is the starting point of the VAD tree, and the VAD tree records the virtual memory ranges in use by the process (Dolan-Gavitt). We can therefore reconstruct a process’s virtual address space by walking its VAD tree.
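The following is an added example, not code from the paper or from Schuster or Dolan-Gavitt, that walks the chain just described on a constructed image: scan for pool headers by tag, follow the Proc block to its object table and VAD root, and walk the VAD tree in order to list the process’s address ranges. The pool header bitfields (PreviousSize, PoolIndex, BlockSize, PoolType, then the tag) follow the 32-bit x86 `_POOL_HEADER` layout; the bodies of the Proc and Vad blocks are simplified stand-ins chosen for this example, not the real `_EPROCESS` and `_MMVAD` layouts, and child links are image offsets rather than kernel virtual addresses.

```python
import struct

POOL_HEADER_SIZE = 8   # x86 _POOL_HEADER: one bitfield DWORD followed by the 4-byte tag
POOL_GRANULARITY = 8   # x86 pool blocks are allocated and aligned in 8-byte units

# Simplified block bodies for this example (not the real kernel structures).
PROC_BODY = struct.Struct("<III")   # pid, object-table block offset, VAD-root block offset
VAD_BODY = struct.Struct("<IIII")   # StartingVpn, EndingVpn, left-child offset, right-child offset


def parse_pool_header(buf, off):
    bits, tag = struct.unpack_from("<I4s", buf, off)
    return {
        "offset": off,
        "previous_size": bits & 0x1ff,
        "pool_index": (bits >> 9) & 0x7f,
        "block_size": (bits >> 16) & 0x1ff,   # in 8-byte units, header included
        "pool_type": (bits >> 25) & 0x7f,     # 0 means the block has been freed
        "tag": tag,
    }


def make_pool_block(tag, body, pool_type=2):
    """Build a pool block with a correctly sized header around the given body."""
    units = -(-(POOL_HEADER_SIZE + len(body)) // POOL_GRANULARITY)
    bits = (units << 16) | (pool_type << 25)
    return (struct.pack("<I4s", bits, tag) + body).ljust(units * POOL_GRANULARITY, b"\0")


def scan_pool_tags(buf, wanted):
    """Carve pool blocks whose tag is in `wanted`, checking the header is plausible.
    Freed blocks are kept and flagged: their contents often survive the free."""
    hits = []
    for off in range(0, len(buf) - POOL_HEADER_SIZE + 1, POOL_GRANULARITY):
        hdr = parse_pool_header(buf, off)
        if hdr["tag"] not in wanted:
            continue
        if hdr["block_size"] < 2:                               # room for more than a header
            continue
        if off + hdr["block_size"] * POOL_GRANULARITY > len(buf):
            continue
        hdr["freed"] = hdr["pool_type"] == 0
        hits.append(hdr)
    return hits


def walk_vad_tree(buf, node_off):
    """In-order walk of the VAD tree rooted at the block at node_off.
    Yields (start_va, end_va) ranges in ascending address order."""
    if node_off == 0:
        return
    start_vpn, end_vpn, left, right = VAD_BODY.unpack_from(buf, node_off + POOL_HEADER_SIZE)
    yield from walk_vad_tree(buf, left)
    yield (start_vpn << 12, ((end_vpn + 1) << 12) - 1)
    yield from walk_vad_tree(buf, right)


def process_address_space(buf, proc_off):
    """From a Proc block, follow the VAD-root pointer and return the process's ranges."""
    _pid, _obtb_off, vad_root = PROC_BODY.unpack_from(buf, proc_off + POOL_HEADER_SIZE)
    return list(walk_vad_tree(buf, vad_root))


def build_sample_image():
    """Constructed image: one process, its object table, a three-node VAD tree,
    a freed VAD block, and a bare 'Vad ' string inside data that must be rejected."""
    img = bytearray(0x1000)

    def place(off, blk):
        img[off:off + len(blk)] = blk

    place(0x100, make_pool_block(b"Proc", PROC_BODY.pack(4, 0x200, 0x300)))
    place(0x200, make_pool_block(b"Obtb", b"\0" * 0x20))
    place(0x300, make_pool_block(b"Vad ", VAD_BODY.pack(0x400, 0x40f, 0x400, 0x500)))   # root
    place(0x400, make_pool_block(b"Vad ", VAD_BODY.pack(0x10, 0x1f, 0, 0)))            # left child
    place(0x500, make_pool_block(b"Vad ", VAD_BODY.pack(0x7ff00, 0x7ffff, 0, 0)))      # right child
    place(0x600, make_pool_block(b"Vad ", VAD_BODY.pack(0x1000, 0x1001, 0, 0), pool_type=0))  # freed
    img[0x704:0x708] = b"Vad "   # tag bytes with a zero header: not a pool block
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for hdr in scan_pool_tags(image, {b"Proc", b"Obtb", b"Vad "}):
        print(hex(hdr["offset"]), hdr["tag"], "freed" if hdr["freed"] else "")
    for start, end in process_address_space(image, 0x100):
        print("%08x-%08x" % (start, end))
```

The plausibility checks on the header are what separates pool-tag carving from a plain string search: the four bytes `Vad ` at 0x704 are found by a string search but are rejected here because the header in front of them describes a block of size zero. The freed block at 0x600 is reported but flagged, which is how terminated objects mentioned earlier can still be surfaced from the image.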
The nodes of the VAD tree carry several different pool tags, corresponding to the different types of Virtual Address Descriptor. Two of the common ones, Vad and Vadl, contain...