Pool Allocations as an Information Source in Windows Memory Forensics

@inproceedings{Schuster2006PoolAA,
  title={Pool Allocations as an Information Source in Windows Memory Forensics},
  author={Andreas Schuster},
  booktitle={IMF},
  year={2006}
}
The Microsoft Windows kernel provides a heap-like memory management, called "pools". Whenever some kernel-mode code requires an amount of memory, it is allocated from a pool. Ignoring the documented interface and searching the whole dump of physical memory for signatures of pool allocations allows the forensic examiner to gain information not only from…
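The abstract describes scanning a raw physical-memory dump for the signatures of pool allocations instead of walking the kernel's own data structures. The following scanner is an added example written for this page; it is not code from the paper or from any forensic tool. It assumes the 8-byte 32-bit _POOL_HEADER layout of Windows XP-era kernels (PreviousSize, PoolIndex, BlockSize and PoolType packed into one 32-bit word, followed by a four-character PoolTag), as published in Microsoft's debugging symbols, and it runs over a small memory image constructed inline. Beyond the plain tag signature, it applies the consistency check a practitioner relies on to reject false positives: the block that follows a real allocation records the scanned block's size as its own PreviousSize.

```python
import struct
import string

# Layout of the 8-byte 32-bit _POOL_HEADER (Windows XP era; an assumption taken from
# public kernel debugging symbols, not from the paper itself):
#   bits  0-8   PreviousSize  (size of the preceding block, in 8-byte units)
#   bits  9-15  PoolIndex
#   bits 16-24  BlockSize     (size of this block including the header, in 8-byte units)
#   bits 25-31  PoolType      (0 means the block is free)
#   bytes 4-7   PoolTag       (four ASCII characters chosen by the allocating driver)
POOL_GRANULARITY = 8
HEADER_SIZE = 8
PRINTABLE = set(bytes(string.ascii_letters + string.digits + " .@_?-", "ascii"))


def parse_pool_header(buf, off):
    """Decode the pool header at buf[off:off+8] into a dict (no validation)."""
    word, raw_tag = struct.unpack_from("<I4s", buf, off)
    return {
        "offset": off,
        "prev_size": (word & 0x1FF) * POOL_GRANULARITY,
        "pool_index": (word >> 9) & 0x7F,
        "block_size": ((word >> 16) & 0x1FF) * POOL_GRANULARITY,
        "pool_type": (word >> 25) & 0x7F,
        # Protected allocations set the high bit of the last tag byte; mask it off.
        "tag": bytes(b & 0x7F for b in raw_tag),
    }


def looks_like_header(h):
    """Cheap signature test: allocated, larger than its own header, printable tag."""
    return (h["pool_type"] != 0
            and h["block_size"] > HEADER_SIZE
            and all(b in PRINTABLE for b in h["tag"]))


def scan_pool_allocations(buf, wanted_tags=None):
    """Walk the dump at 8-byte granularity and return candidate allocations.

    Each candidate carries a 'linked' flag: True when the following block's
    PreviousSize points back at this block, which is what separates a real
    allocation from arbitrary bytes that merely look like a tag.
    """
    hits = []
    for off in range(0, len(buf) - HEADER_SIZE + 1, POOL_GRANULARITY):
        h = parse_pool_header(buf, off)
        if not looks_like_header(h):
            continue
        if wanted_tags is not None and h["tag"] not in wanted_tags:
            continue
        nxt = off + h["block_size"]
        linked = False
        if nxt + HEADER_SIZE <= len(buf):
            linked = parse_pool_header(buf, nxt)["prev_size"] == h["block_size"]
        h["linked"] = linked
        hits.append(h)
    return hits


def make_block(prev_size, block_size, pool_type, tag, payload=b""):
    """Build one synthetic pool block (header plus zero-padded payload)."""
    word = (((prev_size // POOL_GRANULARITY) & 0x1FF)
            | (((block_size // POOL_GRANULARITY) & 0x1FF) << 16)
            | ((pool_type & 0x7F) << 25))
    body = payload[:block_size - HEADER_SIZE].ljust(block_size - HEADER_SIZE, b"\x00")
    return struct.pack("<I4s", word, tag) + body


# Constructed sample "dump": three chained allocations, a free block, and two decoys.
SAMPLE_DUMP = (
    make_block(0,    0x40, 2, b"File")        # 0x00: allocated block
  + make_block(0x40, 0x30, 2, b"Proc")        # 0x40: PreviousSize links back to 0x00
  + make_block(0x30, 0x20, 1, b"Thre")        # 0x70
  + make_block(0x20, 0x10, 0, b"\0\0\0\0")    # 0x90: free block, PoolType 0, skipped
  + b"\x00" * 0x18                            # 0xA0: unrelated zero-filled memory
  + b"Ack!Proc"                               # 0xB8: plain text that mimics a header
  + make_block(0,    0x18, 2, b"Proc")        # 0xC0: decoy with a broken chain
  + b"\x00" * 0x18                            # 0xD8
)


def linked_offsets(buf, wanted_tags=None):
    """Offsets of candidates that pass the neighbour-consistency check."""
    return [h["offset"] for h in scan_pool_allocations(buf, wanted_tags) if h["linked"]]


if __name__ == "__main__":
    for h in scan_pool_allocations(SAMPLE_DUMP):
        print(f"0x{h['offset']:04x} tag={h['tag'].decode()} "
              f"size=0x{h['block_size']:x} linked={h['linked']}")
```

The plain signature scan reports five candidates: the three real allocations plus the ASCII text at 0xB8 and the orphan header at 0xC0, both of which carry a plausible tag. Only the three real blocks survive the linkage check, which is why a scanner should report the check's result rather than the raw signature hits alone.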