Post-Mortem RAM Forensics - CanSecWest
CanSecWest 2007
21
EPROCESS
• The EPROCESS structure is fundamental
• Among other information it holds the PID, creation and exit times, the executing image name, priority, etc.
• Used for scheduling
– …well, sort of: the scheduler works from the KPROCESS (Pcb) embedded at the start of EPROCESS
• Pointers to the previous and next process (ActiveProcessLinks, a doubly linked list)
– Not particularly helpful in this case: walking the list only finds processes currently linked into it, while 'rogue' (unlinked / hidden) and 'old' (terminated, memory not yet reused) processes are desirable to find as well
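The contrast the slide draws, as an added example that is not part of the original deck or the author's tooling: a constructed 16 KiB "memory image" holds four EPROCESS-shaped blobs, two linked into an ActiveProcessLinks ring, one running but unlinked (the rogue case) and one terminated with its memory not yet reused (the old case). Walking the list from a known process finds only the first two; carving the image for the dispatcher-header signature that every process object carries finds all four. Field offsets follow the Windows XP SP2 EPROCESS layout and are an assumption here (other builds differ); the image, process names and PIDs are constructed test data; and pointers are treated as identity-mapped offsets, whereas a real dump needs virtual-to-physical translation before following Flink.

```python
import struct

# Field offsets in the Windows XP SP2 _EPROCESS layout (assumed here;
# other builds use different offsets, take them from the matching symbols).
OFF_HDR_TYPE   = 0x000  # Pcb.Header.Type: 0x03 marks a process object
OFF_HDR_SIZE   = 0x002  # Pcb.Header.Size: 0x1b (in dwords) for XP SP2
OFF_CREATETIME = 0x070
OFF_EXITTIME   = 0x078  # non-zero once the process has terminated
OFF_PID        = 0x084  # UniqueProcessId
OFF_FLINK      = 0x088  # ActiveProcessLinks.Flink
OFF_BLINK      = 0x08c  # ActiveProcessLinks.Blink
OFF_IMAGENAME  = 0x174  # ImageFileName[16]
EPROCESS_SIZE  = 0x25c

def make_eprocess(pid, name, create_time, exit_time, flink, blink):
    """Build one constructed _EPROCESS-shaped blob (test data, not a real dump)."""
    buf = bytearray(EPROCESS_SIZE)
    buf[OFF_HDR_TYPE] = 0x03
    buf[OFF_HDR_SIZE] = 0x1b
    struct.pack_into("<QQ", buf, OFF_CREATETIME, create_time, exit_time)
    struct.pack_into("<I", buf, OFF_PID, pid)
    struct.pack_into("<II", buf, OFF_FLINK, flink, blink)
    buf[OFF_IMAGENAME:OFF_IMAGENAME + 16] = name.encode("ascii").ljust(16, b"\0")[:16]
    return bytes(buf)

def build_image():
    """Constructed 16 KiB image. Pointers are identity-mapped offsets here;
    a real dump needs virtual-to-physical translation before following Flink."""
    image = bytearray(0x4000)
    A, B, DECOY, C, D = 0x100, 0x1000, 0x1800, 0x2100, 0x3000
    # A <-> B form the ActiveProcessLinks ring (the real ring also contains
    # PsActiveProcessHead, which is not an EPROCESS; omitted for brevity).
    image[A:A + EPROCESS_SIZE] = make_eprocess(4, "System", 1000, 0, B + OFF_FLINK, B + OFF_FLINK)
    image[B:B + EPROCESS_SIZE] = make_eprocess(608, "svchost.exe", 2000, 0, A + OFF_FLINK, A + OFF_FLINK)
    # Decoy: correct Type byte but wrong Size; the scanner must not report it.
    image[DECOY] = 0x03
    image[DECOY + OFF_HDR_SIZE] = 0x10
    # C: running but unlinked from the list, as a DKOM-hiding rootkit would leave it.
    image[C:C + EPROCESS_SIZE] = make_eprocess(1337, "rogue.exe", 3000, 0, C + OFF_FLINK, C + OFF_FLINK)
    # D: terminated and removed from the list, pool memory not yet reused.
    image[D:D + EPROCESS_SIZE] = make_eprocess(2020, "old.exe", 1500, 2500, 0, 0)
    return bytes(image)

def read_record(image, base):
    pid, = struct.unpack_from("<I", image, base + OFF_PID)
    create, exit_ = struct.unpack_from("<QQ", image, base + OFF_CREATETIME)
    raw = image[base + OFF_IMAGENAME:base + OFF_IMAGENAME + 16]
    name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"offset": base, "pid": pid, "name": name, "created": create, "exited": exit_ != 0}

def walk_active_list(image, start_base):
    """Follow ActiveProcessLinks.Flink from a known EPROCESS until the ring closes."""
    found, base, seen = [], start_base, set()
    while base not in seen:
        seen.add(base)
        found.append(read_record(image, base))
        flink, = struct.unpack_from("<I", image, base + OFF_FLINK)
        base = flink - OFF_FLINK  # Flink points at the LIST_ENTRY, not the struct start
        if base < 0 or base + EPROCESS_SIZE > len(image):
            break
    return found

def scan_eprocess(image):
    """Carve EPROCESS candidates by dispatcher-header signature, ignoring the list."""
    found = []
    for base in range(0, len(image) - EPROCESS_SIZE + 1, 8):  # pool blocks are 8-byte aligned
        if image[base + OFF_HDR_TYPE] != 0x03 or image[base + OFF_HDR_SIZE] != 0x1b:
            continue
        rec = read_record(image, base)
        # Cheap sanity checks to cut false positives from random pool data.
        if 0 < rec["pid"] < 0x10000 and rec["name"] and rec["name"].isprintable():
            found.append(rec)
    return found

def not_on_active_list(image, start_base):
    """Carved structures that a list walk would never reach: hidden or exited processes."""
    linked = {r["offset"] for r in walk_active_list(image, start_base)}
    return [r for r in scan_eprocess(image) if r["offset"] not in linked]

IMAGE = build_image()

if __name__ == "__main__":
    for r in walk_active_list(IMAGE, 0x100):
        print("on list :", r)
    for r in not_on_active_list(IMAGE, 0x100):
        print("carved  :", r)
```

The diff between the two views is the forensic signal: `rogue.exe` has no exit time and is simply not linked, which is what a live `tasklist` would also miss, while `old.exe` carries an exit time and only survives because its pool allocation has not been recycled. On a real image the Type/Size pair alone is too weak a signature; combine it with the pool tag, pointer-range checks and consistency between Flink/Blink and neighbouring structures before trusting a hit.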
VIDAS