Locating ×86 paging structures in memory images

Abstract

Digital memory forensics consists of analyzing various components of a memory image from a compromised host. A memory image consists of data and processes that were running on the system at the time the image was created. Previously running processes are one of the key items in memory images to identify, including potentially hidden processes. Each process has its own paging structures that define its address space, so locating the paging structures can potentially lead to finding all of the processes that were running. In this paper, we describe an algorithm to locate paging structures in a memory image of an ×86 platform running either Linux or Windows XP. The algorithm can be used to find paging structures for potential processes that were hidden by rootkits or other malware. Furthermore, if the system was running an ×86 virtual machine, the algorithm can locate paging structures associated with both the host kernel and the guest kernel processes. Our algorithm relies more on the constructs of the ×86 hardware and less on the operating system running on top of the hardware. This means that the algorithm works for many different operating systems with only minor tweaking.