I am doing research on Windows 7 crash dump files. As we know, Windows 7 uses ASLR & DEP. So please, can anyone tell me what problems ASLR & DEP can generate for a forensic investigator? I.e., are ASLR and DEP hurdles for a forensic investigator?
Please do reply early.
Thanks
DEP stops memory pages holding data from being executed as code.
ASLR is randomisation of the virtual address space of each process in memory.
I can't really imagine either being a problem from a forensics point of view.
There might be a very small number of tools that have a problem dealing with ASLR, but these types of tools would be more for reverse engineering executables and malware authors than for a forensics investigator.
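Both protections described above are recorded per executable image: the linker sets bits in the DllCharacteristics field of the PE optional header (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP), which is what an analyst checks to know whether a module seen in a dump was built with them. The Python below is an added example, not code from this thread; it reads that field from a constructed minimal PE header, using the documented IMAGE_DLLCHARACTERISTICS_* values.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*).
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE    = 0x0040   # image may be relocated at load time (ASLR opt-in)
NX_COMPAT       = 0x0100   # image declares DEP compatibility (system policy may override)

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image held in memory.
    For both PE32 and PE32+ the field sits at offset 70 of the optional header,
    which follows the 4-byte "PE\\0\\0" signature and the 20-byte COFF header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    opt_hdr = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", image, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    return struct.unpack_from("<H", image, opt_hdr + 70)[0]

def mitigation_flags(image: bytes) -> dict:
    """Report whether the image opted into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT)."""
    dc = dll_characteristics(image)
    return {
        "aslr": bool(dc & DYNAMIC_BASE),
        "high_entropy_va": bool(dc & HIGH_ENTROPY_VA),
        "dep": bool(dc & NX_COMPAT),
    }

def build_test_image(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (not a real binary): MZ stub, PE signature,
    COFF header and an optional header with only the fields read above filled in."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print("hardened:", mitigation_flags(build_test_image(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT)))
    print("legacy:  ", mitigation_flags(build_test_image(0, pe32plus=False)))
```

On a real dump the same parser can be pointed at the header bytes of any loaded module, since only the first few hundred bytes of the image are needed.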
Thanks for the prompt reply.
I experimented with two crash dump files, one from Windows XP and the other from Windows 7 (which uses ASLR).
When I opened them in a hex editor, the XP one was showing sensitive information in the clear, e.g. email address & password, while in the case of Windows 7 it was not showing anything in plain text; I don't know if it was somehow encoded or compressed. So what are the reasons for those things?
Regards
M Shafiq
I don't think you can conclude that 'missing' data in one Win7 dump is due to DEP or ASLR.
Maybe the data wasn't in RAM when the dump was done (e.g. the RAM was deallocated or swapped to disk). Or maybe you were looking at the wrong location in RAM. Maybe different applications were running in RAM when the dump was done. Or maybe the applications were even the same, but the timing was different and the applications were processing different data when the dump was done.