Hello all,
I'm currently trying to analyze a memory dump from Windows and Linux. However, I'm having difficulty understanding the memory layout. I understand that in Windows, the EPROCESS structure contains information about each process, and in Linux, the task_struct contains similar info.
There are some tools for listing all the processes in a memory dump, but I would like to understand how the tool does this, or just be able to understand how to do this manually (possibly with a hex editor).
Are there any good articles on doing this? Google doesn't turn up many good articles.
Thank you
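What a process-listing tool does, reduced to its essentials, is: start at a known list head, follow the flink pointer to the next link field, subtract the link field's offset within the process structure to get the structure's base, read the fields, and repeat until the list returns to the head. The example below is an added illustration and is not code from this thread or from any real forensic tool. It uses a constructed toy record layout (pid, 16-byte name, flink, blink, preceded by a "PROC" tag), a constructed list-head location, and a constructed image, so the offsets are assumptions and not real EPROCESS or task_struct offsets; real tools get those offsets from symbol or profile information. It also shows the cross-check practitioners rely on: scanning the image for tagged records independently of the list, so a record present in memory but absent from the list (a terminated process whose memory was not reused, or a deliberately unlinked one) still shows up.

```python
import struct

# Constructed toy layout (an assumption for this example, NOT real OS offsets):
#   record = u32 pid | 16-byte name | u32 flink | u32 blink   (28 bytes)
# The flink/blink pair sits at offset 20 inside the record, playing the role of
# EPROCESS.ActiveProcessLinks (Windows) or task_struct.tasks (Linux).
TAG = b"PROC"                         # constructed marker before each record (like a pool tag)
REC_FMT = "<I16sII"
REC_SIZE = struct.calcsize(REC_FMT)   # 28 bytes
LINK_OFF = 20                         # offset of the link pair within a record
HEAD_OFF = 0x10                       # constructed location of the list head (like PsActiveProcessHead)


def build_image(procs, linked):
    """Build a constructed 'memory dump': every (pid, name) in procs is written to
    memory with its tag, but only pids in `linked` are chained into the list."""
    image = bytearray(0x200)
    bases = {}
    for i, (pid, name) in enumerate(procs):
        base = 0x40 + i * 0x40
        bases[pid] = base
        image[base - len(TAG):base] = TAG
        struct.pack_into(REC_FMT, image, base, pid, name.encode().ljust(16, b"\0"), 0, 0)
    # Circular doubly-linked list: head -> link fields of the linked records -> head.
    chain = [HEAD_OFF] + [bases[pid] + LINK_OFF for pid, _ in procs if pid in linked]
    for i, off in enumerate(chain):
        struct.pack_into("<II", image, off, chain[(i + 1) % len(chain)], chain[i - 1])
    return bytes(image)


def walk_active_list(image, head_off=HEAD_OFF, max_entries=1000):
    """List processes the way a list-walking tool does: follow flink from the head,
    convert each link-field address to a record base, and stop when back at the head.
    Bounds, loop and blink checks guard against a corrupted or hostile dump."""
    procs, seen, came_from = [], set(), head_off
    flink = struct.unpack_from("<I", image, head_off)[0]
    while flink != head_off:
        if flink in seen or len(procs) >= max_entries:
            raise ValueError(f"list loops at {flink:#x}")
        base = flink - LINK_OFF                       # CONTAINING_RECORD equivalent
        if base < 0 or base + REC_SIZE > len(image):
            raise ValueError(f"pointer {flink:#x} outside the image")
        pid, name, nxt, prev = struct.unpack_from(REC_FMT, image, base)
        if prev != came_from:                          # blink must point back where we came from
            raise ValueError(f"blink mismatch at record {base:#x}")
        procs.append((pid, name.rstrip(b"\0").decode()))
        seen.add(flink)
        came_from, flink = flink, nxt
    return procs


def scan_for_records(image):
    """List processes by carving: find every tagged record regardless of list membership."""
    found, pos = [], image.find(TAG)
    while pos != -1:
        base = pos + len(TAG)
        if base + REC_SIZE <= len(image):
            pid, name, _, _ = struct.unpack_from(REC_FMT, image, base)
            found.append((pid, name.rstrip(b"\0").decode()))
        pos = image.find(TAG, pos + 1)
    return found


def unlisted(image):
    """Records found by scanning but missing from the list walk: the discrepancy a
    forensic analyst wants flagged."""
    listed = set(walk_active_list(image))
    return [p for p in scan_for_records(image) if p not in listed]


# Constructed sample: four records in memory, only three of them on the list.
SAMPLE = [(4, "System"), (368, "smss.exe"), (512, "csrss.exe"), (1337, "notepad.exe")]
IMAGE = build_image(SAMPLE, linked={4, 368, 512})

if __name__ == "__main__":
    print("list walk :", walk_active_list(IMAGE))
    print("scan      :", scan_for_records(IMAGE))
    print("unlisted  :", unlisted(IMAGE))
```

To do the same thing by hand in a hex editor on a real dump you need three facts the toy hard-codes: the physical location of the list head, the offset of the link pair inside the process structure for that exact kernel build, and a way to translate the virtual addresses stored in the pointers into offsets in the dump file (page-table walking), which is the part that makes manual work tedious and why tools carry per-build symbol tables.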
I believe you can find the papers written by Mariusz Burdach useful, such as "Finding Digital Evidence In Physical Memory". The tool he uses for Linux environments is IDETECT, and I think you can find plenty of info to download and review on the webpage you get from googling "IDETECT Toolkit".
Hope it helps.