Binary Information Press
Text documents opened in Notepad are important forensic objects in the field of MS Windows memory forensics, because Notepad is a widely used text editor bundled with the Windows system. This paper proposes a method for recovering text documents from a Windows 7 memory image based on a reconstructed process space for Notepad. First, Notepad's EPROCESS is located in the Windows 7 memory image. Then items in the EPROCESS, such as Pcb, Peb and VadRoot, are used to reconstruct Notepad's memory space.
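The reconstruction step the abstract describes, as an added Python example that is not from the paper: the DirectoryTableBase held in the Pcb drives address translation, one VAD node's range gives the region to reassemble in virtual order, and the reassembled region is scanned for the UTF-16LE text Notepad keeps in memory. The eight-page x86 non-PAE image, the page-table layout, the VAD range and the text are all constructed here for illustration.

```python
import re
import struct

PAGE = 0x1000
DTB = 1 * PAGE                          # constructed Pcb.DirectoryTableBase
VAD_START, VAD_END = 0x10000, 0x11FFF   # constructed range of one VAD node
TEXT = "Hello notepad forensics, this was typed in the editor"
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")   # printable ASCII as UTF-16LE

def build_image() -> bytes:
    """Constructed 8-page x86 (non-PAE, 4 KiB pages) image; not a real dump."""
    img = bytearray(8 * PAGE)
    # Page directory in physical page 1; PDE 0 points at a page table in page 2.
    struct.pack_into("<I", img, DTB + 0 * 4, (2 * PAGE) | 0x7)          # present|rw|user
    # VA 0x10000 -> physical page 5, VA 0x11000 -> physical page 3 (out of order).
    struct.pack_into("<I", img, 2 * PAGE + 0x10 * 4, (5 * PAGE) | 0x7)
    struct.pack_into("<I", img, 2 * PAGE + 0x11 * 4, (3 * PAGE) | 0x7)
    data = TEXT.encode("utf-16-le")
    split = 20   # even, so the UTF-16 code units stay aligned across the page boundary
    img[5 * PAGE + PAGE - split:6 * PAGE] = data[:split]        # tail of first virtual page
    img[3 * PAGE:3 * PAGE + len(data) - split] = data[split:]   # head of second virtual page
    return bytes(img)

def v2p(img: bytes, dtb: int, va: int):
    """Two-level x86 page-table walk rooted at dtb; None when the page is not present."""
    pde_off = dtb + ((va >> 22) & 0x3FF) * 4
    if pde_off + 4 > len(img):
        return None
    pde = struct.unpack_from("<I", img, pde_off)[0]
    if not pde & 1:
        return None
    if pde & 0x80:                                   # 4 MiB large page
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte_off = (pde & 0xFFFFF000) + ((va >> 12) & 0x3FF) * 4
    if pte_off + 4 > len(img):
        return None
    pte = struct.unpack_from("<I", img, pte_off)[0]
    return (pte & 0xFFFFF000) | (va & 0xFFF) if pte & 1 else None

def reconstruct_range(img: bytes, dtb: int, start: int, end: int) -> bytes:
    """Reassemble [start, end] of process virtual memory; unmapped pages become zeros."""
    out = bytearray()
    for va in range(start & ~0xFFF, end + 1, PAGE):
        pa = v2p(img, dtb, va)
        out += img[pa:pa + PAGE] if pa is not None else b"\x00" * PAGE
    return bytes(out)

def find_utf16_strings(buf: bytes) -> list:
    """UTF-16LE runs of at least 8 printable characters, the form Notepad keeps text in."""
    return [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(buf)]

if __name__ == "__main__":
    img = build_image()
    print("raw image:", find_utf16_strings(img))            # only the two fragments
    print("reconstructed VAD:", find_utf16_strings(reconstruct_range(img, DTB, VAD_START, VAD_END)))
```

Scanning the raw image yields only the two fragments split by the page boundary; the same scan over the reconstructed VAD range returns the whole text, which is why the process space is rebuilt before carving.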