Acquisiting Text Documents Opened by Notepad from Windows7 RAM Image

Provided by: Binary Information Press
Topic: Software
Format: PDF
Text documents opened by Notepad are important forensic objects in MS Windows memory forensics, because Notepad is a widely used text editing program bundled with the Windows system. This paper proposes a method for recovering text documents from a Windows 7 memory image based on the reconstructed process space of Notepad. First, Notepad's EPROCESS structure is located in the Windows 7 memory image. Then the items in the EPROCESS, such as Pcb, Peb, and VadRoot, are used to reconstruct Notepad's memory space.