Forensic memory captures by process

Posted on: 2015-03-04
Degree: M.S
Type: Thesis
University: Utica College
Candidate: Germakovski, Andrey
Full Text: PDF
GTID: 2476390020452682
Subject: Computer Science
Abstract/Summary:
The purpose of this research was to develop and evaluate a user-level and kernel-level utility to perform enhanced forensic memory captures on the Windows 7 operating system. The forensic tool extracts only the user-mode memory associated with a single process or program. The research performed was based on the Microsoft Windows 7 memory model. It would be beneficial for a forensic examiner to understand how the Windows operating system requests memory, which tools can be used to view memory allocation, and how programs are stored on disk. This research will benefit other researchers and allow them to create memory analysis tools that work from acquired process memory.

Keywords: Cybersecurity Forensics, Process Memory Capture, Virtual Address Descriptor Tree, VAD, Prof. Cynthia Gonnella.
Keywords/Search Tags: Memory, Forensic, Process