This information is covered in introductory courses on Windows/NTFS forensics, but I often lose track of the original source for technical information that I can cite in expert reports and other deliverables. Also, I’m not a fan of citing proprietary training materials that can’t be easily found on the web, purchased from Amazon, or found in a public library.
This post is a quick summary of a few articles from Microsoft with links to the original articles.
I recently was provided with a 64GB raw memory image created by the free DumpIt tool from a Windows 2012 R2 x64 server. To my dismay, neither Volatility nor Rekall could make heads or tails of it. After debugging a little further, I discovered that neither tool was able to find the kernel debugger data block (_KDDEBUGGER_DATA64) structure.
After a lot of Googling and consultation of the handy bible on this subject matter, The Art of Memory Forensics, I think I finally understand what went wrong (but I’m eagerly seeking clarification/correction from the DFIR/infosec community if I’m mistaken!