[Vol-users] 64bit memory images

RB aoz.syn at gmail.com
Fri Jan 2 09:23:28 CST 2009

On Fri, Jan 2, 2009 at 07:49, Jesse Kornblum <jessek at speakeasy.net> wrote:
> As for the differences in anything else, like I said, I don't think anybody has
> published on those yet. You could be the first!

Basic answer: Jesse's right.  Addressing differs, but I don't
think/know that Volatility parses 64-bit images.

The Advanced Memory Forensics course offered at Blackhat by Mandiant
is pretty useful, but mostly only covered 32-bit addressing.  They
have a library somewhat similar to Volatility (Memoryze) that the
course centers around, but it's not open-source - the Python bindings
they used in-class were just opaque ties to the DLL they provided.

Matthieu Suiche also publishes some good material on memory forensics
and hiberfil.sys analysis (sandman).  If you look hard enough, you can
probably find other documentation.  One major problem is that at least
the physical layout of Windows memory differs by every release, if not
every service pack.


More information about the Vol-users mailing list