Prefetch Files

Prefetch files are created by Windows to speed up application loading by caching the necessary data. When a process starts, Windows records details such as the files it accessed and stores them in a small file, a prefetch file, under the Prefetch subfolder of the Windows directory. The next time the application is opened, Windows loads the recorded file list. Windows prefetch files are located in C:\Windows\Prefetch\*.pf. From a forensic perspective, they provide various valuable information like ...

June 12, 2025 · 4 min · 5h4rrk

Windows Bigpools

PoolTag is a 4-byte value (an unsigned int) present in the pool header (i.e. POOL_HEADER). Microsoft created pool tags mostly for debugging purposes. So, whenever the kernel creates any object in pool memory, it creates a POOL_HEADER whose PoolTag field contains information about what kind of object is being created.

    0: kd> dt nt!_POOL_HEADER
       +0x000 PreviousSize     : Pos 0, 8 Bits
       +0x000 PoolIndex        : Pos 8, 8 Bits
       +0x002 BlockSize        : Pos 0, 8 Bits
       +0x002 PoolType         : Pos 8, 8 Bits
       +0x000 Ulong1           : Uint4B
       +0x004 PoolTag          : Uint4B
       +0x008 ProcessBilled    : Ptr64 _EPROCESS
       +0x008 AllocatorBackTraceIndex : Uint2B
       +0x00a PoolTagHash      : Uint2B

Let's look at one of the running processes to see how it actually looks ...

May 30, 2025 · 6 min · 5h4rrk

Windows Objects: Structure, Headers, and Internal Mechanics

A deep dive into Windows objects, focusing on their structure, headers, and relationships. This blog covers key components like _OBJECT_HEADER, OBJECT_TYPE, and ObTypeIndexTable, providing insights into how Windows organizes and references objects.

March 12, 2025 · 15 min · 5h4rrk

Application Crash Dump Analysis

This post explores application dumps, a crucial tool for debugging and analyzing software errors, offering insights into memory analysis and troubleshooting techniques.

February 7, 2025 · 11 min · 5h4rrk

Kernel Memory Dump Analysis: Introduction

An introduction to analyzing kernel memory dumps using WinDbg.

January 30, 2025 · 98 min · 5h4rrk

Windows Shellcode Development & Debugging with WinDbg: A Hands-On Guide (Part 2)

A comprehensive guide to understanding and creating Windows shellcode from scratch for exploit development. This article includes practical insights into using WinDbg for effective debugging and analysis.

January 21, 2025 · 8 min · 5h4rrk

Windows Shellcode Development & Debugging with WinDbg: A Hands-On Guide (Part 1)

A comprehensive guide to understanding and creating Windows shellcode from scratch for exploit development. This article includes practical insights into using WinDbg for effective debugging and analysis.

January 12, 2025 · 6 min · 5h4rrk

PE Parsing: A Step-by-Step Guide with WinDbg - Part 2

Hands-on parsing of PE files with WinDbg, exploring their structures for debugging and reverse engineering.

January 12, 2025 · 11 min · 5h4rrk

PE Parsing: A Step-by-Step Guide with WinDbg - Part 1

Hands-on parsing of PE files with WinDbg, exploring their structures for debugging and reverse engineering.

January 11, 2025 · 12 min · 5h4rrk

ReAL-File-System-bi0sCTF2024

Full detailed writeup for ReAL-File-System, a challenge centered around ReFS log analysis. tl;dr: Disk Forensics, Resilient File System, Log Analysis ...

March 8, 2024 · 16 min · 5h4rrk