Excellent paper. Thanks for pointing that out.
--
chort
On Jun 19, 2013, at 2:38 PM, Michael Hale Ligh wrote:
I'd suggest reading the paper, it explains all of
this and more (windows internals expertise not required)
http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf
MHL
On Wed, Jun 19, 2013 at 12:30 PM, Brian Keefer <chort(a)effu.se> wrote:
I look at mostly Win7/64 systems and have always found shimcache data in memory images
before. In the last several weeks only about 50% of the images I looked at had it. I'm
running a 2.3 alpha build from a month or two ago (have been all this time).
While not strictly a Volatility issue, could someone explain under what circumstances the
data wouldn't be available? I'm not a Windows internals expert (yet, I have part 1
and part 2 on my bookshelf, waiting...)
Thanks!
--
chort
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users