Obtaining forensic value from the cbWndExtra structures as used by Windows Common Controls, specifically for the Editbox control
Affiliation: 1. Department of Computer Science, Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), Erlangen, Germany; 2. Department of Computer Science, Technische Hochschule Nürnberg Georg Simon Ohm, Nürnberg, Germany
Abstract: The Windows Common Controls is a library which facilitates the construction of GUI controls commonly used by Windows applications. Each control is an extension of the basic ‘window’ class, and the differences in that extension are what distinguish one control from another; for example, an Edit control as opposed to a Button control. The basic window class is documented by Microsoft and the generic information about a window can be extracted, but this is of very limited use. There is no documentation and very little research into how these extensions are laid out in memory. This paper demonstrates how the extension bytes for the Edit control can be parsed, leading to identification of previously unobtainable data which reveal information about the state of the control at runtime. Most notably, the undo buffer, that is, text that was previously present in the control, can be recovered – an aspect which traditional disk forensics would simply not provide. The paper explains why previous attempts to achieve similar goals have failed, and how the technique could be applied to any control from the Windows Common Controls library.
Keywords: Windows Common Controls; Digital forensics; Microsoft Windows; Volatile memory; Memory forensics; cbWndExtra; Editbox; WNDCLASSEX
This paper is indexed in ScienceDirect and other databases.