Article code: 4955650
Journal code: 1444271
Publication year: 2017
English article: 7-page PDF
Full-text version: free download
English title of the ISI article
Obtaining forensic value from the cbWndExtra structures as used by Windows Common Controls, specifically for the Editbox control
Related subjects
Engineering and Basic Sciences; Computer Engineering; Computer Networks and Communications
English abstract

The Windows Common Controls is a library which facilitates the construction of GUI controls commonly used by Windows applications. Each control is an extension of the basic 'window' class. The difference in the extension results in one control over another; for example, an Edit control as opposed to a Button control. The basic window class is documented by Microsoft and the generic information about a Window can be extracted, but this is of very limited use. There is no documentation and very little research into how these extensions are laid out in memory. This paper demonstrates how the extension bytes for the Edit control can be parsed, leading to identification of previously unobtainable data which reveal information about the state of the control at runtime. Most notably, the undo buffer, that is, text that was previously present in the control, can be recovered - an aspect which traditional disk forensics would simply not provide. The paper explains why previous attempts to achieve similar goals have failed, and how the technique could be applied to any control from the Windows Common Controls library.

Publisher
Database: Elsevier - ScienceDirect
Journal: Digital Investigation - Volume 20, March 2017, Pages 54-60
Authors