Forensics: Windows 10 memory forensics (WO)

Forensics: Windows 10 memory forensics (WO)

Analyze even the newest versions of an OS

Forensic investigators need to be able to analyze even the newest versions of an OS. Windows 10, a new major version of the Windows OS will be released in 2015. A technical preview version is already available.

The main focus of this internship is Windows 10 memory acquisition and analysis. How are e.g. processes, networking objects and file objects represented in memory on a Windows 10 machine? The first challenge is to make a reliable memory dump for a Windows 10 system. The second step is to analyze the Windows 10 in-memory structures using reverse engineering techniques. Starting from scratch is unnecessary since many data structures will resemble data structures used in preceding Windows versions.

A practical outcome of this research would be the creation of Volatility profiles to perform efficient Windows 10 memory analysis using the Volatility framework. Finally, this entire process should be analyzed to determine which parts of this process could be automated for analyzing in-memory traces of future (sub)versions of Windows. Since this research is quite comprehensive, it could be performed by a group of two students.


Please share your profile and motivation with us (vacature[at] In case of questions please call Walter Doorduin at 00 31 6 419 01 011.

Neem contact op

+31 (0) 15 284 79 99