There are many terms when talking about memory forensics, this list hopes to define the common ones and provide some commonality on how to refer to particular ideas within the field.
- Address Space
This is the name in volatility 2 for what’s referred to as a Translation Layer. It encompasses all values that can be addresses, usually in reference to addresses in memory.
This represents a list of items, which can be access by an index, which is zero-based (meaning the first element has index 0). Items in arrays are almost always the same size (it is not a generic list, as in python) even if they are pointers to different sized objects.
- Data Layer
A group of bytes, where each byte can be addressed by a specific offset. Data layers are usually contiguous chunks of data.
The act of taking the value of a pointer, and using it as an offset to another object, as a reference.
This the grouping for input values for a mapping or mathematical function.
- Map, mapping
A mapping is a relationship between two sets (where elements of the Domain map to elements of the Range). Mappings can be seen as a mathematical function, and therefore volatility 3 attempts to use mathematical functional notation where possible. Within volatility a mapping is most often used to refer to the function for translating addresses from a higher layer (domain) to a lower layer (range). For further information, please see Function (mathematics) in wikipedia https://en.wikipedia.org/wiki/Function_(mathematics)
This has a specific meaning within computer programming (as in Object Oriented Programming), but within the world of Volatility it is used to refer to a type that has been associated with a chunk of data, or a specific instance of a type. See also Type.
A numeric value that identifies a distance within a group of bytes, to uniquely identify a single byte, or the start of a run of bytes. An offset is often relative (offset from another object/item) but can be absolute (offset from the start of a region of data).
Structures are often aligned meaning that the various members (subtypes) are always aligned at particular values (usually multiples of 2, 4 or 8). Thus if the data used to represent a particular value has an odd number of bytes, not a multiple of the chosen number, there will be padding between it and the next member. In packed structs, no padding is used and the offset of the next member depends on the length of the previous one.
Data that (usually) contains no useful information. The typical value used for padding is 0 (sometimes called a null byte). As an example, if a string object that has been allocated a particular number of bytes, actually contains fewer bytes, the rest of the data (to make up the original length) will be padded with null (0) bytes.
A specific chunk of contiguous data. It is an organizational quantity of memory (usually 0x1000, or 4096 bytes). Pages, like pages in a book, make up the whole, but allow for specific chunks to be allocated and used as necessary. Operating systems uses pages as a means to have granular control over chunks of memory. This allows them to be reordered and reused as necessary (without having to move large chunks of data around), and allows them to have access controls placed upon them, limiting actions such as reading and writing.
- Page Table
A table that points to a series of pages. Each page table is typically the size of a single page, and page tables can point to pages that are in fact other page tables. Using tables that point to tables, it’s possible to use them as a way to map a particular address within a (potentially larger, but sparsely populated) virtual space to a concrete (and usually contiguous) physical space, through the process of mapping.
A value within memory that points to a different area of memory. This allows objects to contain references to other objects without containing all the data of the other object. Following a pointer is known as dereferencing a pointer. Pointers are usually the same length as the maximum address of the address space, since they should be able to point to any address within the space.
This is the set of the possible output values for a mapping or mathematical function.
- Struct, Structure
A means of containing multiple different type associated together. A struct typically contains other type, usually aligned (unless packing is involved). In this way the members of a type can be accessed by finding the data at the relative offset to the start of the structure.
This is used in many different contexts, as a short term for many things. Within Volatility, a symbol is a construct that usually encompasses a specific type type at a specific offset, representing a particular instance of that type within the memory of a compiled and running program. An example would be the location in memory of a list of active tcp endpoints maintained by the networking stack within an operating system.
Within volatility 3, the term template applies to a type that has not yet been instantiated or linked to any data or a specific location within memory. Once a type has been tied to a particular chunk of data, it is called an object.
- Translation Layer
This is a type of data layer which allows accessing data from lower layers using addresses different to those used by the lower layers themselves. When accessing data in a translation layer, it translates (or maps) addresses from its own address space to the address space of the lower layer and returns the corresponding data from the lower layer. Note that multiple addresses in the higher layer might refer to the same address in the lower layer. Conversely, some addresses in the higher layer might have no corresponding address in the lower layer at all. Translation layers most commonly handle the translation from virtual to physical addresses, but can be used to translate data to and from a compressed form or translate data from a particular file format into another format.
This is a structure definition of multiple elements that expresses how data is laid out. Basic types define how the data should be interpreted in terms of a run of bits (or more commonly a collection of 8 bits at a time, called bytes). New types can be constructed by combining other types at specific relative offsets, forming something called a struct, or by repeating the same type, known as an array. They can even contain other types at the same offset depending on the data itself, known as Unions. Once a type has been linked to a specific chunk of data, the result is referred to as an object.
A union is a type that can hold multiple different subtypes, whose relative offsets specifically overlap. A union is a means for holding multiple different types within the same size of data, the relative offsets of the types within the union specifically overlap. This means that the data in a union object is interpreted differently based on the types of the union used to access it.