Obtaining forensic value from the cbWndExtra structures as used by Windows Common Controls, specifically for the Editbox control. (March 2017)
- Record Type:
- Journal Article
- Title:
- Obtaining forensic value from the cbWndExtra structures as used by Windows Common Controls, specifically for the Editbox control. (March 2017)
- Main Title:
- Obtaining forensic value from the cbWndExtra structures as used by Windows Common Controls, specifically for the Editbox control
- Authors:
- Bridge, Adam
- Abstract:
- The Windows Common Controls is a library which facilitates the construction of GUI controls commonly used by Windows applications. Each control is an extension of the basic 'window' class. The difference in the extension results in one control over another; for example, an Edit control as opposed to a Button control. The basic window class is documented by Microsoft and the generic information about a Window can be extracted, but this is of very limited use. There is no documentation and very little research into how these extensions are laid out in memory. This paper demonstrates how the extension bytes for the Edit control can be parsed, leading to identification of previously unobtainable data which reveal information about the state of the control at runtime. Most notably, the undo buffer, that is, text that was previously present in the control, can be recovered – an aspect which traditional disk forensics would simply not provide. The paper explains why previous attempts to achieve similar goals have failed, and how the technique could be applied to any control from the Windows Common Controls library.
- Is Part Of:
- Digital investigation. Volume 20(2016)
- Journal:
- Digital investigation
- Issue:
- Volume 20(2016)
- Issue Display:
- Volume 20, Issue 2016 (2016)
- Year:
- 2016
- Volume:
- 20
- Issue:
- 2016
- Issue Sort Value:
- 2016-0020-2016-0000
- Page Start:
- 54
- Page End:
- 60
- Publication Date:
- 2017-03
- Subjects:
- Windows Common Controls -- Digital forensics -- Microsoft Windows -- Volatile memory -- Memory forensics -- cbWndExtra -- Editbox -- WNDCLASSEX
- Forensic sciences -- Data processing -- Periodicals
- Criminal investigation -- Data processing -- Periodicals
- Dewey Classification:
- 363.250285
- Journal URLs:
- http://www.sciencedirect.com/science/journal/17422876
- http://www.elsevier.com/journals
- DOI:
- 10.1016/j.diin.2017.02.007
- Languages:
- English
- ISSNs:
- 1742-2876
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 3588.396620
- British Library DSC - BLDSS-3PM
- British Library STI - ELD Digital store
- Ingest File:
- 166.xml