This paper describes the use of the Virtual Address Descriptor (VAD) tree structure in Windows memory dumps to help guide forensic analysis of Windows memory. We describe how to locate and parse the structure, and show its value in breaking up physical memory into more manageable and semantically meaningful units than can be obtained by simply walking the page directory for the process. Several tools to display information about the VAD tree and dump the memory regions it describes will also be presented.
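To make the contrast the abstract draws concrete (VAD regions versus runs of resident pages from a page-directory walk), the following is an added example, not code from the paper or its tools. It models a VAD tree in Python rather than parsing the real `_MMVAD` structure: the field names `starting_vpn`/`ending_vpn` and the left/right children echo the public layout, but the tree, its region labels ("Image", "Heap", "Stack", "Reserved") and the set of resident pages are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple

PAGE_SIZE = 0x1000  # 4 KiB pages; a VPN is the virtual address >> 12


@dataclass
class VadNode:
    """One node of a constructed VAD tree (a Python model, not a parser of
    the real structure). ending_vpn is inclusive, as in the real layout."""
    starting_vpn: int
    ending_vpn: int
    tag: str                      # hypothetical region label
    left: Optional["VadNode"] = None
    right: Optional["VadNode"] = None


def walk_vad(node: Optional[VadNode]) -> Iterator[VadNode]:
    """In-order traversal. The tree is keyed on the starting VPN, so this
    yields regions in increasing virtual-address order."""
    if node is None:
        return
    yield from walk_vad(node.left)
    yield node
    yield from walk_vad(node.right)


def vad_regions(root: Optional[VadNode]) -> List[Tuple[int, int, str]]:
    """Byte ranges [start, end) described by the VAD tree, with their labels.
    A region appears here even if none of its pages are resident."""
    return [(n.starting_vpn * PAGE_SIZE, (n.ending_vpn + 1) * PAGE_SIZE, n.tag)
            for n in walk_vad(root)]


def page_table_runs(resident_vpns: Set[int]) -> List[Tuple[int, int]]:
    """What a page-directory walk yields: runs of contiguous resident pages as
    [start, end) byte ranges, with no notion of why they are mapped."""
    runs: List[Tuple[int, int]] = []
    for vpn in sorted(resident_vpns):
        if runs and runs[-1][1] == vpn * PAGE_SIZE:
            runs[-1] = (runs[-1][0], (vpn + 1) * PAGE_SIZE)
        else:
            runs.append((vpn * PAGE_SIZE, (vpn + 1) * PAGE_SIZE))
    return runs


def classify_pages(root: Optional[VadNode],
                   resident_vpns: Set[int]) -> Dict[str, List[int]]:
    """Group resident pages by the VAD region that owns them. Pages with no
    owning VAD are reported under 'NoVad'."""
    regions = list(walk_vad(root))
    owners: Dict[str, List[int]] = {}
    for vpn in sorted(resident_vpns):
        tag = "NoVad"
        for n in regions:
            if n.starting_vpn <= vpn <= n.ending_vpn:
                tag = n.tag
                break
        owners.setdefault(tag, []).append(vpn)
    return owners


def build_sample_tree() -> VadNode:
    """Constructed layout, roughly in the shape of a 32-bit user process:
         0x00100000-0x0010ffff  Heap      (VPN 0x100-0x10f)
         0x00200000-0x0020ffff  Reserved  (VPN 0x200-0x20f), nothing resident
         0x00400000-0x0041ffff  Image     (VPN 0x400-0x41f)
         0x7ff00000-0x7ff0ffff  Stack     (VPN 0x7ff00-0x7ff0f)"""
    root = VadNode(0x400, 0x41f, "Image")
    root.left = VadNode(0x100, 0x10f, "Heap")
    root.left.right = VadNode(0x200, 0x20f, "Reserved")
    root.right = VadNode(0x7ff00, 0x7ff0f, "Stack")
    return root


# Constructed set of pages that happen to be resident in the dump; 0x60000 has
# no owning VAD in this constructed example.
SAMPLE_RESIDENT = {0x100, 0x101, 0x102, 0x400, 0x401, 0x405,
                   0x60000, 0x7ff0e, 0x7ff0f}


if __name__ == "__main__":
    tree = build_sample_tree()
    print("VAD regions:")
    for start, end, tag in vad_regions(tree):
        print(f"  {start:#010x}-{end:#010x}  {tag}")
    print("Page-directory runs:")
    for start, end in page_table_runs(SAMPLE_RESIDENT):
        print(f"  {start:#010x}-{end:#010x}")
    print("Pages by owning VAD:", classify_pages(tree, SAMPLE_RESIDENT))
```

Running it shows four labelled VAD regions against five unlabelled page runs: the image region is split into two runs because only some of its pages are resident, the reserved region does not appear in the page-table view at all, and the stray page at 0x60000000 is the kind of mapping a page-directory walk cannot distinguish from legitimate process memory without the VAD context.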