There are many terms when talking about memory forensics, this list hopes to define the common ones and provide some commonality on how to refer to particular ideas within the field.
- Address Space
This is the name in volatility 2 for what's referred to as a
Translation Layer<translation layer>
. It encompasses all values that can be addresses, usually in reference to addresses in memory.
- Alignment
This value is what all data
offsets<offset>
will typically be a multiple of within atype<type>
.
- Array
This represents a list of items, which can be access by an index, which is zero-based (meaning the first element has index 0). Items in arrays are almost always the same size (it is not a generic list, as in python) even if they are
pointers<pointer>
to different sized objects.
- Data Layer
A group of bytes, where each byte can be addressed by a specific offset. Data layers are usually contiguous chunks of data.
- Dereference
The act of taking the value of a pointer, and using it as an offset to another object, as a reference.
- Domain
This the grouping for input values for a mapping or mathematical function.
- Map, mapping
A mapping is a relationship between two sets (where elements of the
Domain<domain>
map to elements of theRange<range>
). Mappings can be seen as a mathematical function, and therefore volatility 3 attempts to use mathematical functional notation where possible. Within volatility a mapping is most often used to refer to the function for translating addresses from a higher layer (domain) to a lower layer (range). For further information, please see Function (mathematics) in wikipedia https://en.wikipedia.org/wiki/Function_(mathematics)
- Member
The name of subcomponents of a type, similar to attributes of objects in common programming parlance. These are usually recorded as
offset<offset>
andtype<type>
pairs within astructure<struct>
.
- Object
This has a specific meaning within computer programming (as in Object Oriented Programming), but within the world of Volatility it is used to refer to a type that has been associated with a chunk of data, or a specific instance of a type. See also
Type<type>
.
- Offset
A numeric value that identifies a distance within a group of bytes, to uniquely identify a single byte, or the start of a run of bytes. An offset is often relative (offset from another object/item) but can be absolute (offset from the start of a region of data).
- Packed
Structures are often
aligned<alignment>
meaning that the various members (subtypes) are always aligned at particular values (usually multiples of 2, 4 or 8). Thus if the data used to represent a particular value has an odd number of bytes, not a multiple of the chosen number, there will bepadding<padding>
between it and the next member. In packed structs, no padding is used and the offset of the next member depends on the length of the previous one.
- Padding
Data that (usually) contains no useful information. The typical value used for padding is 0 (sometimes called a null byte). As an example, if a string
object<object>
that has been allocated a particular number of bytes, actually contains fewer bytes, the rest of the data (to make up the original length) will be padded with null (0) bytes.
- Page
A specific chunk of contiguous data. It is an organizational quantity of memory (usually 0x1000, or 4096 bytes). Pages, like pages in a book, make up the whole, but allow for specific chunks to be allocated and used as necessary. Operating systems uses pages as a means to have granular control over chunks of memory. This allows them to be reordered and reused as necessary (without having to move large chunks of data around), and allows them to have access controls placed upon them, limiting actions such as reading and writing.
- Page Table
A table that points to a series of
pages<page>
. Each page table is typically the size of a single page, and page tables can point to pages that are in fact other page tables. Using tables that point to tables, it's possible to use them as a way to map a particular address within a (potentially larger, but sparsely populated) virtual space to a concrete (and usually contiguous) physical space, through the process ofmapping<map>
.
- Pointer
A value within memory that points to a different area of memory. This allows objects to contain references to other objects without containing all the data of the other object. Following a pointer is known as
dereferencing<dereference>
a pointer. Pointers are usually the same length as the maximum address of the address space, since they should be able to point to any address within the space.
- Range
This is the set of the possible output values for a mapping or mathematical function.
- Struct, Structure
A means of containing multiple different
type<types>
associated together. A struct typically contains othertype<types>
, usuallyaligned<alignment>
(unlesspacking<packed>
is involved). In this way themembers<member>
of a type can be accessed by finding the data at the relativeoffset<offset>
to the start of the structure.
- Symbol
This is used in many different contexts, as a short term for many things. Within Volatility, a symbol is a construct that usually encompasses a specific type
type<Type>
at a specfificoffset<Offset>
, representing a particular instance of that type within the memory of a compiled and running program. An example would be the location in memory of a list of active tcp endpoints maintained by the networking stack within an operating system.
- Template
Within volatility 3, the term template applies to a
type<Type>
that has not yet been instantiated or linked to any data or a specific location within memory. Once a type has been tied to a particular chunk of data, it is called anobject<Object>
.
- Translation Layer
This is a type of data layer which allows accessing data from lower layers using addresses different to those used by the lower layers themselves. When accessing data in a translation layer, it translates (or
maps<Map>
) addresses from its ownaddress space<Address Space>
to the address space of the lower layer and returns the corresponding data from the lower layer. Note that multiple addresses in the higher layer might refer to the same address in the lower layer. Conversely, some addresses in the higher layer might have no corresponding address in the lower layer at all. Translation layers most commonly handle the translation from virtual to physical addresses, but can be used to translate data to and from a compressed form or translate data from a particular file format into another format.
- Type
This is a structure definition of multiple elements that expresses how data is laid out. Basic types define how the data should be interpreted in terms of a run of bits (or more commonly a collection of 8 bits at a time, called bytes). New types can be constructed by combining other types at specific relative offsets, forming something called a
struct<Struct>
, or by repeating the same type, known as anarray<Array>
. They can even contain other types at the same offset depending on the data itself, known asUnions<Union>
. Once a type has been linked to a specific chunk of data, the result is referred to as anobject<object>
.
- Union
A union is a type that can hold multiple different subtypes, whose relative offsets specifically overlap. A union is a means for holding multiple different types within the same size of data, the relative offsets of the types within the union specifically overlap. This means that the data in a union object is interpreted differently based on the types of the union used to access it.