computer-forensics

abnormalities in windows threads, attached process and owned process


So I am doing some memory analysis on a Windows memory image and I am looking at threads spawned by processes.

The tool I am using is Volatility.

So I was checking the threads spawned by an explorer process. My question is: does a thread always have to have 1) an owned process and 2) an attached process?

I caught an explorer thread that has an Owned Process of Explorer.exe, but the Attached Process does not have a name. The process with no name has an associated address in memory.

Is it normal for a thread to have an attached process with no name? Also, what is the difference between an owned process and an attached process?

Thanks for looking.


Solution

  • An AttachedProcess search finds "threads that are currently executing in the context of a process other than the process which owns the thread" (from https://code.google.com/p/volatility/wiki/CommandReference).

    This article will explain this for you: http://mnin.blogspot.com/2011/04/investigating-windows-threads-with.html

    There is an entire section on attached processes and their implications in memory analysis.
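As an added illustration of the point above (this is example code, not part of the answer or of the Volatility project): the AttachedProcess check is a comparison of two fields per thread, the owning process and the process whose address space the thread is currently running in. The script below parses text in the shape of Volatility 2's `threads` plugin output, pairs the "Owning Process" and "Attached Process" lines of each ETHREAD record, and reports threads whose attached process differs from the owner, plus the case the question describes, an attached process whose name cannot be resolved. The sample output embedded in the script is constructed for the example (addresses, PIDs and names are made up), and the exact line layout is an assumption about the plugin's text format; adapt the regexes if your Volatility version prints the fields differently.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of Volatility 2 `threads` output
# (field labels as that plugin prints them; all values are made up).
SAMPLE_THREADS_OUTPUT = """\
------
ETHREAD: 0x8631e020 Pid: 1256 Tid: 1260
Tags:    
Created: 2011-03-17 16:29:39
Exited:  1970-01-01 00:00:00
Owning Process: 0x8631d020 'explorer.exe'
Attached Process: 0x8631d020 'explorer.exe'
State:   Waiting:UserRequest
------
ETHREAD: 0x8633f7a8 Pid: 1256 Tid: 1304
Tags:    
Created: 2011-03-17 16:29:41
Exited:  1970-01-01 00:00:00
Owning Process: 0x8631d020 'explorer.exe'
Attached Process: 0x86400da0 ''
State:   Running
------
ETHREAD: 0x86301020 Pid: 4 Tid: 8
Tags:    SystemThread
Created: 2011-03-17 16:28:02
Exited:  1970-01-01 00:00:00
Owning Process: 0x8630a020 'System'
Attached Process: 0x8631d020 'explorer.exe'
State:   Waiting:Executive
"""

# One record starts at an ETHREAD header; the two process lines carry an
# EPROCESS address followed by the quoted image name (empty if unresolved).
HDR_RE = re.compile(r"^ETHREAD:\s+(0x[0-9a-fA-F]+)\s+Pid:\s+(\d+)\s+Tid:\s+(\d+)")
PROC_RE = re.compile(r"^(Owning|Attached) Process:\s+(0x[0-9a-fA-F]+)\s+'([^']*)'")


def parse_threads(text: str) -> List[Dict[str, object]]:
    """Group the plugin's text output into one dict per ETHREAD record."""
    records: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in text.splitlines():
        if line.startswith("------"):
            if current:
                records.append(current)
            current = {}
            continue
        m = HDR_RE.match(line)
        if m:
            current = {"ethread": m.group(1).lower(),
                       "pid": int(m.group(2)), "tid": int(m.group(3))}
            continue
        m = PROC_RE.match(line)
        if m and current:
            key = "owning" if m.group(1) == "Owning" else "attached"
            current[key + "_addr"] = m.group(2).lower()
            current[key + "_name"] = m.group(3)
    if current:
        records.append(current)
    return records


def flag_attached(records: List[Dict[str, object]]) -> List[Tuple[int, int, List[str]]]:
    """Return (pid, tid, reasons) for threads that warrant a closer look."""
    findings = []
    for r in records:
        if "owning_addr" not in r or "attached_addr" not in r:
            continue  # incomplete record; nothing to compare
        reasons = []
        # The AttachedProcess condition: running in a process other than the owner.
        if r["attached_addr"] != r["owning_addr"]:
            reasons.append("attached to %s (%r) while owned by %s (%r)" % (
                r["attached_addr"], r["attached_name"],
                r["owning_addr"], r["owning_name"]))
        # The situation in the question: the attached EPROCESS has no name,
        # e.g. it is unlinked or terminated, so it deserves manual review.
        if not r["attached_name"]:
            reasons.append("attached EPROCESS at %s has no resolvable name" % r["attached_addr"])
        if reasons:
            findings.append((int(r["pid"]), int(r["tid"]), reasons))
    return findings


if __name__ == "__main__":
    for pid, tid, reasons in flag_attached(parse_threads(SAMPLE_THREADS_OUTPUT)):
        print("PID %d TID %d:" % (pid, tid))
        for why in reasons:
            print("    " + why)
```

Run it against a real dump by replacing `SAMPLE_THREADS_OUTPUT` with the saved text of `vol.py ... threads`; a thread that only shows "attached elsewhere" may be a legitimate `KeStackAttachProcess` in progress, so treat the result as a triage list to cross-check against `pslist`/`psscan` rather than a verdict.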