The VAD tools are a set of scripts for working with Virtual Address Descriptor structures in dumps of Windows physical memory to provide detailed information about a process's memory allocations to a forensic investigator.

These tools are a prototype implementation of the research described in The VAD Tree: A Process-Eye View of Physical Memory, which will be published at the 2007 Digital Forensics Research Workshop. They should not, in their current state, be considered a robust, production-ready implementation, but they are already quite useful for extracting information about process memory allocations from raw memory dumps.


The current version, 0.1, can be downloaded from the SourceForge project page.


Documentation on the tools is available in the README. An explanation of the format of the Virtual Address Descriptor data structure is also available. Finally, a copy of a paper describing the use of the VAD tree in forensic investigations will appear here once it is published.


I have released these tools into the public domain; no copyright is asserted on them. My hope is that someone will find the ideas useful and incorporate them into their own work.


As the tools are still essentially prototypes, there are several areas in which they currently lack:

I doubt I will have time to fix these in the near future, so contributions in the form of code would be greatly appreciated!


The tools, documentation, and this web page were written by Brendan Dolan-Gavitt.