There are various techniques (String Search, Signature, List Traversal, Kernel Object, etc.) to perform memory forensics. Among them, Kernel Object-based memory forensics techniques that utilize the object structure of the kernel are considered the most reliable. Kernel Object-based memory forensics techniques require prior knowledge of the object structure of the operating system kernel used in the memory dump. However, reverse engineering the kernel for a vast number of operating system versions and architectures to identify the object structure is labor- and time-consuming. To solve this problem, academic researchers have developed methods to efficiently identify the structure of various kernel objects. Various studies have been conducted to identify key features that kernel objects leave in memory, or to use automation technology. We will review these works and discuss what further research can be done and the challenges that need to be considered.
