This is version 0.30.00 of PTFinder. It is limited to parsing memory
dumps obtained from systems running Microsoft Windows XP with Service
Pack 2. Please use the latest ptfinder-collection if you need support
for other OS versions.

At DFRWS 2006 and later there were several requests for XML output. This
is introduced in this experimental version. Thanks go to George Garner
for his help in defining the schema. The XML Schema Definition is
available from 
   http://computer.forensikblog.de/files/ptfinder/PTFinder.xsd

PTFinder is intended to identify _EPROCESS and _ETHREAD structures in
Windows memory dumps, but it does not analyze these structures.
Consequently the schema contains only the information needed to locate
the structures in a dump file, such as file offset, Process ID and
Thread ID. It is left to other tools to compare their results with those
of PTFinder or to start an in-depth investigation at the specified
locations.

The XML output of PTFinder is now supported by KnTList from GMG
Systems, Inc.

As usual, please send your suggestions and bug reports to
<bugs-ptfinder@forensikblog.de>

Andreas Schuster 
