
Method for extracting text data file from physical memory image

A technique for text data and memory images, applied in the fields of electrical digital data processing, special data processing applications, instruments, etc., that can solve problems such as the inability to extract data and the inability to restore data.

Active Publication Date: 2013-02-27
CHONGQING UNIV OF POSTS & TELECOMM

AI Technical Summary

Problems solved by technology

[0004] Like the command prompt and the clipboard, Notepad also holds a large amount of user data. However, the above methods can obtain only part of the information from a memory image file; they cannot accurately extract data from the memory image, and cannot restore damaged or deleted file data.


Embodiment Construction

[0036] The preferred embodiments of the present invention are described in detail below in conjunction with the accompanying drawings; it should be understood that the preferred embodiments only illustrate the present invention and do not limit its scope of protection. Figure 1 is a schematic flow chart of text extraction in the present invention.

[0037] The invention provides a method for extracting text data files in a physical memory image, comprising the following steps:

[0038] S1: Initialize. Obtain from the configuration file the starting virtual page number s of the virtual address space where the notepad process stores text data under the corresponding operating system, and the starting virtual address n of the virtual space where the text data size is stored. For example, the result obtained under the Windows XP VOL edition operating system with physical address extension mode not enabled is: s=0xaf, n...


Abstract

The invention discloses a method for extracting a text data file from a physical memory image. The method comprises the following steps: searching for the EPROCESS structure of the notepad.exe process by using characteristic values of the EPROCESS structure and the offsets between those characteristic values, and acquiring the page directory base address of the process; then acquiring the text data description information and labeling information in memory, and accurately acquiring the text data of the notepad.exe process by applying the operating system's address translation principle. The method can be used for data recovery, data extraction, computer forensics and the like.
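The address translation step named in the abstract, shown as an added example (not code from the patent): a non-PAE x86 two-level page walk that reads a process's virtual pages out of a flat physical image, given the page directory base. The image is constructed inline; treating s=0xaf from step S1 as a virtual page number (address s << 12) and storing the text as UTF-16LE are assumptions of this example, as are all function names.

```python
import struct

PAGE = 0x1000
PRESENT, LARGE = 0x1, 0x80  # entry valid bit; PDE page-size (4 MiB) bit

def vtop(image: bytes, dtb: int, vaddr: int):
    """Translate a 32-bit virtual address with non-PAE two-level paging.
    Returns the physical address, or None if the page is not resident."""
    pde_addr = (dtb & 0xFFFFF000) + ((vaddr >> 22) << 2)
    (pde,) = struct.unpack_from("<I", image, pde_addr)
    if not pde & PRESENT:
        return None
    if pde & LARGE:  # 4 MiB page: there is no page-table level
        return (pde & 0xFFC00000) | (vaddr & 0x003FFFFF)
    pte_addr = (pde & 0xFFFFF000) + (((vaddr >> 12) & 0x3FF) << 2)
    (pte,) = struct.unpack_from("<I", image, pte_addr)
    if not pte & PRESENT:
        return None  # paged-out or transition pages are not handled here
    return (pte & 0xFFFFF000) | (vaddr & 0xFFF)

def read_virtual(image, dtb, vaddr, size):
    """Read size bytes of process virtual memory one page at a time, since
    consecutive virtual pages are generally not physically contiguous."""
    out = bytearray()
    while size > 0:
        chunk = min(size, PAGE - (vaddr & (PAGE - 1)))
        paddr = vtop(image, dtb, vaddr)
        out += image[paddr:paddr + chunk] if paddr is not None else b"\x00" * chunk
        vaddr += chunk
        size -= chunk
    return bytes(out)

def build_sample_image():
    """Constructed 8-page image: page directory at 0x1000, page table at
    0x2000, text split across non-adjacent physical pages 0x6000 and 0x3000."""
    img = bytearray(8 * PAGE)
    dtb, start_va = 0x1000, 0xAF << 12  # s = 0xaf, read as a virtual page number
    text = ("A" * 2040 + "forensic note").encode("utf-16-le")  # spans two pages
    struct.pack_into("<I", img, dtb + ((start_va >> 22) << 2), 0x2000 | PRESENT)
    for i, frame in enumerate((0x6000, 0x3000)):
        vpn = (start_va >> 12) + i
        struct.pack_into("<I", img, 0x2000 + ((vpn & 0x3FF) << 2), frame | PRESENT)
        img[frame:frame + PAGE] = text[i * PAGE:(i + 1) * PAGE].ljust(PAGE, b"\x00")
    return bytes(img), dtb, start_va, len(text)

if __name__ == "__main__":
    image, dtb, va, size = build_sample_image()
    print(read_virtual(image, dtb, va, size).decode("utf-16-le")[-13:])
```

A plain string scan of the same image would find the two halves of the text in the wrong physical order, which is why the page walk is needed to recover the buffer intact.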

Description

Technical field

[0001] The invention relates to the fields of data security and memory forensics within the discipline of computer forensics, in particular to data recovery and to a method for acquiring text information as electronic data evidence.

Background technique

[0002] The organization of memory data is complex and changeable, and data analysis is very difficult. Most current research on memory forensics is aimed at system information. For example, Deutsche Telekom AG proposed in 2006 how to extract process and thread information from memory images; Dolan-Gavitt proposed in 2008 how to extract registry information from memory images; Wang Lianhai proposed in 2009 a KPCR-based method for locating process control blocks; and Okolica and Peterson proposed in 2010 a method for extracting network connection information from memory images.

[0003] However, there are still few studies on how to extract user data from m...


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): G06F17/30, G06F17/22
Inventor: 陈龙康磊董振兴
Owner: CHONGQING UNIV OF POSTS & TELECOMM