
Modular computer forensic system and method based on hardware virtualization

A hardware virtualization and computer forensics technology, applied in hardware monitoring, software emulation/interpretation/simulation, program control devices, etc. It addresses the problems that intrusion behaviour cannot be reconstructed, that a memory image cannot be guaranteed to contain the intrusion evidence, and that image-based acquisition is time-consuming and difficult to implement, among other issues.

Inactive Publication Date: 2015-03-11
NANJING UNIV

AI Technical Summary

Problems solved by technology

One of the disadvantages of this method is that memory acquisition requires a lot of time and space. To ensure the consistency of a memory snapshot, the target machine must be halted, and a long downtime affects the normal operation of important machines.
Processing a complete memory image in the analysis phase is also very complicated.
In addition, because memory is volatile, there is no guarantee that the image contains the intrusion evidence, and the time-consuming nature of image acquisition and analysis makes it difficult to run image-based evidence collection frequently.
For these reasons, most intrusions that occur in the kernel currently cannot be reconstructed.


Embodiment Construction

[0073] The present invention will be further described below in conjunction with the accompanying drawings.

[0074] The detailed operating process of this method is shown in Figure 1 to Figure 5.

[0075] Figure 1 shows the three life-cycle phases of this method: the startup phase, the running phase and the unloading phase. The initialization driver is used to deploy and uninstall the forensics platform in a running operating system.

[0076] This embodiment adopts the Intel VT technology. At startup, the initialization driver obtains kernel privileges in the operating system, calls the memory allocation function to allocate enough space for the virtual machine to operate, and configures the VMCS structure that defines the whole virtual machine. It then copies the running state of the current operating system into the Guest-State Area, and configures the event-handling function of the forensics platform, each descriptor table, the stack and the registers in the Host-S...


Abstract

The invention discloses a modular computer forensic system and method based on hardware virtualization. The modular computer forensic system comprises an initialization driver, a system control center, a system support module set and a forensic function module set. The method is based on hardware virtualization technology: a lightweight virtual machine is set up through the initialization driver while the operating system is running, the system control center supports the hardware virtual platform and manages all sub-modules, and the system support module set supports all basic functions of the forensic module set. According to the method, the interfaces of the forensic function module set are standardized, reuse and extension of the modules are supported, and forensic tools can focus on their core function, so a large amount of repetitive work is reduced; no code of the target operating system needs to be modified, performance loss is low, memory usage is small, a safe and trustworthy real-time forensic foundation platform is set up, and the development of various virtualization-based forensic tools is made more convenient.

Description

Technical field

[0001] The invention relates to a method in the field of computer forensics, in particular to a modular real-time computer forensics system and method based on hardware virtualization.

Background technique

[0002] The purpose of computer forensics is to present the traces left by criminals on a computer to a court as effective evidence, in order to combat computer and network crime. One of the difficult issues is how to obtain evidence of an intrusion as soon as it happens and to find the criminal program or perpetrator when a computer intrusion occurs. The current forensic method is mainly "acquire first, then analyze": first obtain a memory image, then reconstruct the intrusion event from the image information to try to obtain evidence. One of the disadvantages of this method is that memory acquisition requires a lot of time and space. To ensure the consistency of memory snapshots, it is necessary to stop the op...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F11/30; G06F9/455
Inventor: 伏晓程盈心骆斌杨瑞阮豪
Owner: NANJING UNIV