A Memory Forensics Method Based on Kernel Object Link Relationship

A method based on kernel objects and their link relationships, applied in memory systems, instruments, and electrical and digital data processing, that addresses problems such as data corruption, achieves good accuracy, and overcomes the uncertainty and slow speed of string-matching approaches.

Active Publication Date: 2017-01-04
HANGZHOU DIANZI UNIV

AI Technical Summary

Problems solved by technology

Some computer enthusiasts or hackers use various computer vulnerabilities, backdoors and malicious codes to invade computers, and some malicious intruders are likely to destroy data



Embodiment Construction

[0050] Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings, but are not limited thereto.

[0051] Figure 1 is a flow chart of a memory forensics method based on kernel object link relationships according to an embodiment of the present invention. As shown in figure 1, the method includes: using DumpIt to obtain a memory image; using Windbg to debug a system of the same version as the system under examination (or the forensics system itself) to obtain the system's data structures; using those data structures to derive the relationship graph between kernel objects; using the magic number of Eprocess to locate its physical position in the memory image; and using the relationship graph between kernel objects to traverse all kernel objects in the system through the physical locatio...


Abstract

The invention provides a memory forensics method based on kernel object link relations. The method includes: acquiring a running memory image file by the operating system blue-screen memory dump technique or by memory dump tool software; acquiring the data structures of the kernel objects with the debugging tool Windbg; deriving a link relation graph of the kernel objects from those data structures; using Windbg to debug a system of the same version to obtain the magic number of the kernel object Eprocess and the PoolTag of each kernel object; locating the data structure of the kernel object Eprocess in the memory image file by means of the magic number; and progressively acquiring the information of the kernel objects in the system according to the link relation graph obtained in step 3, so that evidence collection for the memory system is achieved. The method is high in accuracy, efficiency and pertinence, and solves the problem that traditional string-matching-based memory forensics is uncertain and slow.
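The sequence in the abstract (locate one Eprocess by its magic value or pool tag, then follow the link relations to enumerate the remaining objects) is illustrated by the following added example. It is not code from the patent or from Hangzhou Dianzi University. It builds a constructed toy image in which each process object is 64 bytes with an assumed tag value `b"Proc"` and assumed field offsets; real EPROCESS offsets and tag values depend on the Windows build and are read from Windbg, as the patent describes. A decoy copy of the tag bytes inside ordinary string data shows why a bare string match is uncertain, and how checking that the neighbouring objects link back to a candidate removes the false hit before the list walk.

```python
"""Locate process objects in a raw memory image by tag, validate them through
their link relations, then walk the process list from one located object.

Added example, not the patent's code. Every offset, the tag value and the
image layout are constructed assumptions for this toy."""
import re
import struct

# Constructed object layout (assumptions): one 64-byte object per process.
OBJ_SIZE = 64
TAG_OFF, PID_OFF, FLINK_OFF, BLINK_OFF, NAME_OFF = 0, 8, 16, 24, 32
LIST_ENTRY_OFF = FLINK_OFF      # links point at this field, not at the object base
POOL_TAG = b"Proc"              # assumed tag / magic value for this toy
IMAGE_SIZE = 4096

# Constructed sample: (physical address of object, pid, image name).
SAMPLE_PROCS = [
    (0x100, 4, "System"),
    (0x400, 312, "smss.exe"),
    (0x900, 1044, "explorer.exe"),
    (0xC00, 2200, "notepad.exe"),
]


def build_image(procs):
    """Lay the objects into a zeroed image and chain them in a circular
    doubly linked list. Also plant the tag bytes inside plain string data."""
    img = bytearray(IMAGE_SIZE)
    img[3000:3016] = b"Process Explorer"   # decoy: "Proc" with no object behind it
    n = len(procs)
    for i, (base, pid, name) in enumerate(procs):
        nxt = procs[(i + 1) % n][0] + LIST_ENTRY_OFF
        prv = procs[(i - 1) % n][0] + LIST_ENTRY_OFF
        img[base + TAG_OFF:base + TAG_OFF + 4] = POOL_TAG
        struct.pack_into("<I", img, base + PID_OFF, pid)
        struct.pack_into("<QQ", img, base + FLINK_OFF, nxt, prv)
        img[base + NAME_OFF:base + NAME_OFF + 16] = name.encode().ljust(16, b"\0")
    return bytes(img)


def _in_image(addr):
    """A link value is usable only if the object it belongs to lies in the image."""
    return LIST_ENTRY_OFF <= addr and addr - LIST_ENTRY_OFF + OBJ_SIZE <= IMAGE_SIZE


def read_object(img, base):
    pid = struct.unpack_from("<I", img, base + PID_OFF)[0]
    flink, blink = struct.unpack_from("<QQ", img, base + FLINK_OFF)
    raw = img[base + NAME_OFF:base + NAME_OFF + 16].split(b"\0", 1)[0]
    return {"base": base, "pid": pid, "flink": flink, "blink": blink,
            "name": raw.decode(errors="replace")}


def scan_by_tag(img):
    """Tag scan with a link-consistency check: a hit is kept only when the
    objects its flink/blink point at link back to it, which rejects the decoy."""
    hits, pos = [], img.find(POOL_TAG)
    while pos != -1:
        if pos + OBJ_SIZE <= IMAGE_SIZE:
            obj = read_object(img, pos)
            me = pos + LIST_ENTRY_OFF
            if _in_image(obj["flink"]) and _in_image(obj["blink"]):
                nxt = read_object(img, obj["flink"] - LIST_ENTRY_OFF)
                prv = read_object(img, obj["blink"] - LIST_ENTRY_OFF)
                if nxt["blink"] == me and prv["flink"] == me:
                    hits.append(obj)
        pos = img.find(POOL_TAG, pos + 1)
    return hits


def walk_process_list(img, start_base, limit=1024):
    """Follow forward links from one located object around the circular list.
    Stops when the start is reached again, on a bad pointer, or at the limit."""
    out, seen, base = [], set(), start_base
    while base not in seen and len(out) < limit:
        seen.add(base)
        obj = read_object(img, base)
        out.append((obj["pid"], obj["name"]))
        if not _in_image(obj["flink"]):
            break
        base = obj["flink"] - LIST_ENTRY_OFF   # CONTAINING_RECORD-style step
    return out


def demo():
    img = build_image(SAMPLE_PROCS)
    raw_hits = [m.start() for m in re.finditer(re.escape(POOL_TAG), img)]
    objs = scan_by_tag(img)
    walked = walk_process_list(img, objs[0]["base"]) if objs else []
    return {"raw_tag_hits": raw_hits,
            "validated": [o["base"] for o in objs],
            "walked": walked}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The raw scan reports five positions, one of them the decoy string at 3000; the link check keeps the four genuine objects, and walking from the first of them yields all four processes in list order. On a real image the same shape applies, with the offsets replaced by the values read from Windbg for the exact build.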

Description

Technical field

[0001] The invention belongs to the field of computer forensics, in particular Microsoft Windows memory forensics, and more specifically to a memory forensics method based on the link relationships of kernel objects.

Background technique

[0002] The development of computer technology has greatly improved people's work efficiency, promoted economic and social development, and enriched people's spare time. As computer technology has brought huge benefits to society, computer crime has also penetrated all aspects of society. According to statistics of the US Federal Bureau of Investigation (FBI), in response to computer crimes such as malicious code, spyware and computer viruses, US companies have invested as much as US$67.2 billion in information security. Some computer enthusiasts and hackers exploit computer vulnerabilities, backdoors and malicious code to break into computers, and some malicious intruders are likely to destroy data. ...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/56, G06F12/1009, G06F12/1036
CPC: G06F12/109, G06F21/566
Inventors: 徐明, 肖涛, 徐建, 郑宁
Owner: HANGZHOU DIANZI UNIV