
Method of extracting dormancy data of Windows operating system

An operating-system and data technique, classified under electrical digital data processing, boot programs and program control design, which addresses the absence of any previously disclosed technical scheme for extracting the hibernation data of the Windows operating system.

Active Publication Date: 2018-11-16
SICHUAN QIAODUOTIANGONG PRECISION EQUIP CO LTD

AI Technical Summary

Problems solved by technology

[0004] In the prior art, memory forensics tools such as Volatility and Rekall can analyze the hibernation data of the Windows operating system, but no specific technical scheme for extracting that hibernation data has been disclosed.




Embodiment Construction

[0047] The invention is further elaborated below with reference to the accompanying drawings and embodiments. As shown in figure 1, the method of the invention comprises the following steps:

[0048] S100: read the status value of the signature field Signature of the system file hiberfil.sys. Figure 2 is a schematic diagram of the data structure of hiberfil.sys in the hibernation state in one embodiment of the invention. As shown in figure 2, take offset 0x0000 of hiberfil.sys as the base address and read 0x1000 bytes as the page-object storage image structure PO_MEMORY_IMAGE, which contains the signature field Signature and the first table page address FTP (FirstTablePage). As shown in figure 2, the status value of Signature is the string HIBR stored in ASCII, which denotes hibernation; the address FirstTablePa...



Abstract

The invention discloses a method of extracting the hibernation (dormancy) data of a Windows operating system, characterized by the following steps:
S100: read the status value of the signature field Signature of the system file hiberfil.sys.
S200: judge whether the status value of Signature denotes hibernation; if so, go to S300, otherwise go to S500.
S300: acquire the structure of the page-object storage image PO_MEMORY_IMAGE in the hibernation state.
S400: acquire the first table page FTP (FirstTablePage) of PO_MEMORY_IMAGE in the hibernation state, then go to S700.
S500: judge whether the status value of Signature denotes the awake (resumed) state; if so, go to S600, otherwise end the process.
S600: acquire the first table page FTP in the awake state.
S700: acquire the structure of the page-object storage range array _PO_MEMORY_RANGE_ARRAY.
S800: judge whether _PO_MEMORY_RANGE_ARRAY is empty; if so, end the process, otherwise go to S900.
S900: acquire the XPRESS data set, locate the starting address of the next page-object storage range array _PO_MEMORY_RANGE_ARRAY, and go back to S700.
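The S100 to S900 walk described in the embodiment and in the abstract above, as an added Python example; it is not the patent's code and not Volatility's or Rekall's. The page itself only fixes the signature at offset 0x0000, the 0x1000-byte PO_MEMORY_IMAGE and the names of the later structures, so everything else below is an assumption taken from the XP-to-Windows 7 hiberfil.sys layout as documented by the Volatility project: FirstTablePage at offset 0x58 (the XP x86 field offset), the _PO_MEMORY_RANGE_ARRAY link header followed by 16-byte range entries with an exclusive EndPage, an XPRESS set that starts on the page after its range array, the 8-byte "\x81\x81xpress" block signature with a 4-byte length header and 8-byte block alignment, at most 16 pages per block, and MS-XCA plain LZ77 ("Xpress") compression. The page writes the signature as HIBR; XP-to-7 files actually carry lowercase hibr, and a file that has been used to resume carries wake, so the check is case-insensitive. The page does not say how S600 differs from S400, so the example reads the same header field in both states. The sample image produced by build_sample_hiberfil is constructed for the test and is not a real hibernation file. Windows 8 and later changed the file format (different header, Xpress-Huffman compression), so this walker does not apply there.

```python
import struct

PAGE = 0x1000
PAGES_PER_BLOCK = 16               # assumed: one XPRESS block decodes to at most 16 pages
FTP_OFFSET = 0x58                  # assumed: PO_MEMORY_IMAGE.FirstTablePage on XP x86
XPRESS_MAGIC = b"\x81\x81xpress"   # assumed: 8-byte XPRESS block signature

def read_signature(image):
    """S100/S200/S500: HIBR/hibr = hibernated, WAKE/wake = resumed, anything else = None."""
    return {b"HIBR": "hibernated", b"WAKE": "resumed"}.get(image[:4].upper())

def parse_range_array(image, page):
    """S700 (assumed layout): 16-byte link {Next, NextTable, CheckSum, EntryCount}, then
    16-byte entries {PageNo, StartPage, EndPage, CheckSum}; EndPage is exclusive."""
    base = page * PAGE
    _, next_table, _, count = struct.unpack_from("<4I", image, base)
    if count > (PAGE - 16) // 16:
        raise ValueError("implausible EntryCount %d" % count)
    ranges = [struct.unpack_from("<4I", image, base + 16 * (i + 1))[1:3] for i in range(count)]
    if any(end < start for start, end in ranges):
        raise ValueError("range ends before it starts")
    return next_table, ranges

def xpress_decode(data, size):
    """MS-XCA plain LZ77 (Xpress): 32-bit flag words, bit 0 = literal byte, bit 1 = match."""
    out, pos, flags, nflags, nib = bytearray(), 0, 0, 0, None
    while len(out) < size:
        if nflags == 0:
            if pos + 4 > len(data):
                break
            flags, pos, nflags = struct.unpack_from("<I", data, pos)[0], pos + 4, 32
        nflags -= 1
        if not flags >> nflags & 1:
            if pos >= len(data):
                break
            out.append(data[pos])
            pos += 1
            continue
        if pos + 2 > len(data):                       # end-of-stream marker
            break
        m, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
        dist, length = (m >> 3) + 1, m & 7
        if length == 7:                               # long form: shared nibble, byte, word
            if nib is None:
                nib, length, pos = pos, data[pos] & 0xF, pos + 1
            else:
                length, nib = data[nib] >> 4, None
            if length == 15:
                length, pos = data[pos], pos + 1
                if length == 255:
                    length, pos = struct.unpack_from("<H", data, pos)[0] - 22, pos + 2
                length += 15
            length += 7
        length += 3
        for _ in range(length):                       # overlapping copy: dist may be < length
            out.append(out[-dist])
    return bytes(out[:size])

def read_xpress_block(image, offset, size):
    """S900 (assumed framing): magic, 4-byte header with compressed length (hdr >> 10) + 1,
    8-byte aligned; a block as long as its plain size is stored uncompressed."""
    if image[offset:offset + 8] != XPRESS_MAGIC:
        raise ValueError("no XPRESS block at %#x" % offset)
    csize = (struct.unpack_from("<I", image, offset + 8)[0] >> 10) + 1
    comp = image[offset + 12:offset + 12 + csize]
    if len(comp) != csize:
        raise ValueError("truncated XPRESS block at %#x" % offset)
    data = comp if csize == size else xpress_decode(comp, size)
    return data, (offset + 12 + csize + 7) & ~7

def extract_pages(image):
    """S100-S900: {physical page number: page bytes}; {} when the signature is neither state."""
    if read_signature(image) is None:
        return {}
    table = struct.unpack_from("<I", image, FTP_OFFSET)[0]  # S400 and S600 read the same field here
    pages, seen = {}, set()
    while table and table not in seen and (table + 1) * PAGE <= len(image):
        seen.add(table)                                     # a cyclic NextTable chain ends the walk
        next_table, ranges = parse_range_array(image, table)
        if not ranges:                                      # S800: empty array ends the walk
            break
        wanted = [p for start, end in ranges for p in range(start, end)]
        offset = (table + 1) * PAGE                         # XPRESS set follows its table (assumed)
        for i in range(0, len(wanted), PAGES_PER_BLOCK):
            chunk = wanted[i:i + PAGES_PER_BLOCK]
            raw, offset = read_xpress_block(image, offset, len(chunk) * PAGE)
            pages.update({pfn: raw[k * PAGE:(k + 1) * PAGE] for k, pfn in enumerate(chunk)})
        table = next_table
    return pages

def build_sample_hiberfil():
    """Constructed test image, not a real hiberfil.sys: header, one range array with two
    ranges, one XPRESS block carrying the three pages as literals. Returns (image, pages)."""
    ranges = [(0x10, 0x12), (0x80, 0x81)]
    order = [p for s, e in ranges for p in range(s, e)]
    expected = {p: (b"page %#x " % p).ljust(PAGE, b"\0") for p in order}
    header = bytearray(PAGE)
    header[:4] = b"HIBR"
    struct.pack_into("<I", header, FTP_OFFSET, 1)             # FirstTablePage = page 1
    table = bytearray(PAGE)
    struct.pack_into("<4I", table, 0, 0, 0, 0, len(ranges))   # NextTable = 0: last table
    for i, (s, e) in enumerate(ranges):
        struct.pack_into("<4I", table, 16 * (i + 1), 0, s, e, 0)
    plain = b"".join(expected[p] for p in order)
    comp = b"".join(b"\0\0\0\0" + plain[i:i + 32] for i in range(0, len(plain), 32))
    block = XPRESS_MAGIC + struct.pack("<I", (len(comp) - 1) << 10) + comp
    return bytes(header) + bytes(table) + block + b"\0" * (-len(block) % 8), expected
```

extract_pages returns the pages keyed by physical page number, which is what the next forensic step (rebuilding a physical address space for Volatility-style analysis) needs. The bounds checks on EntryCount, range order, the block signature and truncated blocks are what keep the walk from misbehaving on a corrupt or partially overwritten file, the usual state of a hiberfil.sys recovered from a disk image.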

Description

Technical field
[0001] The invention belongs to the field of electronic evidence collection and in particular relates to a method for extracting the hibernation data of a Windows operating system.

Background technique
[0002] Starting from Windows 2000, Microsoft has used a mechanism that lets the Windows operating system save its current operating state when the power is about to be turned off. The data is written to the system file hiberfil.sys on disk; when the computer is next started, the operating state at the time of power-off can be restored from that file.
[0003] Because the hibernation data holds the volatile contents of memory, it is a good source of information for electronic forensics.
[0004] In the prior art, memory forensics tools such as Volatility and Rekall can analyze the hibernation data of the Windows operating system, but no specific techni...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F11/34, G06F9/4401
CPC: G06F9/4418, G06F11/3476
Inventors: 梁效宁, 朱星海, 韩勇, 许超明, 吕靓婷
Owner: SICHUAN QIAODUOTIANGONG PRECISION EQUIP CO LTD