A method of extracting dormancy data of windows operating system

A method in the field of operating systems and data processing (classified under electrical digital data processing, instrumentation, and error detection/correction) that addresses the absence of any disclosed technique for extracting the hibernation data of the Windows operating system.

Active Publication Date: 2021-07-27
SICHUAN QIAODUOTIANGONG PRECISION EQUIP CO LTD
Problems solved by technology

[0004] In the prior art, memory forensics tools such as Volatility and Rekall can analyze the hibernation data of the Windows operating system, but no specific technical solution for extracting that hibernation data has been disclosed.

Embodiment Construction

[0042] The present invention is further described below with reference to the accompanying drawings and embodiments. As shown in figure 1, the method of the present invention comprises the following steps:

[0043] S100: read the status value of the signature field Signature of the system file hiberfil.sys. Figure 2 is a schematic diagram of the data structure of the system file hiberfil.sys in the hibernation state in one embodiment of the present invention. As shown in figure 2, offset address 0x0000 of the system file hiberfil.sys is taken as the head address, and 0x1000 bytes are read from it as the page object storage image structure PO_MEMORY_IMAGE, which contains the signature field Signature and the address of the first table page (FTP), FirstTablePage. As shown in figure 2, the status value of the signature field Signature is the character string HIBR stored in ASCII, which indicates hibernation; the address FirstTablePage of th...

Abstract

The invention discloses a method for extracting Windows operating system hibernation data, comprising the following steps:
S100: read the status value of the signature field Signature of the system file hiberfil.sys;
S200: judge whether the status value of the signature field Signature indicates hibernation; if yes, execute step S300, otherwise execute step S500;
S300: obtain the page object storage image structure PO_MEMORY_IMAGE in the hibernation state;
S400: obtain the first table page (FTP) of the page object storage image PO_MEMORY_IMAGE in the hibernation state, then execute step S700;
S500: judge whether the status value of the signature field Signature indicates the awake state; if yes, execute step S600, otherwise end the process;
S600: obtain the first table page (FTP) in the awake state;
S700: obtain the page object storage range array structure _PO_MEMORY_RANGE_ARRAY;
S800: judge whether the page object storage range array _PO_MEMORY_RANGE_ARRAY is empty; if yes, end the process, otherwise execute step S900;
S900: obtain the XPRESS data set, obtain and address the starting address of the next page object storage range array _PO_MEMORY_RANGE_ARRAY, then execute step S700.
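The step flow above (S100 to S900) and the embodiment step [0043], worked through as an added Python example; this is not the patent's own code and not code from Volatility or Rekall. It checks the Signature at offset 0x0000, reads FirstTablePage from the 0x1000-byte PO_MEMORY_IMAGE page, follows the NextTable links of the _PO_MEMORY_RANGE_ARRAY tables, and locates the XPRESS blocks that follow each table. Everything the page does not state is an assumption: the field offsets (FirstTablePage at 0x58, 16-byte link and range entries, the 32-bit Windows XP/7 layout as modelled by open forensic tools), the XPRESS block header encoding and 8-byte body alignment, and the sample image, which is constructed inline. Decompression of the block bodies is not shown, and the awake-state branch (S600) is not reproduced because the page does not say where the table page is recovered from in that state.

```python
"""Parse a hiberfil.sys header and walk its _PO_MEMORY_RANGE_ARRAY chain.

Added example, not code from the patent. Field offsets follow the 32-bit
Windows XP/7 layout as modelled by open memory-forensics tools; they are an
assumption here and differ on 64-bit builds and on Windows 8 and later."""
import struct

PAGE_SIZE = 0x1000
OFF_FIRST_TABLE_PAGE = 0x58   # PO_MEMORY_IMAGE.FirstTablePage (assumed 32-bit layout)
LINK_FMT = "<IIII"            # _PO_MEMORY_RANGE_ARRAY_LINK: Next, NextTable, CheckSum, EntryCount
RANGE_FMT = "<IIII"           # _PO_MEMORY_RANGE_ARRAY_RANGE: PageNo, StartPage, EndPage, CheckSum
XPRESS_SIG = b"\x81\x81xpress"
XPRESS_HDR_LEN = 0x20


def signature_state(image):
    """S100/S200/S500: classify the 4-byte Signature at offset 0x0000."""
    sig = image[0:4].lower()
    if sig == b"hibr":
        return "hibernation"
    if sig == b"wake":
        return "awake"
    return "unknown"


def first_table_page(image):
    """S300/S400: read FirstTablePage from the 0x1000-byte PO_MEMORY_IMAGE page."""
    header = image[:PAGE_SIZE]
    return struct.unpack_from("<I", header, OFF_FIRST_TABLE_PAGE)[0]


def xpress_blocks(image, start, end):
    """S900: enumerate the XPRESS blocks that follow a table page.

    Assumed block format: 8-byte signature, then a 32-bit field whose upper
    22 bits hold (compressed size - 1); the body is padded to 8 bytes.
    Returns (body_offset, compressed_size) pairs."""
    blocks, pos = [], start
    while pos + XPRESS_HDR_LEN <= end and image[pos:pos + 8] == XPRESS_SIG:
        info = struct.unpack_from("<I", image, pos + 8)[0]
        size = (info >> 10) + 1
        blocks.append((pos + XPRESS_HDR_LEN, size))
        pos = (pos + XPRESS_HDR_LEN + size + 7) & ~7
    return blocks


def walk_range_arrays(image, ftp):
    """S700-S900: follow the NextTable chain, collecting page ranges and blocks."""
    ranges, blocks, seen = [], [], set()
    table = ftp
    while table and table not in seen:            # S800: a zero table ends the walk
        seen.add(table)                           # refuse to loop on a corrupt chain
        base = table * PAGE_SIZE
        _next, next_table, _cs, count = struct.unpack_from(LINK_FMT, image, base)
        for i in range(count):
            _pg, start, end, _cs = struct.unpack_from(RANGE_FMT, image, base + 0x10 + 0x10 * i)
            ranges.append((start, end))            # EndPage taken as exclusive (assumption)
        data_end = next_table * PAGE_SIZE if next_table else len(image)
        blocks.extend(xpress_blocks(image, base + PAGE_SIZE, data_end))
        table = next_table
    return ranges, blocks


def extract(image):
    """Whole flow S100 -> S200 -> S300/S400 -> S700..S900 (S600 not reproduced)."""
    state = signature_state(image)
    if state != "hibernation":
        return state, [], []
    ranges, blocks = walk_range_arrays(image, first_table_page(image))
    return state, ranges, blocks


def _put_block(img, pos, body):
    """Write one XPRESS block at pos (constructed data) and return the next slot."""
    img[pos:pos + 8] = XPRESS_SIG
    struct.pack_into("<I", img, pos + 8, (len(body) - 1) << 10)
    img[pos + XPRESS_HDR_LEN:pos + XPRESS_HDR_LEN + len(body)] = body
    return (pos + XPRESS_HDR_LEN + len(body) + 7) & ~7


def build_sample():
    """Constructed five-page hiberfil-like image: header, table, data, table, data."""
    img = bytearray(PAGE_SIZE * 5)
    img[0:4] = b"hibr"
    struct.pack_into("<I", img, OFF_FIRST_TABLE_PAGE, 1)          # first table in page 1
    struct.pack_into(LINK_FMT, img, 1 * PAGE_SIZE, 0, 3, 0, 2)     # 2 ranges, next table page 3
    struct.pack_into(RANGE_FMT, img, 1 * PAGE_SIZE + 0x10, 0, 0x10, 0x20, 0)
    struct.pack_into(RANGE_FMT, img, 1 * PAGE_SIZE + 0x20, 0, 0x100, 0x108, 0)
    nxt = _put_block(img, 2 * PAGE_SIZE, b"A" * 21)               # XPRESS set for table 1
    _put_block(img, nxt, b"B" * 40)
    struct.pack_into(LINK_FMT, img, 3 * PAGE_SIZE, 0, 0, 0, 1)     # 1 range, last table
    struct.pack_into(RANGE_FMT, img, 3 * PAGE_SIZE + 0x10, 0, 0x200, 0x201, 0)
    _put_block(img, 4 * PAGE_SIZE, b"C" * 100)                    # XPRESS set for table 3
    return bytes(img)


if __name__ == "__main__":
    state, ranges, blocks = extract(build_sample())
    print(state, [(hex(s), hex(e)) for s, e in ranges], blocks)
```

Running the file prints the state, the three page ranges and the three block locations found in the constructed image. Against a real hiberfil.sys, check the signature state before anything else: after a resume the signature reads wake and the header page may no longer describe the tables; an EntryCount or NextTable that points past the end of the file is a sign of a truncated or tampered capture, which is why the walk is bounded by the file length and refuses to revisit a table page.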

Description

Technical field

[0001] The invention belongs to the field of electronic evidence collection, and in particular relates to a method for extracting hibernation data of a Windows operating system.

Background technique

[0002] Starting from Windows 2000, Microsoft has used a mechanism that allows the Windows operating system to save its current running state when the power is about to be turned off. The data is saved to the system file hiberfil.sys on disk. When the computer is powered on and started again, the running state at the time of the last power-off can be restored from the system file hiberfil.sys on disk.

[0003] Since the Windows operating system hibernation data stores the volatile data of the entire memory, it is a good source of information for electronic forensics.

[0004] In the prior art, memory forensics tools such as Volatility and Rekall can analyze the hibernation data of the Windows operating system, but no specific techni...

Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F11/34, G06F9/4401
CPC: G06F9/4418, G06F11/3476
Inventor 梁效宁朱星海韩勇许超明吕靓婷
Owner SICHUAN QIAODUOTIANGONG PRECISION EQUIP CO LTD