Method for analyzing dormant data of Windows operating system

A method in operating-system and data technology, applied in electrical digital data processing, boot programs, program control design, etc.; it addresses the problem that no specific technical solution for analyzing Windows operating system hibernation data had been disclosed, among other problems.

Active Publication Date: 2019-04-16
SICHUAN QIAODUOTIANGONG PRECISION EQUIP CO LTD

Problems solved by technology

[0004] In the prior art, memory forensics tools such as Volatility and Rekall can analyze the dormant data of the Windows operating system, but no specific technical solution for analyzing the dormant data of the Windows operating system has been disclosed.

Embodiment Construction

[0033] The present invention is further elaborated below in conjunction with the accompanying drawings and embodiments. As shown in Figure 1, the method of the present invention comprises the following steps:

[0034] S001: import the dormant file hiberfil.sys of the Windows operating system;

[0035] S002: determine whether the dormant file hiberfil.sys comes from a Windows operating system version below Windows 8; if so, execute step S005, otherwise execute step S003. The concrete steps are:

[0036] S0021: Figure 2 is a schematic diagram of the data structure of the header structure in this embodiment; read the value of the signature field Signature in the header structure _IMAGE_XPRESS_HEADER;

[0037] S0022: determine whether the value of the signature field Signature in the header structure _IMAGE_XPRESS_HEADER equals \x81\x81xpress; if so, execute step S005, otherwise execute step S003.

[0038] S003: analyze the ...

Abstract

The invention discloses a method for analyzing dormant data of a Windows operating system. The method is characterized by comprising the following steps: S001, importing a dormant file of the Windows operating system; S002, judging whether the dormant file of the Windows operating system is from a version below the Windows 8 operating system or not; if so, executing step S005, and if not, executing step S003; S003, analyzing the dormant file of the Windows operating system, obtaining a first guide recovery page and a first kernel recovery page, and obtaining the offset addresses of the respective recovery sets; S004, analyzing the recovery set and obtaining the data of the compression set, and ending the process; S005, extracting the dormant data of the Windows operating system; and S006, obtaining and analyzing the compressed blocks of the dormant data of the Windows operating system.

Description

Technical field

[0001] The invention belongs to the field of electronic evidence collection, and in particular relates to a method for analyzing dormant data of a Windows operating system.

Background technique

[0002] Starting from Windows 2000, Microsoft has used a new method that allows the Windows operating system to save the current operating state of the system when the power is about to be turned off. The data is saved to the system file hiberfil.sys on disk. When the computer is turned on again and started, the system operating state at the time the power was last turned off can be restored from the system file hiberfil.sys on the disk.

[0003] Since the Windows operating system hibernation data stores the volatile data of the entire memory, it is a good source of information for electronic forensics.

[0004] In the prior art, memory forensics tools such as Volatility and Rekall can analyze the dormancy data of the Windows operating system, but no specific technica...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F11/34, G06F9/4401
CPC: G06F9/4418, G06F11/3476
Inventors: 梁效宁, 朱星海, 韩勇, 许超明, 吕靓婷
Owner: SICHUAN QIAODUOTIANGONG PRECISION EQUIP CO LTD