
A method for parsing dormancy (hibernation) data of the Windows operating system

An operating-system and data technology, applied in electrical digital data processing, instrumentation, error detection/correction and related fields, that addresses the lack of disclosed technical solutions for analyzing Windows operating system hibernation data.

Active Publication Date: 2022-03-04
SICHUAN QIAODUOTIANGONG PRECISION EQUIP CO LTD

AI Technical Summary

Problems solved by technology

[0004] In the prior art, memory forensics tools such as Volatility and Rekall can analyze the hibernation data of the Windows operating system, but no specific technical solutions for analyzing the hibernation data of the Windows operating system have been disclosed.


Embodiment Construction

[0033] The present invention is further elaborated below in conjunction with the accompanying drawings and embodiments. As shown in figure 1, the method of the present invention comprises the following steps:

[0034] S001: import the hibernation file hiberfil.sys of the Windows operating system;

[0035] S002: judge whether the hibernation file hiberfil.sys comes from a version of the Windows operating system below Windows 8; if yes, execute step S005, otherwise execute step S003. The concrete sub-steps are:

[0036] S0021: figure 2 shows a schematic diagram of the data structure of the header structure in the embodiment of the present invention; read the value of the signature field Signature in the header structure _IMAGE_XPRESS_HEADER;

[0037] S0022: determine whether the value of the signature field Signature in the header structure _IMAGE_XPRESS_HEADER equals \x81\x81xpress; if yes, execute step S005, otherwise execute step S003.

[0038] S003: analyze t...
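The version check of steps S002/S0021/S0022 and the block enumeration of step S006, written out as an added example (not code from the patent). It assumes that the 8-byte Signature field is the first field of _IMAGE_XPRESS_HEADER, that the header is 32 bytes long, and that headers can be located by searching the image for the signature rather than at one fixed offset; the sample image is constructed, not a real dump.

```python
"""Classify a hiberfil.sys image per step S002 and enumerate legacy xpress blocks."""
from typing import List

# Value compared in step S0022: marks the pre-Windows-8 hiberfil.sys layout.
XPRESS_SIGNATURE = b"\x81\x81xpress"
XPRESS_HEADER_SIZE = 32   # assumed size of _IMAGE_XPRESS_HEADER (not stated on the page)
PAGE_SIZE = 4096          # the unit a hiberfil.sys image is organised in


def find_xpress_headers(data: bytes) -> List[int]:
    """Return the offset of every _IMAGE_XPRESS_HEADER whose Signature field
    matches (assumes Signature is the first 8 bytes of the header).
    Each legacy compressed block starts with this header, so a signature search
    yields the block list needed for step S006."""
    offsets = []
    pos = data.find(XPRESS_SIGNATURE)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(XPRESS_SIGNATURE, pos + len(XPRESS_SIGNATURE))
    return offsets


def next_step_after_s002(data: bytes) -> str:
    """S0022: a Signature equal to \\x81\\x81xpress means a version below
    Windows 8, so processing continues at S005 (extract the hibernation data);
    otherwise the Windows 8+ restoration-set layout is assumed and S003 follows."""
    return "S005" if find_xpress_headers(data) else "S003"


def build_sample(legacy: bool) -> bytes:
    """Constructed test image: one zero page standing in for the file header,
    followed by two fake compressed blocks (legacy) or plain zero bytes (newer)."""
    img = bytearray(PAGE_SIZE)
    if legacy:
        for _ in range(2):
            img += XPRESS_SIGNATURE + bytes(XPRESS_HEADER_SIZE - len(XPRESS_SIGNATURE))
            img += bytes(100)                     # stand-in for compressed payload
    else:
        img += bytes(2 * (XPRESS_HEADER_SIZE + 100))
    return bytes(img)


if __name__ == "__main__":
    for legacy in (True, False):
        sample = build_sample(legacy)
        print(next_step_after_s002(sample), find_xpress_headers(sample))
```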


Abstract

The invention discloses a method for analyzing the hibernation (dormancy) data of the Windows operating system, characterized in that it comprises the following steps: S001: import the hibernation file of the Windows operating system; S002: judge whether the hibernation file comes from a version of the Windows operating system below Windows 8; if yes, execute step S005, otherwise execute step S003; S003: analyze the hibernation file, obtain the first boot recovery page and the first kernel recovery page, and obtain the offset addresses of the respective recovery sets; S004: analyze the recovery sets, obtain the data of the compressed sets, and end the process; S005: extract the hibernation data of the Windows operating system; S006: obtain and analyze the compressed blocks of the hibernation data of the Windows operating system.

Description

Technical field

[0001] The invention belongs to the field of electronic evidence collection, and in particular relates to a method for analyzing hibernation data of the Windows operating system.

Background technique

[0002] Starting from Windows 2000, Microsoft has used a new method that allows the Windows operating system to save the current operating state of the system when the power is about to be turned off. The data is saved to the system file hiberfil.sys on disk. When the computer is turned on and started again, the operating state at the time the power was last turned off can be restored from the system file hiberfil.sys on the disk.

[0003] Since the Windows operating system hibernation data stores the volatile data of the entire memory, it is a good source of information for electronic forensics.

[0004] In the prior art, memory forensics tools such as Volatility and Rekall can analyze the hibernation data of the Windows operating system, but no specific technica...


Application Information

Patent Timeline
Patent Type & Authority: Patents (China)
IPC(8): G06F11/34; G06F9/4401
CPC: G06F9/4418; G06F11/3476
Inventor: 梁效宁朱星海韩勇许超明吕靓婷
Owner: SICHUAN QIAODUOTIANGONG PRECISION EQUIP CO LTD