
Computer memory forensics method and device and memory forensics analysis system

A memory forensics technology, applied in the computer field, that can solve problems such as the restrictions on existing hardware reading methods.

Pending Publication Date: 2020-10-02
济南互信软件有限公司

AI Technical Summary

Problems solved by technology

For example, publication number CN103399830A discloses a device for reading the physical memory of a computer through the PCI Express bus. It includes a USB controller, a PCI-E bridge controller, a power supply module and a clock module; the power supply module and the clock module provide power and clock pulse signals, respectively, to the USB controller and the PCI-E bridge controller. The USB controller and the PCI-E bridge controller are connected through a CPLD logic device. The USB controller has a USB interface that connects to the forensics computer, and the PCI-E bridge controller has a PCI Express interface that connects to the target computer. The CPLD logic device carries the data transfer between the USB controller and the PCI-E bridge controller. In this technology, however, the memory reading device must be configured to connect to the target computer as a PCI-to-PCI bridge and be assigned a PCI bus number and device number: the target computer assigns the PCI bus number and PCI device number to the memory reading device and automatically loads the memory reading device's driver and configuration, and the device bypasses the UMA (Upper Memory Area) address segment in the target computer's memory to obtain the target computer's memory data. This hardware reading method currently works only in certain specific environments or conditions and is subject to great restrictions.



Examples


Embodiment Construction

[0055] The present invention will be described in detail below in conjunction with the accompanying drawings.

[0056] DMA (direct memory access) is a feature of all modern computers. It allows hardware devices of different speeds to communicate without placing a heavy interrupt load on the CPU. During a DMA transfer the DMA controller takes direct charge of the bus, so control of the bus has to be handed over. That is, before the DMA transfer the CPU hands control of the bus to the DMA controller, and once the transfer is complete the DMA controller immediately returns control of the bus to the CPU. A complete DMA transfer goes through 4 steps: DMA request, DMA response, DMA transfer, and DMA end.

[0057] DMA request: The CPU initializes the DMA controller and sends an operation command to the I/O interface, and the I/O interface makes a DMA request.

[0058] DMA response: ...


Abstract

The invention provides a computer memory forensics method and device and a memory forensics analysis system. The method comprises the following steps: providing a target computer and inserting a memory forensics device into it to obtain access to the target computer's physical addresses; providing a forensics computer, which is connected to the memory forensics device through an external interface on that device; installing an acquisition and control module on the forensics computer; sending an acquisition instruction to the memory forensics device through the acquisition and control module; the memory forensics device, on receiving the acquisition instruction, reads the physical memory data of the target computer and transmits the data it has read to the acquisition and control module through the external interface unit; the acquisition and control module receives the physical memory data read by the memory forensics device and stores it as a binary file. The invention further provides a device for the method and an analysis system for the read physical memory data.
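The acquisition flow in the abstract, sketched as an added example (not code from the patent or its applicant). The device is simulated; its `read(addr, length)` interface, the 4096-byte chunk size, the zero-filling of failed reads and the SHA-256 record are assumptions made here for illustration.

```python
import hashlib
import io

CHUNK = 4096  # assumed read granularity (one page); the patent does not specify one


class SimulatedDevice:
    """Hypothetical stand-in for the memory forensics device's external interface."""

    def __init__(self, memory: bytes, unreadable=()):
        self.memory = memory
        self.unreadable = set(unreadable)  # chunk-aligned addresses that fail to read

    def read(self, addr: int, length: int) -> bytes:
        if addr in self.unreadable:
            raise OSError(f"read failed at {addr:#x}")
        return self.memory[addr:addr + length]


def acquire(device, size: int, out) -> dict:
    """Acquisition and control module: request each chunk, store a raw binary image.

    Failed reads are zero-filled so that offsets in the image still equal physical
    addresses; each gap is listed in the returned record for the examiner.
    """
    digest = hashlib.sha256()
    gaps = []
    for addr in range(0, size, CHUNK):
        length = min(CHUNK, size - addr)
        try:
            data = device.read(addr, length)
            if len(data) != length:
                raise OSError("short read")
        except OSError:
            data = bytes(length)          # zero-fill, keep the image aligned
            gaps.append((addr, length))
        out.write(data)                   # in practice: a file opened with "wb"
        digest.update(data)
    return {"size": size, "sha256": digest.hexdigest(), "gaps": gaps}


def demo():
    # Constructed sample: 3.5 chunks of "physical memory", second chunk unreadable.
    memory = bytes(range(256)) * 56       # 14336 bytes
    device = SimulatedDevice(memory, unreadable={CHUNK})
    image = io.BytesIO()
    record = acquire(device, len(memory), image)
    return memory, image.getvalue(), record
```

Recording the hash and the gap list at acquisition time lets a later analysis step confirm the image is unchanged and tell zero-filled ranges apart from memory that really contained zeros.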

Description

Technical field

[0001] The invention relates to the field of computer technology, in particular to computer memory forensics technology, and specifically to a computer memory forensics method, device and memory forensics analysis system.

Background technique

[0002] With the rapid development of Internet technology and the rapid popularization of various Internet applications, information technology has been widely used in all areas of social life and production. Society and production depend more and more on information technology, so information security is increasingly important and increasingly valued. From personal computers to servers, certain security protection measures are adopted, such as anti-virus software, firewalls, encryption software and data backup, to protect personal and commercial data or equipment. However, computer intrusion incidents happen from time to time. In particular, there are some purposeful and targeted computer intrusion e...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F13/38, G06F13/42, G06F13/30
CPC: G06F13/385, G06F13/4282, G06F13/30, G06F2213/0026
Inventor: 王立仁, 李响
Owner: 济南互信软件有限公司