| Windows 8下基于镜像文件的内存取证研究 |
| |
| 引用本文: | 向涛,苟木理. Windows 8下基于镜像文件的内存取证研究[J]. 计算机工程与应用, 2013, 49(19): 63-67 |
| |
| 作者姓名: | 向涛 苟木理 |
| |
| 作者单位: | 重庆大学 计算机学院,重庆 400044 |
| |
| 基金项目: | 国家自然科学基金(No.61103211);中国博士后科学基金特别资助(No.201104302);中央高校基本科研业务经费面上项目(No.CDJZR10180020)。 |
| |
| 摘 要: | 内存取证是计算机取证的一个重要分支,而获取内存镜像文件中进程和线程信息是内存取证技术的重点和难点。基于微软最新操作系统平台Windows 8,研究其进程和线程的获取方法。运用逆向工程分析技术对Windows 8下进程和线程相关内核数据结构进行分析,提取出相应特征;基于这些特征,提出了一种能够从物理内存镜像文件中得到系统当前进程和线程信息的算法。实验结果和分析表明,该算法能够成功提取隐藏进程和非隐藏进程,及其各进程相关的线程信息,为内存取证分析提供了可靠的数据基础。
|
| 关 键 词: | 内存取证 Windows8 进程 线程 物理内存分析 |
Memory forensics based on Windows 8 physical memory dumps |
| |
| XIANG Tao , GOU Muli. Memory forensics based on Windows 8 physical memory dumps[J]. Computer Engineering and Applications, 2013, 49(19): 63-67 |
| |
| Authors: | XIANG Tao GOU Muli |
| |
| Affiliation: | College of Computer Science, Chongqing University, Chongqing 400044, China |
| |
| Abstract: | Memory forensics is a branch of importance in computer forensics, and searching for processes and threads in physical memory dumps is crucial and challenging for memory forensics. This paper investigates the searching of processes and threads in physical memory dumps based on the latest Microsoft operation system Windows 8. By utilizing reverse engineering techniques, the kernel data structures regarding processes and threads on Windows 8 are explored, and their features are identified. Based on these features, an algorithm is proposed for searching processes and threads in Windows 8 physical memory dumps. Experimental results and their analysis indicate that it is capable of extracting information about hidden and non-hidden processes and their threads successfully, thereby providing reliable data foundation for further analysis in memory forensics. |
| |
| Keywords: | memory forensics Windows 8 process thread physical memory analysis |
| 本文献已被 万方数据 等数据库收录! |
| 点击此处可从《计算机工程与应用》浏览原始摘要信息 |
|
点击此处可从《计算机工程与应用》下载全文 |
