内存取证研究与进展

网络攻击内存化和网络犯罪隐遁化,使部分关键数字证据只存在于物理内存或暂存于页面交换文件中,这使得传统的基于文件系统的计算机取证不能有效应对.内存取证作为传统文件系统取证的重要补充,是计算机取证科学的重要组成部分,通过全面获取内存数据、详尽分析内存数据,并在此基础上提取与网络攻击或网络犯罪相关的数字证据,近年来,内存取证已赢得安全社区的持续关注,获得了长足的发展与广泛应用,在网络应急响应和网络犯罪调查中发挥着不可替代的作用.首先回顾了内存取证研究的起源和发展演化过程;其次介绍了操作系统内存管理关键机制;然后探讨了内存取证的数据获取和分析方法,归纳总结目前内存取证研究的最新技术;最后讨论了内存取证存在的问题、发展趋势和进一步的研究方向.

Research and Development of Memory Forensics

Cyber attacks and cybercrimes that run stealthy in computer memory make the traditional file system-based computer forensics tasks difficult to be carried out effectively, and thus become a serious security threat. As an important branch of computer forensics, memory forensics is an effective way to combat evasive cyber attacks and cybercrimes. It extracts the evidence of cyber attacks and cybercrimes by comprehensively obtaining and analyzing memory data left by attackers. In recent years, the memory forensics which has drawn sustained attention of the security community, and undergone rapid development with wide range of applications, plays an irreplaceable role in the network incident response and cybercrime investigations. This paper first reviews the origin and evolution processes of memory forensics research, followed by introduction of the key mechanism of operating system memory management. It then explores the memory data acquisition and analysis methods, and summarizes the latest memory forensics technology. The paper concludes with a discussion of the existing problems of current memory forensics, and outlook of the trends and further research directions of memory forensics.