| 基于Windows物理内存取证系统设计与实现 |
| |
| 引用本文: | 李炳龙,鲁越.基于Windows物理内存取证系统设计与实现[J].信息网络安全,2011(11):50-53. |
| |
| 作者姓名: | 李炳龙 鲁越 |
| |
| 作者单位: | 信息工程大学电子技术学院 |
| |
| 基金项目: | 国家自然科学基金[60903220] |
| |
| 摘 要: | 随着信息安全技术的快速发展,数字取证调查技术已经成为重要技术之一。由于物理内存中包含计算机操作的大量信息,针对物理内存的实时取证分析已成为当前数字犯罪调查领域中的热点研究问题之一。文章通过研究物理内存获取技术,内存进程管理模式,信息关键词搜索技术等相关技术背景,实现对Windows物理内存的镜像获取,内存中的隐藏进程和异常进程的检测,内存中敏感信息的检测分析三方面功能。通过对用户主机进行调查检测,掌握用户大量的操作行为和有用信息,为计算机犯罪取证调查和信息安全检查提供了一种很好的方法手段。
|
| 关 键 词: | 计算机取证 物理内存镜像 进程 EProcess 字符匹配 |
Forensic of Physical Memory Windows-based System Design and Implementation |
| |
| LI Bing-long,LU Yue.Forensic of Physical Memory Windows-based System Design and Implementation[J].Netinfo Security,2011(11):50-53. |
| |
| Authors: | LI Bing-long LU Yue |
| |
| Affiliation: | (Institute of Electronic Technology,Information Engineering University,Zhengzhou Henan 450004,China) |
| |
| Abstract: | Since the physical memory that contains a wealth of information of computer operations for real-time forensic analysis of physical memory,the current number of criminal investigations has become a hot research field of one of the issues.This access to technology by studying the physical memory,the memory process management model,keyword search technology and other related information technology background,to achieve the mirror of Windows physical memory,hidden processes and abnormal process detection,memory detection and analysis of sensitive information.Investigated by testing the user host,master user behavior and the operation of a large number of useful information for computer forensic investigations and information security protection provides a good means. |
| |
| Keywords: | computer forensics physical memory image process EProcess character match |
| 本文献已被 CNKI 维普 等数据库收录! |
|
