A novel methodology for windows 7 × 64 memory forensics

G. S. Suma, Dija S, Thomas K L
DOI: 10.1109/ICCIC.2014.7238400
Published in: 2014 IEEE International Conference on Computational Intelligence and Computing Research
Publication date: 2014-12-01
Citations: 3

Abstract

Due to the ever-increasing growth rate of malware, memory forensics has become unavoidable in a cyber crime investigation. This is because physical memory may contain crucial information that is available nowhere on the system hard disk. Memory forensics deals with the collection of forensically sound evidence from the physical memory content of a suspect's system. It is a fast-growing and challenging field in computer forensics, in which a live forensic methodology is adopted in order to acquire the physical memory content. Analysis of the collected memory dump is very difficult due to the complex data structures in it, especially on Windows x64 systems. In addition, the complexity of 64-bit address translation makes the analysis tougher. This translation can be done only after finding an artifact called the Directory Table Base (DTB). Even though a few methods are available for finding the DTB, none is efficient enough to be adopted in a memory analysis tool. In this paper, a novel methodology for finding the DTB in a 64-bit Windows system is described in detail. The paper also explains algorithms for retrieving forensically relevant information, such as running processes and their associated details, from physical memory dumps collected from Windows 7 x64 machines.