
The Research And Implementation On Acquisition Of Memory Image In Computer Forensics

Posted on: 2012-02-21
Degree: Master
Type: Thesis
Country: China
Candidate: Q Zhang
Full Text: PDF
GTID: 2178330335950302
Subject: Software engineering
Abstract/Summary:
With the development of computer technology and the spread of networks, new types of crime that take computer information systems as both their target and their tool occur frequently and are becoming more harmful. It is therefore important to solve a new problem: how political and legal institutions obtain the most complete computer evidence of computer-related crimes in order to punish the offenders. Because these institutions lack the technical support needed to handle high-tech crime, computer forensics examiners should study the field of computer forensics effectively and develop effective tools to meet the needs of modern society, so as to strengthen the capability to combat computer-related offences. Computer forensics, at the intersection of law and computer science, has become a focus of research attention.

The paper introduces the history, current state and development of computer forensics, and then introduces Live Response. Computer evidence can be divided into two categories: volatile data and non-volatile data. Because the research on and acquisition of non-volatile data are already handled well, volatile data forensics has become increasingly prominent in forensic analysis and incident response. With the increasing sophistication of computer forensics tools, malware authors are turning to system memory as a final safe haven from detection. As memory hiding techniques increase in prevalence, the importance of obtaining a physical memory image grows. Because the memory capture program must itself be loaded into the system's memory, the very act of taking the image changes the system's state, so we introduce Locard's exchange principle.

In order to acquire a physical memory image, we first need to study the process internals and the memory management mechanism of the Windows operating system, and we introduce the Windows kernel process structure KPROCESS to understand the memory-related information.

Because the Windows operating system uses paged virtual memory management, acquiring a physical memory image requires translating virtual addresses to physical addresses; this translation is performed by the memory manager. Since the introduction of Physical Address Extension (PAE) mode, the way addresses are translated has changed. The paper describes PAE mode and non-PAE mode separately and in detail, and illustrates the steps of address translation. In some memory images, up to 20% of all virtual addresses in use point to so-called "invalid" pages that cannot be found using the native method of address translation. This paper enumerates the different states of invalid memory pages and presents a more robust strategy for address translation. The new method incorporates invalid pages and even the paging file, greatly increasing the completeness of the analysis. The paper also introduces the relevant knowledge of the heap manager as preparation for the follow-up development of memory analysis software.

The paper aims at researching the acquisition of physical memory images. Current methods access physical memory by opening the PhysicalMemory kernel object from user mode. However, for security reasons later versions of Windows prohibit access to this kernel object from user mode; it can be accessed only by kernel drivers. This paper therefore adopts the scheme of accessing physical memory through a kernel driver and introduces a number of Windows API functions; based on these two factors, we develop a tool for acquiring physical memory images. Having studied the memory management mechanism of the Windows operating system, the author will go on to develop memory analysis software to analyse processes and their memory.
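As an added illustration of the address-translation steps described above (not code from the thesis or its tool), the following C snippet splits a 32-bit virtual address into its paging-structure indices for non-PAE and PAE mode and classifies a page-table entry into the valid and "invalid" states that a robust translation strategy has to cover. The software-PTE bit layout (Valid, PageFileLow, Prototype, Transition, PageFileHigh) is assumed from 32-bit Windows x86 documentation and hard-coded here; the sample addresses and PTE values are constructed.

```c
#include <stdint.h>

/* Indices of a 32-bit x86 virtual address into the paging structures. */
typedef struct { uint32_t pdpi, pdi, pti, offset; } va_parts;

/* Non-PAE: 10-bit page-directory index, 10-bit page-table index, 12-bit offset. */
va_parts split_nonpae(uint32_t va) {
    va_parts p = { 0, va >> 22, (va >> 12) & 0x3FF, va & 0xFFF };
    return p;
}

/* PAE: 2-bit directory-pointer index, then 9-bit directory and table indices. */
va_parts split_pae(uint32_t va) {
    va_parts p = { va >> 30, (va >> 21) & 0x1FF, (va >> 12) & 0x1FF, va & 0xFFF };
    return p;
}

/* The PTE states a translation strategy must distinguish. */
enum pte_state { PTE_VALID, PTE_PROTOTYPE, PTE_TRANSITION, PTE_DEMAND_ZERO, PTE_PAGEFILE, PTE_UNUSED };

/* Assumed 32-bit Windows x86 software-PTE layout (non-PAE): bit 0 Valid,
   bits 1-4 PageFileLow, bit 10 Prototype, bit 11 Transition, bits 12-31 PageFileHigh/PFN. */
enum pte_state classify_pte(uint32_t pte) {
    if (pte & 1u)         return PTE_VALID;       /* hardware PTE: PFN in bits 12-31 */
    if (pte == 0)         return PTE_UNUSED;
    if (pte & (1u << 10)) return PTE_PROTOTYPE;   /* shared page: follow the prototype PTE */
    if (pte & (1u << 11)) return PTE_TRANSITION;  /* on standby/modified list, PFN still in bits 12-31 */
    if ((pte >> 12) == 0) return PTE_DEMAND_ZERO; /* never touched: contents are all zero */
    return PTE_PAGEFILE;                          /* paged out: pagefile number and offset in the PTE */
}

/* Page-file number a PTE refers to, or -1 if the page is not pagefile-backed. */
int pagefile_number(uint32_t pte) {
    return classify_pte(pte) == PTE_PAGEFILE ? (int)((pte >> 1) & 0xF) : -1;
}

/* Where the page's bytes live: a physical address for valid and transition PTEs,
   a byte offset into the page file for pagefile PTEs, -1 when another lookup is needed. */
int64_t translate(uint32_t pte, uint32_t offset) {
    switch (classify_pte(pte)) {
    case PTE_VALID:
    case PTE_TRANSITION:
    case PTE_PAGEFILE:
        return (int64_t)(pte & 0xFFFFF000u) | (offset & 0xFFF);
    case PTE_DEMAND_ZERO:  /* caller can synthesise a zero page */
    default:
        return -1;
    }
}
```

Only the valid, transition and pagefile cases resolve directly; a prototype PTE needs a second lookup and a demand-zero page is reconstructed as zeros, which is what lets the analysis cover more than the native hardware walk.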
Keywords/Search Tags: Computer forensics, Live response, Virtual memory, Windows driver, Physical memory image