
Research On Acquisition Of Physical Memory Image In Computer Forensics And Its Realization

Posted on: 2010-09-20
Degree: Master
Type: Thesis
Country: China
Candidate: H Chen
Full Text: PDF
GTID: 2178360278959878
Subject: Computer application technology
Abstract/Summary:
With the development of information technology, computers and networks play an ever larger role in social, political, economic and cultural life, and computer crime in the digital world has become a serious problem as a result. Computer forensics is an essential means of prosecuting computer crime and has become a shared research concern of computer science and law.

The thesis surveys the current state and development of computer forensics. It compares the existing forensic modes, analyses the shortcomings of the offline (post-mortem) mode and argues that the online (live) mode needs to be researched. Physical memory forensics is an important part of live forensics and a current research focus. The thesis concentrates on the acquisition of a physical memory image. Existing tools access physical memory by opening the \Device\PhysicalMemory kernel object from user mode; on Windows Server 2003 (from SP1), Vista and later versions, however, that object can no longer be opened from user mode and is reachable only from a kernel-mode driver, so a driver has to be developed. The kernel-driver-based imaging tool developed in this thesis resolves the unavailability of existing forensic tools such as dd on these newer Windows versions.

Studying physical memory first requires an understanding of the Windows memory management mechanism. Windows uses paged virtual memory: virtual addresses are translated to physical addresses through page-table mappings from the virtual address space to the physical address space, and the translation is performed by the MMU. For comparing and analysing experimental data, however, the translation has to be carried out by hand. Previous descriptions of address translation are based on the classic (non-PAE) x86 mode, which differs from the widely deployed Windows XP with PAE enabled. The thesis gives the address translation formulas for Windows XP SP2.
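The manual translation the thesis describes, as an added example that is not part of the thesis or its tools: a PAE page walk (4-entry PDPT, 512-entry page directory and page table, 8-byte entries, 2 MiB large pages) run over a constructed 64 KiB byte array standing in for a physical memory image. The CR3 value, the table addresses and the mapped pages are assumptions laid out by `build_sample_image`; a real capture would supply the image and the CR3 of the process of interest. The walker refuses to read a table that lies outside the image, which is the failure a practitioner hits first when a dump is truncated.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 64 KiB "physical memory image"; every address below is an
 * assumption for this example, not a value taken from any real dump. */
#define IMAGE_SIZE     0x10000u
#define PTE_P          0x1ULL                  /* present */
#define PTE_RW         0x2ULL                  /* writable */
#define PDE_PS         0x80ULL                 /* PDE maps a 2 MiB page */
#define PAE_PFN_MASK   0x000FFFFFFFFFF000ULL   /* bits 12..51 of a PDPTE/PDE/PTE */
#define PAE_LARGE_MASK 0x000FFFFFFFE00000ULL   /* bits 21..51 of a large-page PDE */
#define SAMPLE_CR3     0x1000u

enum xlate_status { XLATE_OK = 0, XLATE_NOT_PRESENT, XLATE_OUT_OF_IMAGE };

static uint8_t g_image[IMAGE_SIZE];

/* Read one 8-byte PAE entry at physical address pa, refusing to read past the image. */
static int read_qword(const uint8_t *img, size_t len, uint64_t pa, uint64_t *out)
{
    if (pa > len || len - pa < 8)
        return 0;
    memcpy(out, img + pa, 8);   /* x86 entries are little-endian; a little-endian host is assumed */
    return 1;
}

/* PAE walk: 2-bit PDPT index, 9-bit PD index, 9-bit PT index, 12-bit page offset. */
enum xlate_status pae_translate(const uint8_t *img, size_t len, uint32_t cr3,
                                uint32_t va, uint64_t *pa)
{
    uint64_t pdpte, pde, pte;
    uint64_t pdpt = cr3 & 0xFFFFFFE0u;          /* PDPT base is 32-byte aligned (CR3 bits 5..31) */
    unsigned pdpt_idx = (va >> 30) & 0x3;
    unsigned pd_idx   = (va >> 21) & 0x1FF;
    unsigned pt_idx   = (va >> 12) & 0x1FF;

    if (!read_qword(img, len, pdpt + pdpt_idx * 8, &pdpte)) return XLATE_OUT_OF_IMAGE;
    if (!(pdpte & PTE_P)) return XLATE_NOT_PRESENT;

    if (!read_qword(img, len, (pdpte & PAE_PFN_MASK) + pd_idx * 8, &pde)) return XLATE_OUT_OF_IMAGE;
    if (!(pde & PTE_P)) return XLATE_NOT_PRESENT;
    if (pde & PDE_PS) {                          /* 2 MiB page: there is no page-table level */
        *pa = (pde & PAE_LARGE_MASK) | (va & 0x1FFFFF);
        return XLATE_OK;
    }

    if (!read_qword(img, len, (pde & PAE_PFN_MASK) + pt_idx * 8, &pte)) return XLATE_OUT_OF_IMAGE;
    if (!(pte & PTE_P)) return XLATE_NOT_PRESENT;
    *pa = (pte & PAE_PFN_MASK) | (va & 0xFFF);
    return XLATE_OK;
}

static void put_qword(uint64_t pa, uint64_t v) { memcpy(g_image + pa, &v, 8); }

/* Lay out a minimal set of page tables (assumed layout for this example only). */
const uint8_t *build_sample_image(size_t *len)
{
    memset(g_image, 0, sizeof g_image);
    put_qword(0x1000 + 0 * 8, 0x2000 | PTE_P);                      /* PDPT[0] -> PD at 0x2000 (VA 0..1 GiB) */
    put_qword(0x2000 + 2 * 8, 0x3000 | PTE_P | PTE_RW);             /* PD[2]   -> PT at 0x3000 (VA 0x00400000..) */
    put_qword(0x2000 + 3 * 8, 0x200000 | PDE_PS | PTE_P | PTE_RW);  /* PD[3]   -> 2 MiB page at PA 0x200000 (VA 0x00600000..) */
    put_qword(0x2000 + 4 * 8, 0x10000 | PTE_P | PTE_RW);            /* PD[4]   -> PT beyond the 64 KiB image (truncated dump) */
    put_qword(0x3000 + 1 * 8, 0x4000 | PTE_P | PTE_RW);             /* PT[1]   -> data page at PA 0x4000 (VA 0x00401000) */
    memcpy(g_image + 0x4000, "MZ", 2);                               /* recognisable bytes in the data page */
    *len = sizeof g_image;
    return g_image;
}

/* Translate va in the sample image with its assumed CR3. */
enum xlate_status translate_sample(uint32_t va, uint64_t *pa)
{
    size_t len;
    const uint8_t *img = build_sample_image(&len);
    return pae_translate(img, len, SAMPLE_CR3, va, pa);
}

/* Byte stored at a virtual address, or -1 if it does not translate into the image. */
int read_byte_at_va(uint32_t va)
{
    uint64_t pa;
    size_t len;
    const uint8_t *img = build_sample_image(&len);
    if (pae_translate(img, len, SAMPLE_CR3, va, &pa) != XLATE_OK || pa >= len)
        return -1;
    return img[pa];
}

int main(void)
{
    static const uint32_t vas[] = { 0x00401234u, 0x00612345u, 0x00403000u, 0x00800000u };
    for (size_t i = 0; i < sizeof vas / sizeof vas[0]; i++) {
        uint64_t pa = 0;
        enum xlate_status st = translate_sample(vas[i], &pa);
        printf("VA 0x%08x -> %s", vas[i], st == XLATE_OK ? "PA" :
               st == XLATE_NOT_PRESENT ? "not present" : "page table outside image");
        if (st == XLATE_OK) printf(" 0x%llx", (unsigned long long)pa);
        printf("\n");
    }
    return 0;
}
```

The walk reads each table from the image rather than from live memory, which is exactly what an analyst does with a captured dump: the CR3 of the target process (from its KPROCESS) selects the PDPT, and every later step is a physical read. Treating "table outside image" as a distinct outcome from "not present" matters because an incomplete capture otherwise looks like an unmapped address.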
Meanwhile, because much of the relevant literature has for years relied on the technical material published by Microsoft, it is hard to explain, from the viewpoint of the virtual address space alone, how the virtual address of an arbitrary process maps into the physical address space. This thesis studies address translation from the viewpoint of the process and of physical memory, and shows clearly how to locate the virtual address space of any process within the physical address space. Drawing on the Windows system architecture, the thesis sets out the basic principle of accessing physical memory from a kernel driver. Using the driver development framework, a kernel driver and a user-mode program for acquiring a physical memory image are developed, the core code is given, and the experimental results are analysed.

Acquiring an image of the virtual memory (paging) file is also an important part of physical memory image acquisition, and no software for it currently exists. Because pagefile.sys under XP is a hidden file (it carries the hidden and system attributes and is held open exclusively by the running system, so it cannot simply be copied through the normal file API), it must be located on disk. The disk file systems are described in detail, and modules using different methods for the NTFS and FAT32 file systems are designed.
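Locating a file by parsing the file system directly, as an added example that is not part of the thesis or its modules: a minimal FAT32 parser that reads the BIOS parameter block, scans the root directory for the 8.3 name `PAGEFILESYS`, reads its attributes and first cluster, and follows the FAT chain to the sector (LBA) of every cluster. The volume image is constructed in `build_sample_disk` with assumed geometry (512-byte sectors, one sector per cluster, 32 reserved sectors, two one-sector FATs, root directory in cluster 2) and a deliberately fragmented pagefile; the NTFS path (walking the MFT) is not shown here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR  512
#define FAT_BAD 0x0FFFFFF7u   /* bad-cluster mark; anything >= 0x0FFFFFF8 is end of chain */

struct fat32_geom { uint32_t bps, spc, reserved, nfats, fatsz, root_cluster, first_data_sector; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Read the BPB fields needed to turn cluster numbers into sector numbers. */
int fat32_parse_bpb(const uint8_t *img, size_t len, struct fat32_geom *g)
{
    if (len < SECTOR || img[510] != 0x55 || img[511] != 0xAA) return 0;
    g->bps = le16(img + 11); g->spc = img[13]; g->reserved = le16(img + 14);
    g->nfats = img[16]; g->fatsz = le32(img + 36); g->root_cluster = le32(img + 44);
    if (g->bps == 0 || g->spc == 0 || g->fatsz == 0 || le16(img + 22) != 0) return 0; /* BPB_FATSz16 is 0 on FAT32 */
    g->first_data_sector = g->reserved + g->nfats * g->fatsz;
    return 1;
}

uint32_t fat32_cluster_to_lba(const struct fat32_geom *g, uint32_t cl) { return g->first_data_sector + (cl - 2) * g->spc; }

/* Next cluster according to the first FAT; 0 if the entry lies outside the image. */
uint32_t fat32_next(const uint8_t *img, size_t len, const struct fat32_geom *g, uint32_t cl)
{
    uint64_t off = (uint64_t)g->reserved * g->bps + (uint64_t)cl * 4;
    if (off + 4 > len) return 0;
    return le32(img + off) & 0x0FFFFFFFu;   /* top 4 bits of a FAT32 entry are reserved */
}

/* Scan the root directory chain for an 8.3 name (11 bytes, space padded, upper case). */
int fat32_find_root_entry(const uint8_t *img, size_t len, const struct fat32_geom *g,
                          const char name83[11], uint32_t *first_cluster, uint32_t *size, uint8_t *attr)
{
    uint32_t cl = g->root_cluster;
    while (cl >= 2 && cl < FAT_BAD) {
        uint64_t off = (uint64_t)fat32_cluster_to_lba(g, cl) * g->bps;
        uint32_t bytes = g->spc * g->bps;
        if (off + bytes > len) return 0;
        for (uint32_t e = 0; e < bytes; e += 32) {
            const uint8_t *d = img + off + e;
            if (d[0] == 0x00) return 0;                      /* no more entries */
            if (d[0] == 0xE5 || d[11] == 0x0F) continue;    /* deleted entry or long-name piece */
            if (memcmp(d, name83, 11) == 0) {
                *attr = d[11];
                *first_cluster = ((uint32_t)le16(d + 20) << 16) | le16(d + 26);
                *size = le32(d + 28);
                return 1;
            }
        }
        cl = fat32_next(img, len, g, cl);
    }
    return 0;
}

/* Follow the FAT chain from first; bounded by max so a looped FAT cannot spin forever. */
size_t fat32_chain(const uint8_t *img, size_t len, const struct fat32_geom *g, uint32_t first, uint32_t *out, size_t max)
{
    size_t n = 0;
    uint32_t cl = first;
    while (cl >= 2 && cl < FAT_BAD && n < max) { out[n++] = cl; cl = fat32_next(img, len, g, cl); }
    return n;
}

#define DISK_SECTORS 42
static uint8_t g_disk[DISK_SECTORS * SECTOR];
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xFF; }

/* Constructed FAT32 volume (assumed layout for this example, not a real disk). */
const uint8_t *build_sample_disk(size_t *len)
{
    memset(g_disk, 0, sizeof g_disk);
    uint8_t *b = g_disk;
    put16(b + 11, 512); b[13] = 1; put16(b + 14, 32); b[16] = 2; put32(b + 36, 1); put32(b + 44, 2);
    b[510] = 0x55; b[511] = 0xAA;
    uint8_t *fat = g_disk + 32 * SECTOR;               /* FAT #1 at sector 32; FAT #2 (sector 33) left empty here */
    put32(fat + 0 * 4, 0x0FFFFFF8); put32(fat + 1 * 4, 0x0FFFFFFF);
    put32(fat + 2 * 4, 0x0FFFFFFF);                    /* root directory occupies one cluster */
    put32(fat + 3 * 4, 4); put32(fat + 4 * 4, 6); put32(fat + 6 * 4, 0x0FFFFFFF);  /* pagefile: 3 -> 4 -> 6 */
    put32(fat + 5 * 4, 0x0FFFFFFF);                    /* an unrelated one-cluster file sits in between */
    uint8_t *root = g_disk + 34 * SECTOR;              /* cluster 2 = first data sector */
    memcpy(root, "NO NAME    ", 11); root[11] = 0x08;  /* volume label entry */
    memcpy(root + 32, "\xE5LDFILE TXT", 11);           /* deleted entry, must be skipped */
    memcpy(root + 64, "PAGEFILESYS", 11); root[64 + 11] = 0x26;   /* archive|system|hidden */
    put16(root + 64 + 20, 0); put16(root + 64 + 26, 3); put32(root + 64 + 28, 1536);
    *len = sizeof g_disk;
    return g_disk;
}

/* Locate a root-directory file in the sample volume; returns its cluster count and fills each cluster's LBA. */
size_t locate_file(const char name83[11], uint32_t *lbas, size_t max, uint8_t *attr, uint32_t *size)
{
    size_t len; const uint8_t *img = build_sample_disk(&len);
    struct fat32_geom g; uint32_t first, clusters[16];
    if (!fat32_parse_bpb(img, len, &g)) return 0;
    if (!fat32_find_root_entry(img, len, &g, name83, &first, size, attr)) return 0;
    size_t n = fat32_chain(img, len, &g, first, clusters, max < 16 ? max : 16);
    for (size_t i = 0; i < n; i++) lbas[i] = fat32_cluster_to_lba(&g, clusters[i]);
    return n;
}

int main(void)
{
    uint32_t lbas[8]; uint8_t attr = 0; uint32_t size = 0;
    size_t n = locate_file("PAGEFILESYS", lbas, 8, &attr, &size);
    printf("pagefile.sys: attr 0x%02x, %u bytes, %zu clusters:", attr, size, n);
    for (size_t i = 0; i < n; i++) printf(" LBA %u", lbas[i]);
    printf("\n");
    return 0;
}
```

The hidden and system attributes do not hide anything from a parser that reads the directory itself, and because the sectors are read from the raw volume rather than through the file API, the exclusive lock the running system holds on the paging file does not get in the way. The chain must be followed cluster by cluster; the example's pagefile is fragmented (3, 4, 6), so copying contiguous sectors from the first cluster would yield the wrong data.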
Keywords/Search Tags: computer forensics, physical memory image, kernel drivers, file system, virtual memory