
Memory Data Acquisition Based On Windows Platform And Forensics Technology Research

Posted on: 2013-07-31
Degree: Master
Type: Thesis
Country: China
Candidate: Y Liu
GTID: 2248330374985341
Subject: Information and communication engineering
Abstract/Summary:
With the explosive growth of information security and computer forensics technology, the methods and techniques used in computer crime are also changing rapidly. The methods are becoming more and more imperceptible, malicious programs are going deeper into the OS kernel layer, and the places where they reside are increasingly diverse, so convicting computer crime has become increasingly difficult. Traditional computer forensics technology concentrates on static data in the computer system, such as hard disks and CD-ROMs, and so ignores a great deal of potential evidence in main memory; new malicious programs often reside in the BIOS, firmware or a PCI controller and cannot be found in the file system. In addition, hard disk capacity is booming, which intensifies the difficulty of analyzing file system data. After all, under the current computer system architecture, main memory is where every program must be executed, and once a program has executed in main memory, evidence is left behind. Compared with these weaknesses of traditional computer forensics, memory forensics makes a lot of sense.

This thesis is based on the Windows NT series of operating systems. It researches the acquisition and analysis of main memory under this platform in order to build a framework for acquiring and analyzing memory images for evidence. It discusses the internal mechanisms of the Windows NT operating system and its virtual memory management, and concentrates on the translation from virtual address to physical address under PAE mode and on accessing core objects and core data structures such as KPCR, KDBG and EPROCESS. It combines theory with verification to show the process of address translation, access to the '\Device\PhysicalMemory' object and the scanning method for evidence. It proposes a method of acquiring a memory image with a kernel-mode driver and a basic framework for memory image analysis. Finally, the author implements this system and tests some of the functionality that has been achieved.
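The virtual-to-physical translation under PAE that the abstract names is the step every memory-image analyzer has to perform before it can follow a pointer from KDBG to an EPROCESS list. The following is an added example, not code from the thesis or its author: it implements the standard 32-bit PAE page walk (2-bit PDPT index, 9-bit page-directory index, 9-bit page-table index, 12-bit offset, 8-byte entries) over a constructed 64 KiB "physical memory" image whose page tables are filled in by the example itself. The class and function names (`PaeAddressSpace`, `split_va`, `build_sample_image`) and all physical addresses in the sample image are this example's own assumptions; only the Present bit and the large-page bit are set in the constructed entries, whereas real entries carry further flags.

```python
import struct

ENTRY_SIZE = 8                     # PAE paging entries are 64-bit
PRESENT = 1 << 0                   # bit 0: entry maps something
LARGE_PAGE = 1 << 7                # bit 7 of a PDE: 2 MiB page, no page table
# Physical-address field of a 4 KiB-granular entry (bits 12..51);
# flag bits below and NX/reserved bits above are masked off.
ADDR_MASK = 0x000F_FFFF_FFFF_F000
LARGE_ADDR_MASK = 0x000F_FFFF_FFE0_0000   # bits 21..51 for a 2 MiB frame


def split_va(va):
    """Split a 32-bit PAE virtual address into (pdpt, pd, pt, offset)."""
    pdpt_idx = (va >> 30) & 0x3       # 4 PDPT entries
    pd_idx = (va >> 21) & 0x1FF       # 512 page-directory entries
    pt_idx = (va >> 12) & 0x1FF       # 512 page-table entries
    offset = va & 0xFFF               # byte within the 4 KiB page
    return pdpt_idx, pd_idx, pt_idx, offset


class PaeAddressSpace:
    """Resolve virtual addresses against a raw physical memory image."""

    def __init__(self, phys_mem, cr3):
        self.mem = phys_mem
        self.cr3 = cr3

    def read_entry(self, paddr):
        # Return None for entries that fall outside the captured image,
        # a common situation with partial or truncated acquisitions.
        if paddr < 0 or paddr + ENTRY_SIZE > len(self.mem):
            return None
        return struct.unpack_from("<Q", self.mem, paddr)[0]

    def vtop(self, va):
        """Translate va to a physical address, or None if it is not mapped."""
        pdpt_idx, pd_idx, pt_idx, offset = split_va(va)
        # In PAE mode CR3 holds the 32-byte-aligned base of the PDPT.
        pdpte = self.read_entry((self.cr3 & ~0x1F) + pdpt_idx * ENTRY_SIZE)
        if pdpte is None or not pdpte & PRESENT:
            return None
        pde = self.read_entry((pdpte & ADDR_MASK) + pd_idx * ENTRY_SIZE)
        if pde is None or not pde & PRESENT:
            return None
        if pde & LARGE_PAGE:
            # 2 MiB page: the low 21 bits of the VA are the offset.
            return (pde & LARGE_ADDR_MASK) | (va & 0x1F_FFFF)
        pte = self.read_entry((pde & ADDR_MASK) + pt_idx * ENTRY_SIZE)
        if pte is None or not pte & PRESENT:
            return None
        return (pte & ADDR_MASK) | offset

    def read_virtual(self, va, size):
        """Read size bytes from one page at va; None if unmapped."""
        paddr = self.vtop(va)
        if paddr is None or paddr + size > len(self.mem):
            return None
        return bytes(self.mem[paddr:paddr + size])


def build_sample_image():
    """Constructed image: a PDPT, two page directories, one page table."""
    mem = bytearray(0x10000)       # 64 KiB of constructed physical memory
    cr3 = 0x1000                   # PDPT lives at physical 0x1000
    pd0_base, pt_base, pd2_base = 0x2000, 0x3000, 0x4000
    data_page = 0x5000             # 4 KiB frame backing VA 0x00401000
    # VA 0x00401000 splits into pdpt=0, pd=2, pt=1, offset=0
    struct.pack_into("<Q", mem, cr3 + 0 * ENTRY_SIZE, pd0_base | PRESENT)
    struct.pack_into("<Q", mem, pd0_base + 2 * ENTRY_SIZE, pt_base | PRESENT)
    struct.pack_into("<Q", mem, pt_base + 1 * ENTRY_SIZE, data_page | PRESENT)
    # VA 0x80000000 splits into pdpt=2, pd=0: map it as a 2 MiB large page
    # whose frame (0x200000) lies beyond the image, as a truncated dump would.
    struct.pack_into("<Q", mem, cr3 + 2 * ENTRY_SIZE, pd2_base | PRESENT)
    struct.pack_into("<Q", mem, pd2_base + 0 * ENTRY_SIZE,
                     0x200000 | PRESENT | LARGE_PAGE)
    # Constructed marker so a virtual read has something to return.
    mem[data_page:data_page + 8] = b"EPROC\x00\x00\x00"
    return mem, cr3


if __name__ == "__main__":
    mem, cr3 = build_sample_image()
    aspace = PaeAddressSpace(mem, cr3)
    for va in (0x00401ABC, 0x80001234, 0x00402000, 0x40000000):
        print(f"VA {va:#010x} -> {aspace.vtop(va)}")
    print(aspace.read_virtual(0x00401000, 8))
```

The walk returns None rather than raising at every non-present entry or out-of-image read, which is the behaviour an analysis framework wants: a scan over thousands of candidate structures must keep going past unmapped or paged-out regions instead of aborting on the first one.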
Keywords/Search Tags: Memory Forensics, Memory Acquisition, Memory Analysis