
Research And Development Of Memory Forensics Tools

Posted on: 2014-01-26
Degree: Master
Type: Thesis
Country: China
Candidate: T Sang
Full Text: PDF
GTID: 2248330392961066
Subject: Computer Science and Technology

Abstract/Summary:
With the evolution of information technology, computers and the Internet have become important components of almost every area of modern society. They not only provide convenience for a better living and working environment, but are also used by criminals for illegal purposes. Computer forensics technology, as one of the important means of combating computer crime, must keep pace with the development of computer crime techniques.

As an important component of computer forensics, live forensics cannot be replaced in many situations. At the same time, memory forensics, the most important part of live forensics, has become a research hotspot in computer forensics. This thesis studies the technology and methods for acquiring system memory, including both physical memory and virtual memory, from a running system, and then develops two practical memory forensics tools. The two main contributions of this thesis are as follows:

1) A process-frozen based physical memory forensics method is proposed, and a corresponding tool is developed. Currently, much research on physical memory forensics is based on accessing kernel objects directly from user mode. However, that approach is no longer suitable for newer Windows operating systems, because a user-mode process can no longer access kernel objects. Based on the theory of accessing physical memory from a Windows kernel driver and the special requirements of computer forensics, this thesis proposes a new process-frozen based method for physical memory forensics and develops a tool based on it, named PhyMmDumper. Compared with win32dd and DumpIt, this tool shows better performance.

2) A virtual memory forensics method based on the Volume Shadow Copy Service (VSS) is proposed, and a corresponding tool is developed. Most current computer forensics tools focus on acquiring and analyzing physical memory, while neglecting the importance of virtual memory, i.e. the paging file. This thesis analyzes the memory management mechanism of Windows operating systems and the methods and tools that can be used to acquire the paging file, and proposes a new virtual memory forensics method based on VSS. The main advantage of this method is that VSS is provided by Microsoft, so it has higher credibility than tools that forcibly copy the locked paging file, and the procedure is more consistent with the principles of computer forensics. Based on this method, the thesis develops a tool named PagefileCopy. Experiments show that the tool can quickly copy the paging file from a running system.

Currently, both memory forensics tools have been trialled at the Third Research Institute of the Ministry of Public Security and have received good user feedback.
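The VSS-based paging-file acquisition described in contribution 2, as an added PowerShell example that is not the thesis's PagefileCopy tool: it takes a shadow copy of the system volume, copies pagefile.sys out of the read-only snapshot (where the live file lock does not apply), hashes it for the chain of custody, and removes the snapshot afterwards. It assumes an elevated PowerShell on Windows 7 / Server 2008 R2 or later with VSS enabled, and the output path and symlink location are assumed values.

```powershell
# Added example (not the thesis's PagefileCopy): acquire pagefile.sys from a VSS snapshot
# of the system volume instead of forcing a read of the locked live file.
# Assumptions: Windows 7+ / Server 2008 R2+, elevated PowerShell, VSS enabled for C:.
#Requires -RunAsAdministrator
param(
    [string]$Volume = 'C:\',              # volume that holds the paging file
    [string]$OutDir = 'E:\evidence',      # collector's own media (assumed path)
    [string]$Mount  = 'C:\vss_snapshot'   # temporary directory symlink to the shadow device
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Ask the VSS service for a point-in-time snapshot of the volume.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
            -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) { throw "VSS Create failed with code $($result.ReturnValue)" }
$shadow = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object ID -eq $result.ShadowID

try {
    # 2. Expose the snapshot device (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) as a
    #    directory symlink; mklink needs the trailing backslash on the device object.
    cmd.exe /c mklink /d $Mount "$($shadow.DeviceObject)\" | Out-Null

    # 3. Copy the paging file from the read-only snapshot; the snapshot is consistent at the
    #    moment VSS froze the volume, so the copy does not change while it is read.
    $target = Join-Path $OutDir ("pagefile_{0:yyyyMMdd_HHmmss}.sys" -f (Get-Date))
    Copy-Item -LiteralPath (Join-Path $Mount 'pagefile.sys') -Destination $target

    # 4. Record a hash and the snapshot identity for the chain of custody.
    $hash = Get-FileHash -Path $target -Algorithm SHA256
    "$($hash.Hash)  $target  shadow=$($shadow.ID)  created=$($shadow.InstallDate)" |
        Out-File -FilePath (Join-Path $OutDir 'pagefile.sha256') -Append
    Write-Host "Acquired $target ($((Get-Item $target).Length) bytes) SHA256=$($hash.Hash)"
}
finally {
    # 5. Clean up: drop the symlink, then delete the snapshot so no extra copy lingers on the host.
    if (Test-Path $Mount) { cmd.exe /c rmdir $Mount | Out-Null }
    if ($shadow) { Remove-CimInstance -InputObject $shadow }
}
```

The same snapshot can also yield hiberfil.sys and swapfile.sys when present; copy them before the finally block deletes the shadow copy.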
Keywords/Search Tags: Computer forensics, memory forensics, kernel driver, paging file, Volume Shadow Copy Service