
Research And Application Of Memory Forensics Technology

Posted on: 2014-05-01
Degree: Master
Type: Thesis
Country: China
Candidate: B A Jia
Full Text: PDF
GTID: 2268330401966987
Subject: Computer software and theory
Abstract/Summary:
The rapid development of computer and network technology has greatly accelerated the development of modern society, but it has also brought a great deal of computer crime, and the trend is intensifying. Computer forensics has become the main means of reconstructing the course of a computer crime and can deal a severe blow to the criminals. However, advances in hacking techniques mean that effective evidence of computer crime is difficult to obtain through traditional offline (dead-disk) analysis. More and more malicious code uses a variety of ways to hide itself, and may not leave any useful data on the hard disk at all. The forensic analysis of volatile data is therefore becoming increasingly important, and memory forensics technology has emerged to address it. Memory forensics is not yet mature, and there is no particularly effective method either for acquiring a complete memory image from a live system or for extracting evidence from the image data once it has been acquired. Finding useful evidence in the vast amount of data in a memory image file is very difficult. After a physical memory image has been acquired, the usual procedure is to search it for key strings in order to obtain account information, document contents and the like. Although this method yields some useful information, it provides no context: it is unknown which process a matched string belongs to, and the method fails entirely for memory data that has been encoded or encrypted. Based on these issues, this thesis carries out research on memory forensics technology. The results obtained are as follows:

1. Based on an in-depth analysis of the corresponding process kernel structures, a method for extracting process summary data from a memory image file and a method for traversing the modules of a single process were researched. By using memory-mapped file technology, the process summary data extraction method was improved and the extraction time greatly shortened. Existing process-hiding techniques were then analysed in detail, classified from the point of view of physical memory, and corresponding detection methods were proposed for each category.

2. After the process summary information has been extracted, the way process heap data is organised in memory was analysed, and a heap data extraction method for a single process was proposed. At the same time, to ensure the completeness of the process memory data, a method for extracting the page file by analysing the NTFS file system was proposed.

3. How to extract useful evidence from process memory data was researched. Specific kinds of memory data were analysed, including unencoded memory data, data that has been transformed by an XOR operation or by base64 encoding, and PDF documents resident in memory. Based on these results, several methods for searching memory data are proposed.

4. Based on this research and on the validation of the analysis methods, application scenarios for memory forensics within computer forensics are proposed. Concrete examples are used to illustrate the process of direct memory forensics and of memory forensics as an aid to malicious code detection.
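As an added worked example (not code from the thesis or its author), the following Python script demonstrates the kind of memory-data search described in result 3: it scans a memory buffer for a keyword in plain text, in base64-encoded form at any of the three possible group alignments, and under single-byte XOR, and it carves embedded PDF documents by their header and trailer. The buffer, the keyword password=hunter2, the XOR key 0x5A and the PDF stub are all constructed sample data, and the single-byte XOR scheme is an assumption, since the thesis does not say which XOR variant it handles. The XOR search goes slightly beyond the text: instead of trying 256 keys it searches once for the XOR difference between adjacent keyword bytes, which a single-byte key leaves unchanged, and then recovers the key from the first matching byte.

```python
import base64
import re
from typing import List, Optional, Tuple

# --- constructed sample input --------------------------------------------
# A synthetic stand-in for a slice of process memory (not a real dump). The
# same credential string is planted three times: in clear text inside an HTTP
# request, base64-encoded, and XOR-encoded with an assumed single-byte key,
# followed by a minimal PDF document and some filler bytes.
KEYWORD = b"password=hunter2"
XOR_KEY = 0x5A  # assumed key for the sample only


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"GET /login HTTP/1.1\r\n" + KEYWORD + b"\r\n"
    + b"\x00" * 8
    + base64.b64encode(KEYWORD)
    + b"\x00" * 8
    + xor_bytes(KEYWORD, XOR_KEY)
    + b"\x00" * 8
    + b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    + b"\xff" * 16
)


def find_plain(mem: bytes, keyword: bytes) -> List[int]:
    """Offsets of every literal occurrence of `keyword` (the classic string search)."""
    return [m.start() for m in re.finditer(re.escape(keyword), mem)]


def base64_variants(keyword: bytes) -> List[bytes]:
    """Byte strings that must appear in any base64 stream that encodes `keyword`,
    one per 3-byte alignment. Characters that also depend on unknown neighbouring
    bytes (the group boundary at each end) and any '=' padding are trimmed off."""
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + keyword)
        head = (0, 2, 3)[shift]                       # chars tainted by the prefix
        tail = (0, 3, 2)[(shift + len(keyword)) % 3]  # partial char plus padding
        variants.append(enc[head:len(enc) - tail])
    return variants


def find_base64(mem: bytes, keyword: bytes) -> List[int]:
    """Offsets at which a base64 encoding of `keyword` begins, at any alignment."""
    hits = []
    for pattern in base64_variants(keyword):
        hits.extend(m.start() for m in re.finditer(re.escape(pattern), mem))
    return sorted(hits)


def find_xor(mem: bytes, keyword: bytes) -> List[Tuple[int, int]]:
    """(offset, key) for every copy of `keyword` XORed with one unknown byte.
    XOR with a single byte preserves the XOR difference between adjacent bytes,
    so the difference stream of the keyword is searched once, covering all 256
    keys, and the key is recovered from the first byte of each match."""
    if len(keyword) < 2:
        raise ValueError("keyword must be at least 2 bytes for difference matching")
    delta_mem = bytes(a ^ b for a, b in zip(mem, mem[1:]))
    delta_kw = bytes(a ^ b for a, b in zip(keyword, keyword[1:]))
    hits = []
    for m in re.finditer(re.escape(delta_kw), delta_mem):
        off = m.start()
        key = mem[off] ^ keyword[0]
        if xor_bytes(mem[off:off + len(keyword)], key) == keyword:  # confirm the hit
            hits.append((off, key))
    return hits


def carve_pdfs(mem: bytes) -> List[Tuple[int, Optional[int]]]:
    """(start, end) of each embedded PDF, from its %PDF-x.y header to the byte
    after the next %%EOF marker; end is None when no trailer follows (the
    document is truncated, or part of it was paged out)."""
    docs = []
    for m in re.finditer(rb"%PDF-\d\.\d", mem):
        start = m.start()
        eof = mem.find(b"%%EOF", start)
        docs.append((start, eof + len(b"%%EOF") if eof != -1 else None))
    return docs


def scan(mem: bytes, keyword: bytes) -> List[Tuple[int, str, Optional[int]]]:
    """Every occurrence of `keyword` as (offset, encoding, xor_key); plain hits
    are reported once, under "plain", rather than again as XOR with key 0."""
    results = [(o, "plain", None) for o in find_plain(mem, keyword)]
    results += [(o, "base64", None) for o in find_base64(mem, keyword)]
    results += [(o, "xor", k) for o, k in find_xor(mem, keyword) if k != 0]
    return sorted(results)


if __name__ == "__main__":
    for off, enc, key in scan(SAMPLE_MEMORY, KEYWORD):
        extra = f" key=0x{key:02x}" if key is not None else ""
        print(f"0x{off:06x}  {enc}{extra}")
    for start, end in carve_pdfs(SAMPLE_MEMORY):
        print(f"PDF at 0x{start:06x} .. {end}")
```

On a real image the same functions would be run over each process's extracted memory rather than the whole physical image, which is what gives a hit its context: the offset then maps back to a known process and region instead of an anonymous location in the dump.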
Keywords/Search Tags: computer crime, computer forensics, memory forensics, memory data