
Research Of Computer Attack Forensics Technology On Computer Memory

Posted on: 2016-06-02
Degree: Master
Type: Thesis
Country: China
Candidate: W Liu
Full Text: PDF
GTID: 2298330467492493
Subject: Computer Science and Technology

Abstract/Summary:
Nowadays, computer crime is increasingly rampant. Computer forensics technology can collect evidence of computer crimes effectively and provide the judicial authorities with the data and key technical support needed to act against them. Traditional computer forensics mainly acquires and analyzes data stored in non-volatile storage. However, computer crime is becoming much more specialized and organized, and more and more attackers try to hide or delete the data generated during an attack. The traditional forensic process of analyzing non-volatile data therefore no longer yields enough evidence. At the same time, both the widespread use of disk encryption and the large capacity of modern disks challenge traditional computer forensics. A new method is needed to address these problems.

Drawing on a large body of references and materials, this paper expounds the background and significance of the development of memory forensics. Based on a study of the characteristics of the development of computer forensics and of the operating mechanism of computer memory, a new definition of memory forensics is put forward. A model for memory forensics is designed, divided into five modules. The controller module controls the whole memory forensics process. The system configuration module provides the profiles and rules used in the analysis of memory data. The memory acquisition module acquires memory data, and the memory analysis module analyzes that data to obtain the process list. The correlation analysis module takes correlation rules from the system configuration module and correlates the analysis results. The last module stores the data acquired from computer memory or generated during analysis.

A summary of this model concludes that part. The realization of the modules of the memory forensics model follows, including the technologies used to acquire and analyze memory data. In addition, a method is realized to find hidden or malicious processes based on the process list and the process base. After that, several experiments are designed to verify the validity of the memory forensics model. The results obtained from the experiments show that this model can obtain complete memory data and a complete process list using the technologies realized earlier, and the correlation analysis results show that it can discover hidden and malicious processes. In the end, a summary of the whole paper is given, covering the design of the memory forensics model and its application and implementation on the Windows system. The shortcomings of the model are discussed in light of the experimental results, along with the work that should follow, including the extraction of more diverse critical data and the improvement of the correlation analysis algorithm.
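The abstract describes two analysis steps without giving their details: obtaining the process list from memory data, and correlating that list against a "process base" to find hidden or malicious processes. The following Python example, added here and not taken from the thesis or its implementation, illustrates the general shape of such an analysis: a cross-view comparison between a process list obtained by walking the operating system's own list and one obtained by scanning the memory image for process-object tags (a process present only in the scan view is treated as hidden), followed by rule-based correlation against a baseline of known processes. The two process views, the baseline rules and the process names, paths and parent relationships are all constructed sample data and are simplified rather than an exact picture of any Windows version.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    """One process as recovered from memory data (constructed record)."""
    pid: int
    ppid: int
    name: str
    path: str


# Constructed sample: view 1, processes found by walking the kernel's
# linked process list (what a normal process listing would show).
LIST_VIEW: List[Proc] = [
    Proc(4, 0, "System", ""),
    Proc(348, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    Proc(520, 348, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    Proc(560, 348, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(680, 560, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(900, 680, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1500, 1400, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(2044, 1500, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
]

# Constructed sample: view 2, processes found by scanning the image for
# process-object memory tags. It contains one process that the list walk
# did not report (pid 2100), i.e. a process hidden from the list.
SCAN_VIEW: List[Proc] = LIST_VIEW + [
    Proc(2100, 1500, "updater.exe", r"C:\Users\bob\AppData\Roaming\updater.exe"),
]

# Constructed "process base": for each known process name, the parent
# name it is expected to have and the image path it is expected to run
# from (None / empty means "no expectation").
PROCESS_BASE: Dict[str, Dict[str, Optional[str]]] = {
    "system":       {"parent": None,           "path": ""},
    "smss.exe":     {"parent": "system",       "path": r"C:\Windows\System32\smss.exe"},
    "csrss.exe":    {"parent": "smss.exe",     "path": r"C:\Windows\System32\csrss.exe"},
    "wininit.exe":  {"parent": "smss.exe",     "path": r"C:\Windows\System32\wininit.exe"},
    "services.exe": {"parent": "wininit.exe",  "path": r"C:\Windows\System32\services.exe"},
    "svchost.exe":  {"parent": "services.exe", "path": r"C:\Windows\System32\svchost.exe"},
    "explorer.exe": {"parent": "userinit.exe", "path": r"C:\Windows\explorer.exe"},
}


def find_hidden(list_view: List[Proc], scan_view: List[Proc]) -> List[Proc]:
    """Cross-view check: processes the tag scan found but the list walk did not."""
    listed = {p.pid for p in list_view}
    return [p for p in scan_view if p.pid not in listed]


def correlate(procs: List[Proc], base: Dict[str, Dict[str, Optional[str]]]) -> List[Tuple[int, str]]:
    """Apply the process-base rules to every process; return (pid, finding) pairs."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Tuple[int, str]] = []
    for p in procs:
        rule = base.get(p.name.lower())
        if rule is None:
            findings.append((p.pid, "unknown process name"))
            continue
        parent = by_pid.get(p.ppid)
        # Parent check only when the parent is still present; a parent that has
        # exited (e.g. explorer.exe's launcher) yields no verdict either way.
        if parent is not None and rule["parent"] and parent.name.lower() != rule["parent"]:
            findings.append((p.pid, f"unexpected parent {parent.name}"))
        if rule["path"] and p.path.lower() != rule["path"].lower():
            findings.append((p.pid, "unexpected image path"))
    return findings


def analyze(list_view: List[Proc], scan_view: List[Proc],
            base: Dict[str, Dict[str, Optional[str]]]) -> List[Tuple[int, str]]:
    """Combine the hidden-process check with rule correlation over the fuller view."""
    findings = [(p.pid, "hidden from process list") for p in find_hidden(list_view, scan_view)]
    findings += correlate(scan_view, base)
    return sorted(findings)


if __name__ == "__main__":
    for pid, finding in analyze(LIST_VIEW, SCAN_VIEW, PROCESS_BASE):
        print(f"pid {pid}: {finding}")
```

Running the script reports two processes: pid 2044, a process named svchost.exe running from a user's temp directory under explorer.exe instead of services.exe, and pid 2100, which is both absent from the list walk and unknown to the baseline. The correlation runs over the scan view rather than the list view so that hidden processes are also checked against the rules.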
Keywords/Search Tags: memory forensics, Windows, memory tag, process list, correlation analysis