
Researches On The Memory Forensics Of WIN7 Operating System With X64 Long Mode

Posted on: 2016-04-13
Degree: Master
Type: Thesis
Country: China
Candidate: W Yi
Full Text: PDF
GTID: 2428330470979467
Subject: Computer application technology
Abstract/Summary:
Dynamic forensics is one of the most important parts of computer forensics, and memory analysis is the core of dynamic forensics. But the memory structure is protected by every operating system manufacturer, which makes memory forensics difficult to accomplish. Microsoft has taken many security measures in 64-bit Windows 7 SP1, the most popular operating system around the world, so it is even harder to acquire and analyze memory data. None of the previous scholars has proposed a comprehensive memory forensics method for this type of operating system. This paper researches memory forensics on 64-bit Windows 7 SP1. Improving on previous algorithms, a kernel variable locating algorithm based on virtual address characteristics is proposed for accurately locating kernel variables. Based on this algorithm, this paper describes the method to analyze data and collect evidence from the opened processes, loaded modules, opened files, visited websites, sent emails, and sent messages. From these data, we can analyze the actions of the user or detect an intrusion. In addition, a fast memory data export algorithm based on MmPhysicalMemoryBlock is proposed, which can export all the useful data very quickly without affecting the normal use of the computer. To make the work more efficient, this paper builds the forensics system with a visual interface.
Keywords/Search Tags: Dynamic Forensics, Windows 7 X64 SP1, Kernel Variable Locating, Memory Analysis