Windows Memory Analysis Based on KPCR

Cited by: 13
Authors
Zhang, Ruichao [1]
Wang, Lianhai [1]
Zhang, Shuhui [1]
Affiliation
[1] Shandong Comp Sci Ctr, Jinan 250014, Peoples R China
Source
FIFTH INTERNATIONAL CONFERENCE ON INFORMATION ASSURANCE AND SECURITY, VOL 2, PROCEEDINGS | 2009
Keywords
computer forensics; memory analysis; KPCR; address translation;
DOI
10.1109/IAS.2009.103
CLC classification
TP301 [Theory, Methods];
Subject classification
081202;
Abstract
This paper briefly introduces the challenges facing collection of volatile data in a target computer. Reasons to favor physical memory analysis are also given. After describing the related work on memory analysis, details of a Windows memory analysis method are given through which it is possible to extract useful information, such as running processes, current network connections, file contents, etc., from a memory image. The method is based on a data structure in Windows known as the Kernel Processor Control Region, or KPCR. Besides, details of address translation from virtual address to physical address are thoroughly discussed and an algorithm of address translation for practice is given. This method is verified on Windows XP SP2, Windows 2003 Server SP2 and Windows Vista Home Basic.
Pages: 677 / 680
Page count: 4
Related papers
17 items
[1] [Anonymous], 2003, International Journal of Digital Evidence
[2] Bilby D., 2006, P RUXC
[3] Brezinski D., 2002, 3227 RFC
[4] Burdach M., 2005, DIGITAL FORENSICS PH
[5] Burdach Mariusz., 2005, An Introduction to Windows Memory Forensic
[6] Carrier B., 2004, DIGIT INVEST, V1, P50, DOI 10.1016/j.diin.2003.12.001
[7] CARVEY H, 2007, WINDOWS FORENSIC ANA, P87
[8] Chris Betz, 2005, MEMPARSER
[9] Dolan-Gavitt, Brendan, 2008, Forensic analysis of the Windows registry in memory [J], DIGITAL INVESTIGATION, 5 (SUPPL.), S26-S32
[10] GARNER MRJ, 2005, KNTLIST