Physical memory forensics system and method

Invention Grant

US09268936B2 Physical memory forensics system and method 有权

Title translation: 物理内存取证系统及方法

Please log in to see more content

Patent Title: Physical memory forensics system and method
Patent Title (中): 物理内存取证系统及方法
Application No.: US13560415

Application Date: 2012-07-27
Publication No.: US09268936B2

Publication Date: 2016-02-23
Inventor: James Butler
Applicant: James Butler
Applicant Address: US CA Milpitas
Assignee: MANDIANT, LLC
Current Assignee: MANDIANT, LLC
Current Assignee Address: US CA Milpitas
Agency: Polsinelli PC
Agent Adam C. Rehm
Main IPC: G06F12/10
IPC: G06F12/10 ; G06F21/55 ; G06F21/64

Physical memory forensics system and method

Abstract:

The method of the present inventive concept is configured to utilize Operating System data structures related to memory-mapped binaries to reconstruct processes. These structures provide a system configured to facilitate the acquisition of data that traditional memory analysis tools fail to identify, including by providing a system configured to traverse a virtual address descriptor, determine a pointer to a control area, traverse a PPTE array, copy binary data identified in the PPTE array, generate markers to determine whether the binary data is compromised, and utilize the binary data to reconstruct a process.

Abstract(Chinese):

本发明构思的方法被配置为利用与存储器映射二进制文件相关的操作系统数据结构来重构进程。这些结构提供了一种系统，其被配置为便于采集传统存储器分析工具无法识别的数据，包括通过提供被配置为遍历虚拟地址描述符的系统，确定到控制区域的指针，遍历PPTE阵列，复制二进制数据在PPTE数组中识别，生成标记以确定二进制数据是否受到损害，并利用二进制数据来重构进程。

Public/Granted literature

US20140032875A1 Physical Memory Forensics System and Method Public/Granted day:2014-01-30

Information query

Espacenet

IPC分类:

G	物理
G06	计算；推算或计数
G06F	电数字数据处理（基于特定计算模型的计算机系统入G06N）
G06F12/00	安装在筛选装置之上的在存储器系统或体系结构内的存取、寻址或分配（来自记录载体的数字输入，或者到记录载体上去的数字输出，例如到磁盘存储单元，G06F3/06）
G06F12/02	.寻址或地址分配；地址的重新分配（程序地址排序入G06F9/00；在数字存储器中选择地址的设计入G11C8/00）
G06F12/08	..在分级结构的存储系统中的寻址、地址分配、或地址的重新分配，例如，虚拟存储系统
G06F12/10	...地址转换