Title: Physical memory forensics system and method
Abstract: The method uses operating system data structures that describe memory-mapped binaries to reconstruct processes from physical memory. Following these structures lets the system acquire data that traditional memory analysis tools fail to identify: it traverses a virtual address descriptor (VAD), determines the pointer to the control area, traverses the prototype PTE (PPTE) array, copies the binary data the PPTE array points to, generates markers used to determine whether that binary data has been compromised, and uses the recovered binary data to reconstruct the process.
Publication number: US9268936 (B2)    Publication date: 2016.02.23
Application number: US201213560415    Filing date: 2012.07.27
Applicant: MANDIANT, LLC    Inventor: Butler James
IPC classes: G06F12/10; G06F21/55; G06F21/64    Main class: G06F12/10
Agency: Polsinelli PC    Agents: Polsinelli PC; Rehm Adam C.
Claim 1. A method to determine whether a computer system has been compromised, the method comprising the steps of: traversing a virtual address descriptor to acquire process data; reconstructing mapped data based on the acquired process data; storing the mapped data via a memory of a system; and traversing a virtual address control block to recover a file from a memory cache if (i) a page table entry is invalid, and (ii) a valid data length related to the file is not determined to be greater than a size of the file, wherein the mapped data is obtained when a virtual address causes a page fault, and the page fault triggers the system to execute a process to automatically acquire the mapped data.
Address: Milpitas, CA, US
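As an added illustration of the procedure in the abstract and claim 1 (this is example code written for this page, not the patent's implementation or MANDIANT's tooling), the following Python models the reconstruction path on a constructed memory image: walk each VAD to its control area, follow the prototype PTE array, copy resident pages, fall back to the cache (VACB) only when the PTE is invalid and ValidDataLength does not exceed the file size, then compare per-page hash markers against a known-good copy of the binary. Every structure, field, name, page size and byte value below is an assumption made for the example; the dataclasses are toy stand-ins, not Windows kernel layouts.

```python
"""Toy model of VAD -> control area -> prototype PTE (PPTE) reconstruction
with a VACB (cache) fallback for invalid PTEs.  All structures, sizes and
bytes are constructed for this example; they are not Windows kernel
layouts and not the patent holder's code."""
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Optional

PAGE_SIZE = 8  # toy page size; real x86/x64 pages are 4096 bytes
REFERENCE_DLL = b"PAGE0---PAGE1---END!"  # constructed on-disk copy of the binary

@dataclass
class PTE:
    valid: bool
    pfn: int = -1  # page frame number, meaningful only when valid

@dataclass
class ControlArea:
    file_name: str
    file_size: int          # size of the backing file on disk
    valid_data_length: int  # length the cache manager considers valid
    proto_ptes: list        # prototype PTE array, one entry per file page

@dataclass
class VAD:
    start_page: int
    end_page: int
    control_area: Optional[ControlArea] = None  # None for private memory

@dataclass
class MemoryImage:
    physical: dict          # pfn -> page bytes
    vacb: dict              # (file name, page index) -> cached page bytes
    vads: list = field(default_factory=list)

def read_page(img, ca, idx):
    """Resolve file page idx to (source, bytes); (None, None) if unrecoverable.
    An invalid PTE plays the role of the page fault that triggers the cache lookup."""
    pte = ca.proto_ptes[idx]
    if pte.valid:
        return "pte", img.physical[pte.pfn]
    # Condition (ii) of claim 1: only trust the cache when ValidDataLength <= file size
    if ca.valid_data_length <= ca.file_size:
        page = img.vacb.get((ca.file_name, idx))
        if page is not None:
            return "vacb", page
    return None, None

def reconstruct(img):
    """Walk every VAD backed by a control area and rebuild its file bytes.
    Returns {file_name: (bytes, [source per page])}; lost pages are zero-filled."""
    out = {}
    for vad in img.vads:
        ca = vad.control_area
        if ca is None:  # private memory has no PPTE array to follow
            continue
        pages, sources = [], []
        for idx in range(len(ca.proto_ptes)):
            src, data = read_page(img, ca, idx)
            sources.append(src)
            pages.append(data if data is not None else b"\x00" * PAGE_SIZE)
        out[ca.file_name] = (b"".join(pages)[:ca.file_size], sources)
    return out

def page_markers(data):
    """Per-page SHA-256 markers used to compare recovered bytes with a reference."""
    return [sha256(data[i:i + PAGE_SIZE]).hexdigest()
            for i in range(0, len(data), PAGE_SIZE)]

def compromised_pages(recovered, reference):
    """Indices of pages whose marker differs from the known-good binary."""
    pairs = zip(page_markers(recovered), page_markers(reference))
    return [i for i, (a, b) in enumerate(pairs) if a != b]

def build_sample():
    """Constructed image: a DLL whose resident page 0 carries an inline patch,
    a file whose ValidDataLength exceeds its size, and one private VAD."""
    dll = ControlArea("sample.dll", file_size=20, valid_data_length=20,
                      proto_ptes=[PTE(True, pfn=5), PTE(False), PTE(False)])
    stale = ControlArea("stale.bin", file_size=8, valid_data_length=16,
                        proto_ptes=[PTE(False)])
    return MemoryImage(
        physical={5: b"PAGE0HK-"},  # patched in-memory copy of page 0
        vacb={("sample.dll", 1): b"PAGE1---",
              ("sample.dll", 2): b"END!\x00\x00\x00\x00",
              ("stale.bin", 0): b"STALE!!!"},
        vads=[VAD(0x10, 0x12, dll), VAD(0x20, 0x20, stale), VAD(0x30, 0x3f)],
    )

if __name__ == "__main__":
    data, sources = reconstruct(build_sample())["sample.dll"]
    print(sources, compromised_pages(data, REFERENCE_DLL))
```

Running the sample shows page 0 recovered from the resident frame, pages 1 and 2 recovered from the cache, and only page 0 flagged by the marker comparison; the second file is zero-filled because its ValidDataLength fails condition (ii) and the cache copy is therefore not trusted.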