Title of invention | Physical memory forensics system and method
Abstract | The method of the present inventive concept is configured to utilize Operating System data structures related to memory-mapped binaries to reconstruct processes. These structures provide a system configured to facilitate the acquisition of data that traditional memory analysis tools fail to identify, including by providing a system configured to traverse a virtual address descriptor, determine a pointer to a control area, traverse a PPTE array, copy binary data identified in the PPTE array, generate markers to determine whether the binary data is compromised, and utilize the binary data to reconstruct a process.
Publication number | US9268936(B2)
Publication date | 2016.02.23
Application number | US201213560415
Filing date | 2012.07.27
Applicant | MANDIANT, LLC
Inventor | Butler James
Classification (IPC) | G06F12/10;G06F21/55;G06F21/64
Main classification | G06F12/10
Agency | Polsinelli PC
Attorneys/agents | Polsinelli PC; Rehm Adam C.
Independent claim | 1. A method to determine whether a computer system has been compromised, the method comprising the steps of: traversing a virtual address descriptor to acquire process data; reconstructing mapped data based on the acquired process data; storing the mapped data via a memory of a system, and traversing a virtual address control block to recover a file from a memory cache if (i) a page table entry is invalid, and (ii) a valid data length related to the file is not determined to be greater than a size of the file, wherein the mapped data is obtained when a virtual address causes a page fault, and the page fault triggers the system to execute a process to automatically acquire the mapped data.
Address | Milpitas CA US