Memory Forensics for Emergency Response to Windows System Volatile Data
First published: 2008-09-16
Abstract: This paper describes the memory forensics process used during emergency response on a Windows 2000 server and gives detailed steps for acquiring and analysing a physical memory dump file. First, mdd.exe is run during the response to dump the contents of physical memory. PTfinderPE then produces a list of basic process information; using a process's offset from that list, lspd.pl retrieves the detailed information of that process, and lspm.pl writes the pages of that process that still reside in memory to a file in the Perl script directory, named after the process with the suffix .dmp. The contents of that file are then inspected with the BinText graphical tool to search for sensitive information. Besides the steps above for obtaining sensitive process information, the paper also uses lspi.pl to recover the process's executable image file.
Keywords: emergency response; volatile data; physical memory forensics; dump file analysis; forensic tools
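The scan-then-walk procedure the abstract describes, as an added Python example that is not from the paper and not the code of the PTfinder, lspd.pl, lspm.pl or BinText tools it uses. It locates EPROCESS candidates in a raw dump by their dispatcher-header signature (the PTfinder step), reads the fields that an lspd.pl-style listing reports at that offset, walks the process's page tables to collect only the pages still resident in RAM (the lspm.pl step), and pulls printable strings out of the result (the BinText step); image reconstruction (lspi.pl) is not covered. The Windows 2000 x86 non-PAE paging model and the EPROCESS offsets used (dispatcher header Type 0x03 / Size 0x1b, DirectoryTableBase at 0x18, UniqueProcessId at 0x9c, ImageFileName at 0x1fc) are this example's assumptions and must be checked against the target build; the 64 KiB "memory image" is constructed inline and is not a real dump.

```python
import re
import struct

PAGE_SIZE = 0x1000

# Assumed Windows 2000 x86 (non-PAE) EPROCESS layout for the signature scan.
# These offsets are this example's assumptions, not taken from the paper;
# verify them against the exact build (e.g. with a symbol file) before use.
PROCESS_HEADER = b"\x03\x00\x1b\x00"   # DISPATCHER_HEADER: Type=3 (process), Size=0x1b dwords
OFF_DTB = 0x18                          # KPROCESS.DirectoryTableBase (the process's CR3)
OFF_PID = 0x9c                          # EPROCESS.UniqueProcessId
OFF_NAME = 0x1fc                        # EPROCESS.ImageFileName, 16 bytes
NAME_LEN = 16


def find_processes(dump):
    """PTfinder-style scan: locate EPROCESS candidates by their dispatcher header.

    Returns one dict per plausible hit with the physical offset that an
    lspd.pl-style tool takes as input, plus the fields read at that offset."""
    procs = []
    pos = dump.find(PROCESS_HEADER)
    while pos != -1:
        if pos + OFF_NAME + NAME_LEN <= len(dump):
            dtb, = struct.unpack_from("<I", dump, pos + OFF_DTB)
            pid, = struct.unpack_from("<I", dump, pos + OFF_PID)
            raw = dump[pos + OFF_NAME:pos + OFF_NAME + NAME_LEN].split(b"\x00", 1)[0]
            # Cheap sanity checks that weed out false signature hits in random data:
            # the page directory must be page aligned and inside the image, and the
            # image name must be a non-empty printable ASCII string.
            if (dtb % PAGE_SIZE == 0 and 0 < dtb and dtb + PAGE_SIZE <= len(dump)
                    and raw and all(0x20 <= b < 0x7f for b in raw)):
                procs.append({"offset": pos, "pid": pid, "dtb": dtb, "name": raw.decode("ascii")})
        pos = dump.find(PROCESS_HEADER, pos + 1)
    return procs


def resident_pages(dump, dtb):
    """Walk the 32-bit two-level page tables rooted at dtb and return
    (virtual, physical) pairs for every 4 KiB page whose PTE is present.

    Pages with the present bit clear are skipped, which is why an lspm.pl-style
    file contains only what still resided in RAM at acquisition time."""
    pages = []
    if dtb + PAGE_SIZE > len(dump):
        return pages
    for pdi in range(1024):
        pde, = struct.unpack_from("<I", dump, dtb + pdi * 4)
        if not pde & 0x1 or pde & 0x80:
            continue  # PDE not present, or a 4 MiB PSE page (not handled here)
        table = pde & 0xFFFFF000
        if table + PAGE_SIZE > len(dump):
            continue  # page table lies outside the captured image
        for pti in range(1024):
            pte, = struct.unpack_from("<I", dump, table + pti * 4)
            if not pte & 0x1:
                continue  # page not present: paged out or never committed
            phys = pte & 0xFFFFF000
            if phys + PAGE_SIZE <= len(dump):
                pages.append(((pdi << 22) | (pti << 12), phys))
    return pages


def dump_process_memory(dump, proc):
    """Concatenate the resident pages of a process, as lspm.pl writes <name>.dmp."""
    return b"".join(dump[p:p + PAGE_SIZE] for _, p in resident_pages(dump, proc["dtb"]))


def find_strings(data, min_len=8):
    """BinText-like extraction of printable ASCII and UTF-16LE strings."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    out = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return out


def build_sample_dump():
    """Constructed 64 KiB stand-in for a physical memory image (not a real dump):
    one fake EPROCESS for 'lsass.exe', its page directory and one page table,
    one resident data page and one page that is mapped but not present."""
    dump = bytearray(16 * PAGE_SIZE)
    ep = 0x2100                                               # EPROCESS inside page 2
    dump[ep:ep + 4] = PROCESS_HEADER
    struct.pack_into("<I", dump, ep + OFF_DTB, 0x4000)        # page directory at 0x4000
    struct.pack_into("<I", dump, ep + OFF_PID, 0x1c8)
    name = b"lsass.exe"
    dump[ep + OFF_NAME:ep + OFF_NAME + len(name)] = name
    struct.pack_into("<I", dump, 0x4000 + 0 * 4, 0x5000 | 0x3)  # PDE[0] -> page table at 0x5000
    struct.pack_into("<I", dump, 0x5000 + 1 * 4, 0x6000 | 0x3)  # VA 0x1000 -> PA 0x6000, present
    struct.pack_into("<I", dump, 0x5000 + 2 * 4, 0x7000 | 0x0)  # VA 0x2000 -> PA 0x7000, NOT present
    secret = b"user=admin;password=hunter2"                   # constructed sample secret
    dump[0x6000:0x6000 + len(secret)] = secret
    stale = b"stale data on a paged-out frame"
    dump[0x7000:0x7000 + len(stale)] = stale
    return bytes(dump)


if __name__ == "__main__":
    image = build_sample_dump()
    for p in find_processes(image):
        print("offset=0x%x pid=%d dtb=0x%x name=%s" % (p["offset"], p["pid"], p["dtb"], p["name"]))
        for s in find_strings(dump_process_memory(image, p)):
            print("  ", s)
```

Against a real mdd.exe image, replace build_sample_dump() with the file contents and confirm the assumed offsets first: a wrong ImageFileName or DirectoryTableBase offset produces plausible-looking but meaningless hits, which is exactly what the sanity checks in find_processes are there to catch. The page walk deliberately ignores the frame behind the non-present PTE, so the stale secret on that frame never reaches the per-process file; a whole-image string search would still find it.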