Paper: 2021, Vol. 39, Issue 5: 1139-1149
Cite this article:
ZHAI Jiqiang, CHEN Pan, XU Xiao, YANG Hailu. The memory forensic research oriented to segment heap in Windows 10 system[J]. Journal of Northwestern Polytechnical University, 2021, 39(5): 1139-1149 (Chinese title: 面向Windows 10系统段堆的内存取证研究)

The memory forensic research oriented to segment heap in Windows 10 system
ZHAI Jiqiang, CHEN Pan, XU Xiao, YANG Hailu
School of Computer Science and Technology, Harbin University of Science and Technology, Harbin 150080, China
Abstract:
Existing heap forensics work mostly targets the Linux process heap and the Windows NT heap; how to extract Windows 10 segment heap information from a memory dump has not been studied adequately. To reconstruct the internal state of a segment heap, this paper proposes a method that locates and parses segment heap structures using the field offsets given in the vtype descriptions of the memory objects. Pool-tag scanning is first used to locate process objects; from the process object and its process environment block (PEB) the method obtains the start of the process heap list and scans the process heaps; each segment heap is then identified by its signature value and its internal components are parsed. Based on this analysis, five segment heap forensic plugins were implemented on the Volatility framework. Experiments show that the method recovers, for every segment heap in a process, the in-memory address of the heap and of each of its internal components together with the size of the committed memory. This information helps investigators analyse the digital traces that cybercrime or network attacks leave in memory.
Key words:    NT heap    segment heap    pool scanning    Volatility framework
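As an added worked example (not the authors' plugins and not code from the paper), the following Python sketch walks the part of the procedure that the abstract describes after the process object has been found: reading NumberOfHeaps and ProcessHeaps from the PEB through vtype field offsets, classifying each listed heap by the signature at offset 0x10 (0xFFEEFFEE marks an NT heap, 0xDDEEDDEE a segment heap), and cross-checking the list with a page-aligned signature scan of the address space. The vtype dict stands in for a Volatility profile, the field offsets and structure sizes are assumed Windows 10 x64 values that must be regenerated for the exact build under analysis, and the address space, PEB and heap headers are constructed inline. One listed heap pointer deliberately points into unmapped memory, which is what a paged-out region looks like in a real dump, and one segment heap is mapped but absent from the PEB list, which is why the signature scan is worth running alongside the list walk.

```python
"""Locate a Windows 10 process's heaps from its PEB, classify each as NT heap or
segment heap, and cross-check with a signature scan over a constructed image.

Added example, not the paper's plugin code. Offsets, sizes and addresses below
are ASSUMED for illustration (Windows 10 x64 values as commonly documented).
"""
import struct

# Volatility-style vtype description: struct -> [size, {field: [offset, [ctype]]}].
VTYPES = {
    "_PEB": [0x7C8, {
        "ProcessHeap":   [0x30, ["pointer64"]],
        "NumberOfHeaps": [0xE8, ["unsigned long"]],
        "ProcessHeaps":  [0xF0, ["pointer64"]],
    }],
    "_HEAP": [0x2C0, {                 # classic NT heap header
        "Signature": [0x10, ["unsigned long"]],
        "Flags":     [0x14, ["unsigned long"]],
    }],
    "_SEGMENT_HEAP": [0x5F0, {         # Windows 10 segment heap header
        "Signature":   [0x10, ["unsigned long"]],
        "GlobalFlags": [0x14, ["unsigned long"]],
    }],
}
CTYPE_FMT = {"unsigned long": "<I", "pointer64": "<Q"}
NT_HEAP_SIGNATURE = 0xFFEEFFEE        # _HEAP.Signature
SEGMENT_HEAP_SIGNATURE = 0xDDEEDDEE   # _SEGMENT_HEAP.Signature
PAGE = 0x1000

# Constructed sample addresses (not from any real dump).
PEB_ADDR = 0x1000_0000
HEAP_ARRAY_ADDR = 0x2000_0000
HEAP0, HEAP1 = 0x3000_0000, 0x3010_0000           # segment heap, NT heap
HEAP2_PAGED_OUT = 0x3020_0000                     # listed in PEB, not mapped
HEAP3_UNLISTED = 0x3030_0000                      # mapped, missing from PEB list


class SparseImage:
    """Process address space as mapped ranges; reads from unmapped memory fail
    the way a paged-out or truncated region does in a real memory dump."""
    def __init__(self):
        self.ranges = {}                            # page-aligned base -> bytearray

    def map(self, base, size):
        self.ranges[base] = bytearray(size)

    def _locate(self, addr, size):
        for base, buf in self.ranges.items():
            if base <= addr and addr + size <= base + len(buf):
                return base, buf
        raise KeyError(f"unmapped address {addr:#x}")

    def write(self, addr, data):
        base, buf = self._locate(addr, len(data))
        buf[addr - base:addr - base + len(data)] = data

    def read(self, addr, size):
        base, buf = self._locate(addr, size)
        return bytes(buf[addr - base:addr - base + size])

    def mapped_pages(self):
        for base, buf in self.ranges.items():
            for off in range(0, len(buf), PAGE):
                yield base + off


def read_field(image, struct_name, base, field):
    """Read one field of a structure at `base` using its vtype offset and ctype."""
    offset, (ctype,) = VTYPES[struct_name][1][field]
    fmt = CTYPE_FMT[ctype]
    return struct.unpack(fmt, image.read(base + offset, struct.calcsize(fmt)))[0]


def classify_heap(image, addr):
    """'segment_heap', 'nt_heap', 'unknown', or 'unreadable' for a candidate heap base.
    Both heap types keep their Signature at offset 0x10, so one read suffices."""
    try:
        sig = read_field(image, "_SEGMENT_HEAP", addr, "Signature")
    except KeyError:
        return "unreadable"                         # paged out / outside the dump
    if sig == SEGMENT_HEAP_SIGNATURE:
        return "segment_heap"
    if sig == NT_HEAP_SIGNATURE:
        return "nt_heap"
    return "unknown"


def enumerate_process_heaps(image, peb):
    """PEB.NumberOfHeaps / PEB.ProcessHeaps -> [(heap base, kind), ...]."""
    count = read_field(image, "_PEB", peb, "NumberOfHeaps")
    array = read_field(image, "_PEB", peb, "ProcessHeaps")
    heaps = []
    for i in range(count):
        addr = struct.unpack("<Q", image.read(array + 8 * i, 8))[0]
        heaps.append((addr, classify_heap(image, addr)))
    return heaps


def scan_segment_heaps(image):
    """Signature scan independent of the PEB: every mapped page whose +0x10 dword
    is the segment heap signature. Heap bases are page aligned, so this is enough."""
    return [p for p in image.mapped_pages() if classify_heap(image, p) == "segment_heap"]


def heap_report(image, peb):
    """Listed heaps with their kind, plus segment heaps the PEB list does not mention."""
    listed = enumerate_process_heaps(image, peb)
    known = {addr for addr, _ in listed}
    extra = [addr for addr in scan_segment_heaps(image) if addr not in known]
    return {"listed": listed, "unlisted_segment_heaps": extra}


def build_sample_image():
    """Constructed sample: PEB, ProcessHeaps array and heap headers (see constants)."""
    img = SparseImage()
    for base in (PEB_ADDR, HEAP_ARRAY_ADDR, HEAP0, HEAP1, HEAP3_UNLISTED):
        img.map(base, PAGE)
    peb = VTYPES["_PEB"][1]
    img.write(PEB_ADDR + peb["ProcessHeap"][0], struct.pack("<Q", HEAP0))
    img.write(PEB_ADDR + peb["NumberOfHeaps"][0], struct.pack("<I", 3))
    img.write(PEB_ADDR + peb["ProcessHeaps"][0], struct.pack("<Q", HEAP_ARRAY_ADDR))
    img.write(HEAP_ARRAY_ADDR, struct.pack("<3Q", HEAP0, HEAP1, HEAP2_PAGED_OUT))
    img.write(HEAP0 + 0x10, struct.pack("<II", SEGMENT_HEAP_SIGNATURE, 0))
    img.write(HEAP1 + 0x10, struct.pack("<II", NT_HEAP_SIGNATURE, 0x1002))
    img.write(HEAP3_UNLISTED + 0x10, struct.pack("<II", SEGMENT_HEAP_SIGNATURE, 0))
    return img


if __name__ == "__main__":
    report = heap_report(build_sample_image(), PEB_ADDR)
    for addr, kind in report["listed"]:
        print(f"{addr:#018x}  {kind}")
    print("unlisted segment heaps:", [f"{a:#x}" for a in report["unlisted_segment_heaps"]])
```

Against a real dump, the same two functions would be driven by the process object found through pool-tag scanning (its PEB pointer gives `peb`) and by the process's mapped user-space pages, and the vtype dict would come from the profile generated for the target build; the paper's further steps, parsing the segment heap's internal components, hang off the `segment_heap` bases this returns.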
Received: 2020-03-04
DOI: 10.1051/jnwpu/20213951139
Funding: National Natural Science Foundation of China (61403109), Natural Science Foundation of Heilongjiang Province (F2016024) and Heilongjiang Provincial Department of Education Science and Technology General Project (12531121)
About the first author: ZHAI Jiqiang (born 1972), professor and PhD at Harbin University of Science and Technology; research interests: network and information security.