
Memory Forensics Research Based On Windows 8 Physical Memory Image File

Posted on: 2014-08-15
Degree: Master
Type: Thesis
Country: China
Candidate: M L Gou
Full Text: PDF
GTID: 2268330392972225
Subject: Computer software and theory

Abstract/Summary:
With the rapid development of computer hardware and software technologies and the spread of information technology into all aspects of life, high-tech crimes committed with computers and other electronic devices are becoming increasingly complex and diverse. They have become a major threat to our daily life and work. To combat these high-tech crimes effectively, forensic investigation and analysis has become a new research focus for obtaining electronic evidence, and computer forensics is one effective way to address this problem.

Computer forensics includes offline forensics and online forensics. Memory forensics, based on the analysis of physical memory image files, has been a hot research topic in recent years. It is still in a stage of rapid development, and no systematic body of theory and method has yet taken shape. Because Windows updates change the kernel data structures in the system, current computer forensics tools cannot correctly extract Windows 8 handle information, such as that for processes, threads, and objects.

Accordingly, this dissertation studies the principles and methods of memory forensics for the latest Microsoft operating system, Windows 8. The contributions of this dissertation are as follows:

① By studying in depth the principles and methods of memory forensics on Windows 8, and using analysis methods such as reverse engineering, this dissertation investigates the layout of the system address space, memory pool allocation in system memory, paged memory management, segmented memory management, the address translation mechanism, and other mechanisms of the Windows 8 system kernel layer.

② By analyzing the structural characteristics of kernel objects, the internal working mechanism of process and thread objects, and handle information, we extract their feature signature information. Based on this feature signature information, an algorithm is proposed for extracting the current processes and threads from a physical memory dump file. Furthermore, by reconstructing the list of active kernel processes, the algorithm can extract both non-hidden and hidden system processes, along with the thread information of each process and the DLL module loading information.

③ By studying the structure of object handles and their associated objects, we give a method for extracting object handle information. Theoretical analysis and experimental results show that this method has better accuracy and generality.
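The hidden-process detection in contribution ② rests on comparing two views of the same dump: a feature-signature scan that carves every process object present in physical memory, and a walk of the reconstructed active process list. The example below is added here and is not the dissertation's code; it uses a constructed toy record layout (tag, PID, flink, blink, name) and a constructed memory image, not the real Windows 8 kernel structures, and shows how an object unlinked from the list still surfaces in the signature view.

```python
import struct

# Constructed toy layout, NOT the real Windows 8 process structure:
#   tag(4s) pid(I) flink(I) blink(I) name(16s) -> 32 bytes, 16-byte aligned
REC = struct.Struct("<4sIII16s")
TAG = b"Proc"
ALIGN = 16

def build_image():
    """Constructed image: three linked processes plus one unlinked (hidden) one."""
    img = bytearray(0x400)
    recs = [  # (offset, pid, name, flink, blink)
        (0x040, 4, b"System", 0x0C0, 0x200),
        (0x0C0, 312, b"smss.exe", 0x200, 0x040),
        (0x200, 1500, b"explorer.exe", 0x040, 0x0C0),
        (0x300, 2048, b"hidden.exe", 0x0C0, 0x200),  # nobody's flink points here
    ]
    for off, pid, name, fl, bl in recs:
        img[off:off + REC.size] = REC.pack(TAG, pid, fl, bl, name.ljust(16, b"\0"))
    # Decoy: tag present but pointers outside the image; the signature check must reject it
    img[0x380:0x380 + REC.size] = REC.pack(TAG, 7, 0xFFFFFFF0, 0xFFFFFFF0, b"junk".ljust(16, b"\0"))
    return bytes(img)

def plausible(img, off):
    """Feature signature: tag, sane PID, and list pointers that land on aligned records."""
    tag, pid, fl, bl, _ = REC.unpack_from(img, off)
    def in_range(p):
        return p % ALIGN == 0 and 0 <= p <= len(img) - REC.size
    return tag == TAG and 0 < pid < 65536 and in_range(fl) and in_range(bl)

def scan_signatures(img):
    """Carve every record matching the signature, independent of any list."""
    return {off for off in range(0, len(img) - REC.size + 1, ALIGN) if plausible(img, off)}

def walk_active_list(img, head, limit=1000):
    """Follow flink pointers from a known list head: the 'active processes' view."""
    seen, off = [], head
    while off not in seen and len(seen) < limit:
        seen.append(off)
        off = REC.unpack_from(img, off)[2]
    return seen

def find_hidden(img, head):
    """Cross-view: objects carved by signature but absent from the active list."""
    hidden = scan_signatures(img) - set(walk_active_list(img, head))
    return sorted(REC.unpack_from(img, o)[4].rstrip(b"\0").decode() for o in hidden)

if __name__ == "__main__":
    image = build_image()
    print("hidden processes:", find_hidden(image, 0x040))
```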
Keywords/Search Tags: Windows 8, Memory Forensics, Process, Thread, Handle