Nowadays more and more new types of computer and network crime are attracting public attention. Traditional digital forensics has focused on non-volatile storage media such as hard disks, CD-ROMs and USB flash drives while ignoring volatile storage such as RAM, and it cannot cope with the challenges posed by anti-forensics, rootkits and DKOM (Direct Kernel Object Manipulation). Some evidence can only be found in RAM. The traditional methods based on fixed addresses or characteristic strings are no longer applicable, because Windows 7 kernel objects are not stored at fixed addresses. This paper studies Windows 7 memory forensics by using the links that kernel objects maintain to one another.

Firstly, this paper proposes a memory forensics method based on the link relations between kernel objects. The Windows kernel debugger WinDbg was used to obtain the layout of the kernel object structures and then to find the relations between them. In Windows 7 most runtime information is stored in kernel object data structures; after introducing the commonly used kernel object structures, their link relations can be acquired with WinDbg. At the same time, by using the characteristic strings of kernel objects together with mutual information, the accuracy of kernel object recognition can be improved.

Secondly, this paper proposes a method for recovering system runtime information. Once the relations between kernel objects and the characteristic strings of the kernel object structures are known, system runtime information such as the running processes, the modules loaded by each process and the loaded registry files can be obtained. After studying the data section of the relevant process, the document opened in Notepad could be recovered successfully.

Finally, we implemented a live memory forensics system for Windows 7, based on the link relations between kernel objects.
The system implements the common memory forensics tasks such as checking process integrity, listing the modules loaded by a process and virtual-to-physical address translation, and helps the examiner obtain the runtime information successfully.

This paper studied Windows 7 memory images and proposed a memory forensics method based on the link relations between kernel objects. The method addresses the problem that most memory forensics tools do not support Windows 7. The experimental results show that the method can successfully list the running processes of the system and the loaded modules. Finally, the method was encapsulated to form a memory forensics system.
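The following is an added example, not code from the thesis or its forensics system, of the two ideas the abstract combines: following the link relations between kernel objects (here the doubly linked list that chains process objects together) and carving objects by their characteristic string. Cross-checking the two views is how a DKOM-unlinked process is exposed. The image, the pool tag `Proc`, the list head address and every field offset are constructed assumptions for this example, not the real Windows 7 `_EPROCESS` or pool header layout, and addresses are treated as identity-mapped so no page-table walk is needed.

```python
import struct
from dataclasses import dataclass
from typing import List

# Constructed 32-bit memory image; virtual == physical here for brevity.
# All offsets and the pool tag are ASSUMPTIONS for this example, not the
# real Windows 7 _EPROCESS / pool header layout.
IMG_SIZE = 0x1000
LIST_HEAD = 0x100          # stands in for PsActiveProcessHead
POOL_TAG = b"Proc"         # characteristic string preceding each object
POOL_HDR = 8               # pool header: 4 bytes misc, then 4-byte tag
OFF_PID = 0x00             # UniqueProcessId
OFF_LINKS = 0x08           # ActiveProcessLinks: Flink, Blink
OFF_NAME = 0x10            # ImageFileName, 16 bytes


@dataclass(frozen=True)
class Process:
    base: int
    pid: int
    name: str


def read_u32(img: bytes, addr: int) -> int:
    return struct.unpack_from("<I", img, addr)[0]


def read_process(img: bytes, base: int) -> Process:
    raw = img[base + OFF_NAME:base + OFF_NAME + 16]
    name = raw.split(b"\0")[0].decode("ascii", "replace")
    return Process(base, read_u32(img, base + OFF_PID), name)


def build_process_image() -> bytearray:
    """Four processes on a doubly linked list; the third is then unlinked
    the way a DKOM rootkit hides it: the neighbours' pointers are patched
    while the hidden object itself stays intact in memory."""
    img = bytearray(IMG_SIZE)
    bases = [0x200, 0x300, 0x400, 0x500]
    procs = [(4, b"System"), (512, b"explorer.exe"),
             (2048, b"hidden.exe"), (1024, b"notepad.exe")]
    for base, (pid, name) in zip(bases, procs):
        img[base - POOL_HDR + 4:base] = POOL_TAG
        struct.pack_into("<I", img, base + OFF_PID, pid)
        img[base + OFF_NAME:base + OFF_NAME + len(name)] = name
    nodes = [LIST_HEAD] + [b + OFF_LINKS for b in bases]
    for i, node in enumerate(nodes):           # ring: head -> p0 -> ... -> head
        struct.pack_into("<II", img, node, nodes[(i + 1) % len(nodes)], nodes[i - 1])
    prev_node, next_node = nodes[2], nodes[4]  # neighbours of the hidden node
    struct.pack_into("<I", img, prev_node, next_node)       # prev.Flink = next
    struct.pack_into("<I", img, next_node + 4, prev_node)   # next.Blink = prev
    return img


def walk_active_list(img: bytes, head: int) -> List[Process]:
    """Follow Flink from the list head, as a live tool enumerating
    processes would, verifying that each Blink points back."""
    found, node = [], read_u32(img, head)
    for _ in range(IMG_SIZE // 8):             # guard against pointer cycles
        if node == head:
            return found
        if node + 8 > IMG_SIZE:
            raise ValueError(f"Flink 0x{node:x} leaves the image")
        found.append(read_process(img, node - OFF_LINKS))
        nxt = read_u32(img, node)
        if nxt + 8 > IMG_SIZE or read_u32(img, nxt + 4) != node:
            raise ValueError(f"Blink of 0x{nxt:x} does not point back to 0x{node:x}")
        node = nxt
    raise ValueError("ActiveProcessLinks never returns to the head")


def scan_pool_tags(img: bytes) -> List[Process]:
    """Carve every object that carries the characteristic string and passes
    cheap sanity checks, independently of any list pointers."""
    found = []
    for off in range(0, len(img) - 3, 4):
        if img[off:off + 4] != POOL_TAG:
            continue
        base = off + 4
        if base + OFF_NAME + 16 > len(img):
            continue
        p = read_process(img, base)
        flink, blink = struct.unpack_from("<II", img, base + OFF_LINKS)
        if p.pid == 0 or not p.name or not p.name.isprintable():
            continue
        if max(flink, blink) + 8 > len(img) or flink % 4 or blink % 4:
            continue
        found.append(p)
    return found


def find_hidden(img: bytes, head: int) -> List[Process]:
    """Cross-view: objects the carving finds but the list walk misses."""
    linked = {p.base for p in walk_active_list(img, head)}
    return [p for p in scan_pool_tags(img) if p.base not in linked]


if __name__ == "__main__":
    image = build_process_image()
    for p in find_hidden(image, LIST_HEAD):
        print(f"hidden process: pid={p.pid} name={p.name} base=0x{p.base:x}")
```

The list walk alone reports three processes and looks perfectly consistent, because a careful unlink keeps Flink and Blink agreeing; only the comparison with the tag scan reveals `hidden.exe`. On a real image the same structure applies, but the tag, the object header size and the field offsets must be taken from the debugger for the exact kernel build.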
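The address translation the abstract lists among the system's tasks is the step that turns a pointer found in a kernel object into an offset in the memory image. The block below is an added illustration, not code from the thesis: it walks x86 two-level (non-PAE) page tables over a constructed image and reads a virtual range page by page, since two adjacent virtual pages need not be adjacent in the image. Windows 7 x86 usually runs with PAE (three levels) and x64 uses four, so the real walk has more levels but the same shape; the DTB, table locations and page contents here are assumptions for the example.

```python
import struct
from typing import Optional

# Constructed physical image for x86 non-PAE paging: 4 KiB pages, 4 MiB
# large pages. DTB, table placement and mapped data are ASSUMPTIONS.
PAGE = 0x1000
DTB = 0x1000                   # stands in for _EPROCESS.Pcb.DirectoryTableBase
PRESENT, LARGE = 0x1, 0x80     # PDE/PTE flag bits


def build_paging_image() -> bytearray:
    img = bytearray(0x8000)
    pd, pt = DTB, 0x2000
    struct.pack_into("<I", img, pd + 0 * 4, pt | 0x3)                  # PDE 0 -> page table
    struct.pack_into("<I", img, pd + 1 * 4, 0x00400000 | LARGE | 0x3)  # PDE 1 -> 4 MiB page
    struct.pack_into("<I", img, pt + 4 * 4, 0x7000 | 0x3)              # VA 0x4000 -> PA 0x7000
    struct.pack_into("<I", img, pt + 5 * 4, 0x6000 | 0x3)              # VA 0x5000 -> PA 0x6000
    # PTE 6 stays zero: VA 0x6000 is not present.
    img[0x6123:0x6123 + 12] = b"Notepad text"      # seen at VA 0x5123
    img[0x7FF8:0x8000] = b"split ac"               # VA 0x4FF8..0x4FFF
    img[0x6000:0x600A] = b"ross pages"             # VA 0x5000..0x5009
    return img


def translate(img: bytes, dtb: int, va: int) -> Optional[int]:
    """PDE -> PTE walk for one virtual address; None if not present."""
    pde = struct.unpack_from("<I", img, dtb + ((va >> 22) & 0x3FF) * 4)[0]
    if not pde & PRESENT:
        return None
    if pde & LARGE:                                # 4 MiB page: no PTE level
        return (pde & 0xFFC00000) | (va & 0x003FFFFF)
    pt = pde & 0xFFFFF000
    if pt + PAGE > len(img):                       # page table not captured
        return None
    pte = struct.unpack_from("<I", img, pt + ((va >> 12) & 0x3FF) * 4)[0]
    if not pte & PRESENT:
        return None
    return (pte & 0xFFFFF000) | (va & 0xFFF)


def read_virtual(img: bytes, dtb: int, va: int, length: int) -> Optional[bytes]:
    """Read a virtual range one page at a time; None if any page is
    unmapped or lies outside the captured image."""
    out = bytearray()
    while length:
        chunk = min(length, PAGE - (va & (PAGE - 1)))
        pa = translate(img, dtb, va)
        if pa is None or pa + chunk > len(img):
            return None
        out += img[pa:pa + chunk]
        va, length = va + chunk, length - chunk
    return bytes(out)


if __name__ == "__main__":
    image = build_paging_image()
    print(read_virtual(image, DTB, 0x5123, 12))
    print(read_virtual(image, DTB, 0x4FF8, 18))
```

Translating only the first byte and then reading contiguously would, for the second read, run off the end of the image instead of returning the text that the process actually sees; the same mistake silently corrupts recovered documents on real images.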