
Design And Implementation Of Memory Forensics System Based On Binary Code Reuse

Posted on: 2019-06-16
Degree: Master
Type: Thesis
Country: China
Candidate: Z Zhuang
Full Text: PDF
GTID: 2416330545472908
Subject: Computer technology

Abstract/Summary:
With the popularization of computers, the scale and number of cybercrimes committed with computers have rapidly increased. However, computer forensics has developed slowly because of lagging legislation and a lack of professional knowledge. Early computer forensics focused on the hard disk: after the machine was powered off and the disk removed, various disk recovery methods were used to attempt to recover encrypted or erased data. Powering off, however, directly destroys the contents of memory, and it is the memory state that holds the most realistic picture of the computer at the time of seizure.

Current memory forensics methods are usually signature-based scans of a memory image. By analyzing different instances of the same type of data, an attempt is made to find their common attributes, so that instances of the data structures of interest to investigators can be scanned for and extracted from memory. An unavoidable problem is that even with a good understanding of the syntax and semantics of a data structure, analysts may still be unable to interpret the specific information it contains, especially for data structures with an application-specific encoding (for example images, tables, account passwords and the data structures of file formats). This situation is very common: even if the investigator knows that a buffer holds a photo, they still cannot render and understand the image content.

The design philosophy of the system in this thesis rests on the observation that an application that defines a data structure usually also contains its own interpretation and rendering logic, in order to produce an easy-to-understand output for that data structure. By identifying and reusing this logic in the program binaries, a scanning and rendering tool is created that can restore an instance of the data structure from a memory image. Unlike signature-based methods, it avoids reverse engineering of data structure signatures. In the experiments, the evaluation of various application binaries shows that the system can restore many kinds of application data with high accuracy, such as pictures, graphics, screenshots, user account passwords, formatted files and communication software information. Restored in its original form, the data is more persuasive as evidence.

The main contributions of this thesis are as follows:

First, this thesis proposes an algorithm for identifying and locating exit point instructions for dynamic slices, which can be used to render arbitrary memory addresses by replacing pointers.

Secondly, this thesis designs and implements a memory forensics system based on the reuse of binary programs, which allows memory scanning and restoration to work without source code. Compared with previous research, it can produce the original form of the information and spares investigators from needing specialist knowledge of a particular data structure to understand the information it contains.

Finally, this thesis analyzes the performance of the binary reuse modules and scanners experimentally, using various types of programs, and analyzes and discusses the reasons why certain programs yield unsatisfactory results.
Keywords/Search Tags: Memory Forensics, Binary Code Reuse, Reverse Engineering, Memory Scanning, Dynamic Slicing