School of Cryptographic Engineering, Information Engineering University, Zhengzhou 450001, China

LI Binglong (born 1974), male, from Weihui, Henan; PhD, associate professor and master's supervisor at Information Engineering University. Research interests: digital investigation and forensics, network intrusion tracing and forensics, cloud computing forensics, smartphone forensics.
ZHOU Zhenyu (born 1976), male, from Taikang, Henan; PhD, associate professor at Information Engineering University. Research interest: information security.
ZHANG Yu (born 1996), male, from Lianyungang, Jiangsu; master's student at Information Engineering University. Research interest: smartphone forensics.
ZHANG Heyu (born 1998), male, from Nanyang, Henan; master's student at Information Engineering University. Research interest: memory forensics.
CHANG Chaowen (born 1966), male, from Huaxian, Henan; PhD, professor and doctoral supervisor at Information Engineering University. Research interests: mobile information security, IoT security.

Online publication date: 2021-07
Print publication date: 2021-07-25
Citation: LI B L, ZHOU Z Y, ZHANG Y, et al. Memory fragment file carving algorithm based on the reverse of the structure chain[J]. Journal on Communications, 2021, 42(7): 117-127. DOI: 10.11959/j.issn.1000-436x.2021143.
Abstract: To address the extraction of fragmented evidence files from memory images, a fragment file carving model based on the memory image was proposed for common file types such as doc and pdf. On the basis of this model, a fragment file carving algorithm based on the reverse of the file object structure chain was designed and implemented; the algorithm is able to obtain file data left behind in memory. The experimental results show that the proposed algorithm successfully carves file-related metadata from the memory image, such as the file name, file source and operation behaviour, with a carving accuracy of 100%; in a typical application case, the carving accuracy for file content data reaches 87.5%, far higher than that of disk-based file carving algorithms.
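As an added illustration (not code from the paper), a toy model of the structure-chain reversal the abstract describes: a constructed memory image whose file-object chain mirrors, in simplified fixed-size form, the Windows FILE_OBJECT, SECTION_OBJECT_POINTERS, CONTROL_AREA, SUBSECTION and prototype-PTE layout (the marker, field layout and offsets are assumptions, not the paper's or Windows' real structures). Walking the chain recovers both the file name and a file whose pages are scattered in RAM, while a disk-style header/footer carve over the same image does not.

```python
import struct
PAGE = 0x1000
TAG = b"FILE"   # assumed marker prefixing a file object in the toy image

def build_image():
    """Constructed toy memory image (not a real Windows dump). The chain mirrors
    FILE_OBJECT -> SECTION_OBJECT_POINTERS -> CONTROL_AREA -> SUBSECTION ->
    prototype PTEs -> pages, with simplified fields; pointers are byte offsets."""
    img = bytearray(PAGE * 16)
    body = b"%PDF-1.4 " + b"evidence line\n" * 600 + b"%%EOF"  # spans 3 pages
    frames = [9, 3, 12]                      # file pages are scattered in RAM
    for i, pfn in enumerate(frames):
        chunk = body[i * PAGE:(i + 1) * PAGE]
        img[pfn * PAGE:pfn * PAGE + len(chunk)] = chunk
    name = "C:\\evid\\report.pdf".encode("utf-16-le")
    fobj, sop, ca, sub, ptes = PAGE, 2 * PAGE, 2 * PAGE + 0x40, 2 * PAGE + 0x80, 2 * PAGE + 0x100
    img[fobj:fobj + 4] = TAG
    struct.pack_into("<IQQ", img, fobj + 4, len(name), sop, len(body))  # name len, SOP ptr, size
    img[fobj + 24:fobj + 24 + len(name)] = name
    struct.pack_into("<Q", img, sop, ca)                  # DataSectionObject
    struct.pack_into("<Q", img, ca, sub)                  # FirstSubsection
    struct.pack_into("<QI", img, sub, ptes, len(frames))  # SubsectionBase, PtesInSubsection
    for i, pfn in enumerate(frames):
        struct.pack_into("<Q", img, ptes + 8 * i, (pfn << 12) | 1)  # valid PTE: PFN, present bit
    return bytes(img)

def carve_by_chain(img):
    """Reverse the structure chain: find file objects, walk pointers to the pages."""
    found = {}
    for off in range(0, len(img) - 32, 8):
        if img[off:off + 4] != TAG:
            continue
        nlen, sop, size = struct.unpack_from("<IQQ", img, off + 4)
        name = img[off + 24:off + 24 + nlen].decode("utf-16-le")
        ca, = struct.unpack_from("<Q", img, sop)
        sub, = struct.unpack_from("<Q", img, ca)
        ptes, count = struct.unpack_from("<QI", img, sub)
        data = b""
        for i in range(count):
            pte, = struct.unpack_from("<Q", img, ptes + 8 * i)
            if pte & 1:                               # skip non-resident pages
                data += img[(pte >> 12) * PAGE:((pte >> 12) + 1) * PAGE]
        found[name] = data[:size]                     # metadata (name) + content
    return found

def carve_by_signature(img):
    """Disk-style header/footer carving assumes contiguity and pulls in unrelated pages."""
    start = img.find(b"%PDF")
    end = img.find(b"%%EOF", start)
    return img[start:end + 5] if start >= 0 and end >= 0 else b""
```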