用于数字取证的固件辅助记忆获取和分析工具

2011 Sixth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering Pub Date : 2011-05-05 DOI:10.1109/SADFE.2011.7

Jiang Wang, Fengwei Zhang, Kun Sun, A. Stavrou

{"title":"用于数字取证的固件辅助记忆获取和分析工具","authors":"Jiang Wang, Fengwei Zhang, Kun Sun, A. Stavrou","doi":"10.1109/SADFE.2011.7","DOIUrl":null,"url":null,"abstract":"Being able to inspect and analyze the operational state of commodity machines is crucial for modern digital forensics. Indeed, volatile system state including memory data and CPU registers contain information that cannot be directly inferred or reconstructed by acquiring the contents of the nonvolatile storage. Unfortunately, it still remains an open problem how to reliably and consistently retrieve the volatile machine state without disrupting its operation. In this paper, we propose to leverage commercial PCI network cards and the current x86 implementation of System Management Mode to reliably replicate the physical memory and critical CPU registers from commodity hardware. Furthermore, we demonstrate how remote state replication can be used for semantic reconstruction, where the analysis of memory structures enables us to interactively perform forensic analysis of the machine's memory content.","PeriodicalId":264200,"journal":{"name":"2011 Sixth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering","volume":"17 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-05-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"33","resultStr":"{\"title\":\"Firmware-assisted Memory Acquisition and Analysis tools for Digital Forensics\",\"authors\":\"Jiang Wang, Fengwei Zhang, Kun Sun, A. Stavrou\",\"doi\":\"10.1109/SADFE.2011.7\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Being able to inspect and analyze the operational state of commodity machines is crucial for modern digital forensics. Indeed, volatile system state including memory data and CPU registers contain information that cannot be directly inferred or reconstructed by acquiring the contents of the nonvolatile storage. Unfortunately, it still remains an open problem how to reliably and consistently retrieve the volatile machine state without disrupting its operation. In this paper, we propose to leverage commercial PCI network cards and the current x86 implementation of System Management Mode to reliably replicate the physical memory and critical CPU registers from commodity hardware. Furthermore, we demonstrate how remote state replication can be used for semantic reconstruction, where the analysis of memory structures enables us to interactively perform forensic analysis of the machine's memory content.\",\"PeriodicalId\":264200,\"journal\":{\"name\":\"2011 Sixth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering\",\"volume\":\"17 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2011-05-05\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"33\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2011 Sixth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/SADFE.2011.7\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 Sixth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SADFE.2011.7","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 33

摘要

能够检查和分析商品机器的运行状态对于现代数字取证至关重要。实际上，包括存储器数据和CPU寄存器的易失性系统状态包含不能通过获取非易失性存储器的内容直接推断或重构的信息。不幸的是，如何可靠和一致地检索易失性机器状态而不中断其操作仍然是一个悬而未决的问题。在本文中，我们建议利用商用PCI网卡和当前的x86系统管理模式实现来可靠地从商用硬件复制物理内存和关键CPU寄存器。此外，我们还演示了远程状态复制如何用于语义重建，其中对内存结构的分析使我们能够交互式地执行机器内存内容的取证分析。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Firmware-assisted Memory Acquisition and Analysis tools for Digital Forensics

Being able to inspect and analyze the operational state of commodity machines is crucial for modern digital forensics. Indeed, volatile system state including memory data and CPU registers contain information that cannot be directly inferred or reconstructed by acquiring the contents of the nonvolatile storage. Unfortunately, it still remains an open problem how to reliably and consistently retrieve the volatile machine state without disrupting its operation. In this paper, we propose to leverage commercial PCI network cards and the current x86 implementation of System Management Mode to reliably replicate the physical memory and critical CPU registers from commodity hardware. Furthermore, we demonstrate how remote state replication can be used for semantic reconstruction, where the analysis of memory structures enables us to interactively perform forensic analysis of the machine's memory content.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2011 Sixth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering

自引率

0.00%

发文量