Research on the Method of RAM Investigation Based on Volatility

Chinese Journal of Forensic Sciences ›› 2012 ›› Issue (4): 90-93.

Previous Articles Next Articles

Research on the Method of RAM Investigation Based on Volatility

LUO Wen-hua，TANG Yan-jun

China Criminal Police University，Shenyang 110854，China

Received:2011-07-21 Published:2012-07-15 Online:2022-07-18

基于Volatility的内)信息调查方法研究

罗文华，汤艳君

中国刑事警察学院计算机犯罪侦查系，辽宁沈阳110854

作者简介:罗文华（1977-），男，副教授，硕士研究生，主要从事计算机犯罪侦查、电子物证研究。

Abstract

Abstract:

With the development of anti-forensics technology，it is more difficult to seek for valuable evidence or clues for investigators. Therefor，the research on RAM investigation has become a focus in the field of computer forensics. Based on open source software Volatility，which is used to investigate into RAM， this paper introduces The investigation mothod for RAM from the aspects of process and DLL， RAM and VAD， driver and kernel object， net connection， and registry. This paper also introduces the specific applications of the method introduced with actual examples.

Key words: RAM, Volatility, hivescan, hashdump, psscan, pslist

摘要：

随着反取证技术的发展，调查人员越来越难于在磁盘介质中寻找到有价值的证据或线索。针对内存信息的调查分析研究由此成为计算机法庭科学领域日益关注的焦点$通过以内存调查取证开源软件Volatility为背景，从进程及 DLL、內存及VAD、驱动程序及内核对象、网络连接与注册表等多个角度描—内存信息的调查方法，并结合实例说明所— 方法在实际工作中的具体应用。

关键词: 内存, Volatility, hivescan, hashdump, psscan, pslist

CLC Number: