Research on the Method of RAM Investigation Based on Volatility

Chinese Journal of Forensic Sciences ›› 2012 ›› Issue (4): 90-93.

Previous Articles Next Articles

Research on the Method of RAM Investigation Based on Volatility

LUO Wen-hua，TANG Yan-jun

China Criminal Police University，Shenyang 110854，China

Received:2011-07-21 Published:2012-07-15 Online:2022-07-18

基于Volatility的内)信息调查方法研究

罗文华，汤艳君

中国刑事警察学院计算机犯罪侦查系，辽宁沈阳110854

作者简介:罗文华（1977-），男，副教授，硕士研究生，主要从事计算机犯罪侦查、电子物证研究。

Abstract

Abstract:

With the development of anti-forensics technology，it is more difficult to seek for valuable evidence or clues for investigators. Therefor，the research on RAM investigation has become a focus in the field of computer forensics. Based on open source software Volatility，which is used to investigate into RAM， this paper introduces The investigation mothod for RAM from the aspects of process and DLL， RAM and VAD， driver and kernel object， net connection， and registry. This paper also introduces the specific applications of the method introduced with actual examples.

Key words: RAM, Volatility, hivescan, hashdump, psscan, pslist

摘要：

随着反取证技术的发展，调查人员越来越难于在磁盘介质中寻找到有价值的证据或线索。针对内存信息的调查分析研究由此成为计算机法庭科学领域日益关注的焦点$通过以内存调查取证开源软件Volatility为背景，从进程及 DLL、內存及VAD、驱动程序及内核对象、网络连接与注册表等多个角度描—内存信息的调查方法，并结合实例说明所— 方法在实际工作中的具体应用。

关键词: 内存, Volatility, hivescan, hashdump, psscan, pslist

CLC Number:

TP393

LUO Wen-hua, TANG Yan-jun. Research on the Method of RAM Investigation Based on Volatility [J]. Chinese Journal of Forensic Sciences, 2012(4): 90-93.

罗文华, 汤艳君. 基于Volatility的内)信息调查方法研究 [J]. 中国司法鉴定, 2012(4): 90-93.

[1]	LEI Fei, WANG Yachen, SUN Qiran, LUO Yiwen, YANG Xu. Rapid Identification of Black Ballpoint Pens by Surface-Enhanced Raman Spectroscopy [J]. Chinese Journal of Forensic Sciences, 2023, 0(6): 62-68.
[2]	FANG Mengyue, LIU Heping, CHEN Zhixiang, WANG Juan, ZHANG Haiqing, LI Xianguo, ZHANG Dahai. The Correlation Study between the Sewage Parameters and the Accuracy of Psychoactive Substances Detection [J]. Chinese Journal of Forensic Sciences, 2022, 124(5): 57-66.
[3]	ZHANG Zefeng. Analysis and Application of Video Time Watermark for Vehicle Speed Identification [J]. Chinese Journal of Forensic Sciences, 2020, 112(5): 43-49.
[4]	DING Min-ju, WANG Ying, ZHANG Cheng-gong, ZHANG Yong-feng, ZENG yi, GU Jing-long. Study on the Primary and Secondary Copper Molten Marks by Laser Raman Micro-spectroscopy [J]. Chinese Journal of Forensic Sciences, 2013, 69(4): 23-27.
[5]	ZHOU Hua, ZHANG Shi-Bo, LI Ping-Fei, HUANG Hai-Bo. Safety Analysis of Truck Escape Ramp of G5 Freeway [J]. , 2013, 68(3): 0-0.
[6]	. [J]. , 2013, 67(2): 76-79.
[7]	. To Understand the Speaker Automatic Recognition System Dialecticly [J]. , 2013, 67(2): 71-75.
[8]	Luo Yi-wen, Sun Qi-ran, Xu Che, XI Jian-hua. Discrimination of Direct Dyes and Dyed Fibers by Raman Spectroscopy [J]. Chinese Journal of Forensic Sciences, 2012, 65(6): 28-32.
[9]	WU Guo-qiang, ZHENG Ke. The Cause of Frame Beam Slab Crack and Its Structure Quality Appraisal [J]. Chinese Journal of Forensic Sciences, 2012, 62(3): 87-89.
[10]	XU Ke, LIANG Lu-ning, LIAN Yuan-yuan. Classification toners of Laser Printers with Micro Raman Spectroscopy [J]. Chinese Journal of Forensic Sciences, 2011, 55(2): 27-30.
[11]	YANG Jun-jie, LI Hong-ming, YUE Wei, HU Yao-min, YANG Yun-sheng, LI Jing-wei, LI Xiao-yong. Research on Forensic Voice Identification under Different Communication Systems [J]. Chinese Journal of Forensic Sciences, 2010, 52(5): 45-48.
[12]	ZOU Tie-fang;YU Zhi;CAI Ming;LIU Ji-ke (School of Engineering;Sun Yat-sen University;Guangzhou 0;China). Orthogonal Experiment Design Pc-Crash to Reconstruct Traffic Accident [J]. , 2010, 0(03): 45-48+5.
[13]	LIU Xiao-xia;QIAO Jun-yuan;YUN Ke-ming;ZHANG Da-ming;WEI Zhi-wen;AN jian-kang;WANG Yu-jin (. Forensic Medicine School of Shanxi Medical University;Taiyuan 0000;China;. Xinghualing Branch of Taiyuan Public Security Bureau;Taiyuan 0000;China. Study on Self-generation Alcohol in Preserved Dog Corpses [J]. , 2010, 0(01): 26-29.
[14]	ZOU Dong-hua;CHEN Yi-jiu;LIU Ning-guo(Institute of Forensic Science;Ministry of Justice;Shanghai Key Laboratory of Forensic Medicine;Shanghai 000;China). Characteristics of Trace Evidence in 200 Traffic Accidents Involving Collision between vehicles and humans [J]. , 2008, 0(06): 77-82.
[15]	SHI Shao-pei;YANG Xu;CHEN xiao-hong;BIAN Xin-wei;XI Jian-hua;XU Che;SUN Wei-long;QIAN Huang-gui (Institute of Forensic Science;Ministry of Justice;Shanghai 000;China). Experimental Studies on Mobile Phone Voice [J]. , 2008, 0(05): 39-44.

Research on the Method of RAM Investigation Based on Volatility

基于Volatility的内)信息调查方法研究

PDF

Knowledge

Cited

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics