Journal on Communications (通信学报) ›› 2021, Vol. 42 ›› Issue (7): 117-127. doi: 10.11959/j.issn.1000-436x.2021143
Binglong LI (李炳龙), Zhenyu ZHOU (周振宇), Yu ZHANG (张宇), Heyu ZHANG (张和禹), Chaowen CHANG (常朝稳)
Revised: 2021-03-01
Online: 2021-07-25
Published: 2021-07-01
About the first author: Binglong LI (born 1974), male, from Weihui, Henan; Ph.D.; associate professor and master's supervisor at Information Engineering University. Main research interests: digital investigation and forensics, tracing and forensics of network intrusions, cloud computing forensics, and smartphone forensics.
Abstract:
To address the problem of extracting fragmented evidence files from memory images, a memory-image-based fragmented file carving model is proposed for common file types such as doc and pdf. Based on this model, a fragmented file carving algorithm that reverses the file object structure chain is designed; it recovers file data left behind in memory. Experimental results show that the algorithm successfully carves file-related metadata from memory images, such as the file name, the file's source, and the operations performed on it, with a carving precision of 100%. In typical application scenarios the carving precision for file content reaches 87.5%, far higher than that of disk-based file carving algorithms.
Cite this article: Binglong LI, Zhenyu ZHOU, Yu ZHANG, Heyu ZHANG, Chaowen CHANG. Memory fragment file carving algorithm based on the reverse of the structure chain (基于结构链逆向的内存碎片文件雕刻算法)[J]. Journal on Communications, 2021, 42(7): 117-127.
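The abstract contrasts two things: carving by following a file object's structure chain to the pages that hold its content, and disk-style carving that assumes a file's bytes are contiguous. The following Python program is an added illustration of that contrast and is not the paper's model, the paper's code, or the real Windows kernel layout. It assumes an invented toy layout (a `FOBJ` file-object record pointing at a name and a `SECT` record, which in turn holds the file size and a page-frame table with a `NOT_RESIDENT` sentinel) inside a constructed memory image in which one "PDF" is spread over non-adjacent, out-of-order pages with one page paged out, next to a stale footer from another file.

```python
"""Structure-chain carving vs. header/footer carving on a constructed image.

The record layout here (FOBJ / SECT records, a page-frame table) is an
invented toy used only to show the idea; it is not the paper's model or
code and not the real Windows file-object / section-object chain.
"""
import struct

PAGE = 4096
FOBJ_MAGIC = b"FOBJ"        # toy file-object signature (assumption)
SECT_MAGIC = b"SECT"        # toy section record: size, page count, PFN table
NOT_RESIDENT = 0xFFFFFFFF   # PFN sentinel: page paged out or never read in


def build_image(n_pages=16):
    """Return (image, original_file): a constructed image holding one
    fragmented 'PDF' whose pages sit out of order with one page missing."""
    image = bytearray(n_pages * PAGE)
    # Stale footer from some other, long-gone PDF: a carver that assumes
    # contiguity will stop here.
    image[5 * PAGE:5 * PAGE + 5] = b"%%EOF"
    body = b"%PDF-1.4\n" + b"A" * 6000 + b"B" * 6000 + b"C" * 3000 + b"\n%%EOF\n"
    pfns = [3, 9, 1, 12]                     # file page i lives in frame pfns[i]
    for i, pfn in enumerate(pfns):
        chunk = body[i * PAGE:(i + 1) * PAGE]
        image[pfn * PAGE:pfn * PAGE + len(chunk)] = chunk
    # Third file page has been paged out: frame 1 is reused (zeroed here)
    # and the PFN table records it as not resident.
    image[1 * PAGE:2 * PAGE] = bytes(PAGE)
    pfn_table = [3, 9, NOT_RESIDENT, 12]
    # Kernel-side records: file object in frame 14, section record in frame 15.
    name = b"report.pdf"
    name_off, sect_off = 14 * PAGE + 64, 15 * PAGE
    image[14 * PAGE:14 * PAGE + 12] = FOBJ_MAGIC + struct.pack("<II", name_off, sect_off)
    image[name_off:name_off + 2 + len(name)] = struct.pack("<H", len(name)) + name
    tbl = struct.pack("<II%dI" % len(pfn_table), len(body), len(pfn_table), *pfn_table)
    image[sect_off:sect_off + 4 + len(tbl)] = SECT_MAGIC + tbl
    return bytes(image), body


def carve_by_signature(image):
    """Disk-style carving: header to the next footer, assumes contiguous data."""
    start = image.find(b"%PDF-")
    if start < 0:
        return b""
    end = image.find(b"%%EOF", start)
    return image[start:end + 5] if end >= 0 else image[start:]


def carve_by_chain(image):
    """Walk every file object: name pointer -> section -> PFN table -> pages."""
    found = []
    pos = image.find(FOBJ_MAGIC)
    while pos >= 0:
        rec = _follow_chain(image, pos)
        if rec is not None:
            found.append(rec)
        pos = image.find(FOBJ_MAGIC, pos + 1)
    return found


def _follow_chain(image, pos):
    n = len(image)
    if pos + 12 > n:
        return None
    name_off, sect_off = struct.unpack_from("<II", image, pos + 4)
    # Every pointer is validated before use: a false-positive signature must
    # not crash the walk or yield a bogus record.
    if name_off + 2 > n or sect_off + 12 > n:
        return None
    (name_len,) = struct.unpack_from("<H", image, name_off)
    if name_off + 2 + name_len > n or image[sect_off:sect_off + 4] != SECT_MAGIC:
        return None
    size, count = struct.unpack_from("<II", image, sect_off + 4)
    if sect_off + 12 + 4 * count > n:
        return None
    pfns = struct.unpack_from("<%dI" % count, image, sect_off + 12)
    data, resident = bytearray(), 0
    for pfn in pfns:
        if pfn == NOT_RESIDENT or (pfn + 1) * PAGE > n:
            data += bytes(PAGE)      # hole: content lost, keep file offsets aligned
        else:
            data += image[pfn * PAGE:(pfn + 1) * PAGE]
            resident += 1
    return {
        "name": image[name_off + 2:name_off + 2 + name_len].decode("ascii", "replace"),
        "size": size,
        "data": bytes(data[:size]),
        "coverage": resident / count if count else 0.0,
    }


def content_match(carved, original):
    """Fraction of PAGE-sized blocks of the original that were recovered exactly."""
    blocks = range(0, len(original), PAGE)
    hit = sum(1 for o in blocks if carved[o:o + PAGE] == original[o:o + PAGE])
    return hit / len(blocks)


if __name__ == "__main__":
    image, original = build_image()
    rec = carve_by_chain(image)[0]
    print(rec["name"], rec["size"], "resident pages: %.2f" % rec["coverage"])
    print("chain carve, blocks recovered:    ", content_match(rec["data"], original))
    print("signature carve, blocks recovered:", content_match(carve_by_signature(image), original))
```

On this toy image the chain walk recovers the file name and size exactly and every page that is still resident, while the header/footer carve returns the first page followed by unrelated frames because the next `%%EOF` it meets belongs to a different file. The gap between the two precision figures in the abstract (100% for metadata, 87.5% for content) has the same cause as the `NOT_RESIDENT` hole here: the kernel records describing a file survive in memory longer than the file's own pages, which can be paged out or reused. A real implementation has to replace the toy offsets with the structure layout of the exact OS build being examined, and should validate every pointer it follows just as the walk above does, since a signature hit in a memory dump can be stale or a false positive.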
Table 1 Sizes of the test files of each type (bytes)
File | doc (B) | pdf (B) | txt (B) | jpg (B)
--- | --- | --- | --- | ---
f0 | 24,064 | 51,618 | 32 | 14,717
f1 | 26,112 | 66,067 | 698 | 60,019
f2 | 26,624 | 86,311 | 747 | 97,788
f3 | 27,136 | 138,276 | 778 | 122,854
f4 | 28,160 | 145,813 | 997 | 141,963
f5 | 39,424 | 159,331 | 3,917 | 226,174
f6 | 81,920 | 212,392 | 15,127 | 360,907
f7 | 118,784 | 272,669 | 24,154 | 421,069
f8 | 189,952 | 397,519 | 24,564 | 2,599,419
f9 | 233,984 | 2,173,636 | 318,997 | 6,523,649