基于结构链逆向的内存碎片文件雕刻算法

doi:10.11959/j.issn.1000-436x.2021143

通信学报 ›› 2021, Vol. 42 ›› Issue (7): 117-127.doi: 10.11959/j.issn.1000-436x.2021143

基于结构链逆向的内存碎片文件雕刻算法

李炳龙, 周振宇, 张宇, 张和禹, 常朝稳

信息工程大学密码工程学院，河南郑州 450001

修回日期:2021-03-01 出版日期:2021-07-25 发布日期:2021-07-01
作者简介:李炳龙（1974− ），男，河南卫辉人，博士，信息工程大学副教授、硕士生导师，主要研究方向为数字调查与取证、网络入侵溯源追踪与取证、云计算取证、智能手机取证等
周振宇（1976− ），男，河南太康人，博士，信息工程大学副教授，主要研究方向为信息安全
张宇（1996− ），男，江苏连云港人，信息工程大学硕士生，主要研究方向为智能手机取证
张和禹（1998− ），男，河南南阳人，信息工程大学硕士生，主要研究方向为内存取证
常朝稳（1966− ），男，河南滑县人，博士，信息工程大学教授、博士生导师，主要研究方向为移动信息安全、物联网安全
基金资助:
国家自然科学基金资助项目(60903220)

Memory fragment file carving algorithm based on the reverse of the structure chain

Binglong LI, Zhenyu ZHOU, Yu ZHANG, Heyu ZHANG, Chaowen CHANG

Cryptography Engineering Academy, Information Engineering University, Zhengzhou 450001, China

Revised:2021-03-01 Online:2021-07-25 Published:2021-07-01
Supported by:
The National Natural Science Foundation of China(60903220)

摘要/Abstract

摘要：

为解决内存映像中碎片证据文件提取问题，针对doc、pdf等常见文件类型，提出了一种基于内存映像的碎片文件雕刻模型。基于该模型，设计了基于文件对象结构链逆向的碎片文件雕刻算法，能够获取遗留在内存中的文件数据。实验结果表明，该算法能够成功从内存映像中雕刻出文件相关的元数据信息，例如文件名、文件来源及操作行为等，雕刻精确度达到 100%；而且在典型应用情况下，文件内容数据雕刻精度达到 87.5％，远高于基于磁盘文件雕刻算法的精确度。

关键词: 文件雕刻, 内存取证, 内存碎片, 碎片连接, 结构逆向

Abstract:

To address the extraction of document evidence for doc, pdf, and other common file types in the memory image, the model of fragment file carving based on memory image was proposed.Then, on the basis of the model, the fragment file carving algorithm based on the reverse of file object structure chain was designed and implemented, the algorithm was able to get file data left behind in the memory image file.The experimental results show that the proposed algorithm can successfully carve out of memory file’s metadata, and the accuracy is 100%, and in a typical application case, the accuracy of the algorithm for memory file can achieve 87.5%, far higher than disk-based file caving algorithm.

Key words: file carving, memory forensics, memory fragment, fragment adjacent, structure reverse

中图分类号:

TP309

李炳龙, 周振宇, 张宇, 张和禹, 常朝稳. 基于结构链逆向的内存碎片文件雕刻算法[J]. 通信学报, 2021, 42(7): 117-127.

Binglong LI, Zhenyu ZHOU, Yu ZHANG, Heyu ZHANG, Chaowen CHANG. Memory fragment file carving algorithm based on the reverse of the structure chain[J]. Journal on Communications, 2021, 42(7): 117-127.

图/表 10

图1

图2

图3

图4

表1

表2

表3

表4

表5

图5

参考文献 31

[1]	SERVIDA F , CASEY E . IoT forensic challenges and opportunities for digital traces[J]. Digital Investigation, 2019,28: 22-29.
[2]	SUDHAKAR ， KUMAR S . An emerging threat Fileless malware:a survey and research challenges[J]. Cybersecurity, 2020,3(1): 1-12.
[3]	The Internet Crime Complaint Center. 2019 Internet crime report[R]. 2019.
[4]	McAfee Labs. 2019 threats report[R]. 2019.
[5]	CAVIGLIONE L , WENDZE S , MAZURCZKY W . The future of digital forensics:challenges and the road ahead[J]. IEEE Security ＆Privacy, 2017,15(6): 12-17.
[6]	XIAO T , XU M , XU J . Acquisiting text documents opened by notepad from Windows7 RAM image[J]. Journal of Computational Information Systems, 2014,10(16): 7117-7124.
[7]	PATEL A , MISTRY N . An analyzing of different techniques and tools to recover data from volatile memory[J]. International Journal for Scientific Research ＆ Development, 2013,1(2): 227-233.
[8]	NUR A , MOHAMAD K , HASHEEM Y . Corrupted MP4 carving using MP4-Karver[J]. International Journal of Advanced Computer Science and Applications, 2016,7(3): 88-93.
[9]	CARRIER B D , GRAND J . A hardware-based memory acquisition procedure for digital investigations[J]. Digital Investigation, 2004,1(1): 50-60.
[10]	MULLAN P , RIESS C , FREILING F . Forensic source identification using JPEG image headers:the case of smartphones[J]. Digital Investigation, 2019,28: 68-76.
[11]	BAHJAT A A , JONES J . Deleted file fragment dating by analysis of allocated neighbors[J]. Digital Investigation, 2019,28: 60-67.
[12]	KORNBLUM J D . Using every part of the buffalo in Windows memory analysis[J]. Digital Investigation, 2007,4(1): 24-29.
[13]	DOLAN-GAVITT B . The VAD tree:a process-eye view of physical memory[J]. Digital Investigation, 2007,4: 62-64.
[14]	VAN-BAAR R B , ALINK W , VAN-BALLEGOOIJ A R , . Forensic memory analysis:files mapped in memory[J]. Digital Investigation, 2008,5: 52-57.
[15]	QUICK D , CHOO K K R . Impacts of increasing volume of digital forensic data:a survey and future research challenges[J]. Digital Investigation, 2014,11(4): 273-294.
[16]	GAO Y H , CAO T J . Memory forensics for QQ from a live system[J]. Journal of Computers, 2010,5(4): 541-548.
[17]	PETRONI N L , WALTERS A , FRASER T ,et al. FATKit:a framework for the extraction and analysis of digital forensic data from volatile system memory[J]. Digital Investigation, 2006,3(4): 197-210.
[18]	马庆杰, 李炳龙, 位丽娜 . 基于SQLite内容雕刻的恢复技术[J]. 计算机应用, 2017,37(2): 392-396.
	MA Q J , LI B L , WEI L N . File recovery based on SQlite content carving[J]. Journal of Computer Applications, 2017,37(2): 392-396.
[19]	高元照, 李炳龙, 陈性元 . 基于MapReduce的HDFS数据窃取随机检测算法[J]. 通信学报, 2018,39(10): 11-21.
	GAO Y Z , LI B L , CHEN X Y . Stochastic algorithm for HDFS data theft detection based on MapReduce[J]. Journal on Communications, 2018,39(10): 11-21.
[20]	V?MEL S , FREILING F C . Correctness,atomicity,and integrity:defining criteria for forensically-sound memory acquisition[J]. Digital Investigation, 2012,9(2): 125-137.
[21]	HEO H S , SO B M , YANG I H ,et al. Automated recovery of damaged audio files using deep neural networks[J]. Digital Investigation, 2019,30: 117-126.
[22]	高元照, 李炳龙, 吴熙曦 . 基于物理内存的注册表逆向重建取证分析算法[J]. 山东大学学报(理学版), 2016,51(9): 127-136.
	GAO Y Z , LI B L , WU X X . A forensic analysis algorithm of registry reverse reconstruction based on physical memory[J]. Journal of Shan-dong University (Natural Science), 2016,51(9): 127-136.
[23]	KHILOSIYA B , MAKADIYA K . Malware analysis and using memory forensic[J]. Multidisciplinary International Research Journal of Gujarat Technological University, 2020,2(2): 106-117.
[24]	SCHUSTER A . Searching for processes and threads in Microsoft Windows memory dumps[J]. Digital Investigation, 2006,3: 10-16.
[25]	SALAVE P , WAKDIKAR A . Memory forensics:tools comparison[J]. International Journal of Science and Research, 2017,6(6): 5-8.
[26]	COHEN M . Scanning memory with Yara[J]. Digital Investigation, 2017,20: 34-43.
[27]	OKOLICA J , PETERSON G L . Windows operating systems agnostic memory analysis[J]. Digital Investigation, 2010,7: 48-56.
[28]	GS StatCounter . Desktop Windows version market share worldwide[R]. 2020.
[29]	MARZIALE L , RICHARD G G III , ROUSSEV V III . Massive threading:using GPUs to increase the performance of digital forensics tools[J]. Digital Investigation, 2007,4: 73-81.
[30]	AL-SHARIF Z A , AL-KHALEE A Y , AL-SALEH M I ,et al. Carving and clustering files in ram for memory forensics[J]. Far East Journal of Electronics and Communications, 2018,18(5): 695-722.
[31]	The Honeynet Project. Challenge 3-banking troubles[R]. 2010.

文件	doc/B	pdf/B	txt/B	jpg/B
f0	24 064	51 618	32	14 717
f1	26 112	66 067	698	60 019
f2	26 624	86 311	747	97 788
f3	27 136	138 276	778	122 854
f4	28 160	145 813	997	141 963
f5	39 424	159 331	3 917	226 174
f6	81 920	212 392	15 127	360 907
f7	118 784	272 669	24 154	421 069
f8	189 952	397 519	24 564	2 599 419
f9	233 984	2 173 636	318 997	6 523 649

文件类型	本文方法		Scalpel 1.60
文件类型	元数据	文件内容	元数据	文件内容
jpg	√	√	×	×
doc	√	√	×	×
pdf	√	√	×	×
txt	√	√	×	√×

文件类型	本文方法		Scalpel 1.60
文件类型	元数据/个	文件/个	元数据/个	文件/个
doc	10	2	0	0
pdf	10	1	0	0
txt	10	10	0	0
jpg	10	4	0	1
平均精确度	100%	42.5％	0	2.5％

实验	本文算法		文献[30]算法
实验	元数据/个	文件/个	元数据/个	文件/个
实验1	10	10	0	5
实验2	10	8	0	4
实验3	10	1	0	2
精确度	100%	63.3%	0	36.7%

基于结构链逆向的内存碎片文件雕刻算法

Memory fragment file carving algorithm based on the reverse of the structure chain

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 31

相关文章 15

Metrics

推荐阅读 0

[1]	杜小妮, 王香玉, 梁丽芳, 李锴彬. 轻量级分组密码Piccolo的量子密码分析[J]. 通信学报, 2023, 44(6): 175-182.
[2]	郑震, 严迎建, 蔡爵嵩, 刘燕江. 基于双样本KS检验的非特定TVLA方法[J]. 通信学报, 2023, 44(5): 137-147.
[3]	冯涛, 陈李秋, 方君丽, 石建明. 基于本地化差分隐私和属性基可搜索加密的区块链数据共享方案[J]. 通信学报, 2023, 44(5): 224-233.
[4]	周大成, 陈鸿昶, 何威振, 程国振, 扈红超. 基于深度强化学习的微服务多维动态防御策略研究[J]. 通信学报, 2023, 44(4): 50-63.
[5]	唐明, 胡一凡. Load-to-store: store buffer暂态窗口时间泄露的利用[J]. 通信学报, 2023, 44(4): 64-77.
[6]	李玮, 刘春, 谷大武, 孙文倩, 高建宁, 秦梦洋. Saturnin-Short轻量级认证加密算法的统计无效故障分析[J]. 通信学报, 2023, 44(4): 167-175.
[7]	刘玉玲, 王翠林, 付章杰. 语义空间下基于情感表达的生成式文本隐写方法[J]. 通信学报, 2023, 44(4): 176-186.
[8]	胡柏吉, 张晓娟, 李元诚, 赖荣鑫. 支持多功能的V2G网络隐私保护数据聚合方案[J]. 通信学报, 2023, 44(4): 187-200.
[9]	范伟, 彭诚, 朱大立, 王雨晴. 移动边缘计算网络下基于静态贝叶斯博弈的入侵响应策略研究[J]. 通信学报, 2023, 44(2): 70-81.
[10]	黄冬艳, 李琨. 多地址的时间型区块链隐蔽通信方法研究[J]. 通信学报, 2023, 44(2): 148-159.
[11]	张淑芬, 董燕灵, 徐精诚, 王豪石. 基于目标扰动的AdaBoost算法[J]. 通信学报, 2023, 44(2): 198-209.
[12]	王圣宝, 周鑫, 文康, 翁柏森. 适用于智能电网的三方认证密钥交换协议[J]. 通信学报, 2023, 44(2): 210-218.
[13]	韩益亮, 郭凯阳, 吴日铭, 刘凯. 格上基于OBDD访问结构的抗密钥滥用属性加密方案[J]. 通信学报, 2023, 44(1): 75-88.
[14]	夏超, 刘亚奇, 关晴骁, 金鑫, 张艳硕, 许盛伟. 基于非线性残差的JPEG图像隐写分析[J]. 通信学报, 2023, 44(1): 142-152.
[15]	付晓东, 漆鑫鑫, 刘骊, 彭玮, 丁家满, 代飞. 基于权力指数的DPoS共谋攻击检测与预防[J]. 通信学报, 2022, 43(12): 123-133.