基于Volatility的内存信息调查方法研究

Research on the Method of RAM Investigation Based on Volatility

随着反取证技术的发展,调查人员越来越难于在磁盘介质中寻找到有价值的证据或线索。针对内存信息的调查分析研究由此成为计算机法庭科学领域日益关注的焦点。通过以内存调查取证开源软件Volatility为背景,从进程及DLL、内存及VAD、驱动程序及内核对象、网络连接与注册表等多个角度描述内存信息的调查方法,并结合实例说明所述方法在实际工作中的具体应用。

With the development of anti-forensics technology, it is more difficult to seek for valuable evidence or clues for investigators. Therefore, the research on RAM investigation has become a focus in the field of computer forensics. Based on open source software Volatility, which is used to investigate into RAM, this paper introduces the investigation mothod for RAM from the aspects of process and DLL, RAM and VAD, driver and kernel object, net connection and registry. This paper also introduces the specific applications of the method with actual examples.