
Acquisition of Digital Evidence from the Data Structure of Network Transmission in RAM
Abstract: In digital forensic practice, acquiring the IP addresses, port numbers, MAC addresses and the corresponding process information involved in a suspect's network transmissions helps to reveal network crimes comprehensively and in depth. Based on the concrete in-memory layouts of four data structures, the IPv4 header, sockaddr_in, _TCPT_OBJECT and the Ethernet V2 MAC frame, this paper summarises the characteristic signatures used to locate the related structures in RAM, illustrates the method for extracting digital evidence of network transmission with examples, and elaborates the specific techniques and precautions involved. Digital forensic practice shows the method to be accurate and efficient.
Source: Chinese Journal of Forensic Sciences (中国司法鉴定), 2013, No. 2, pp. 76-79 (4 pages)
Keywords: memory (RAM); data structure; IPv4 header; sockaddr_in; _TCPT_OBJECT; MAC frame
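The abstract describes locating network-transmission structures in RAM by characteristic signatures and then reading out addresses and ports. The following is an added illustration (not code from the paper) of that idea for one of the four structures, the Ethernet V2 frame carrying an IPv4/TCP header: it scans a raw memory buffer for the EtherType-plus-IPv4-version signature, verifies the IPv4 header checksum so that signature look-alikes are rejected, and extracts MACs, IPs and ports. It assumes IPv4 headers without options (IHL = 5); the sample image is constructed, not a real dump.

```python
import socket
import struct

# EtherType 0x0800 immediately followed by an IPv4 first byte (Version 4, IHL 5).
# Assumption: headers without IP options; the paper's other structures are not covered here.
IPV4_SIG = b"\x08\x00\x45"

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def carve_frames(mem: bytes) -> list:
    """Scan a raw memory buffer for Ethernet V2 / IPv4 / TCP header chains and
    return one dict per validated hit with MACs, IP addresses and TCP ports."""
    hits, pos = [], mem.find(IPV4_SIG)
    while pos != -1:
        eth_start, ip_off = pos - 12, pos + 2
        ip_hdr = mem[ip_off:ip_off + 20]
        if eth_start >= 0 and len(ip_hdr) == 20:
            fields = struct.unpack("!BBHHHBBH4s4s", ip_hdr)
            total_len, proto, chk, src, dst = fields[2], fields[6], fields[7], fields[8], fields[9]
            # Reject signature look-alikes: the header checksum must verify and the
            # total length must at least cover the header itself.
            valid = ipv4_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == chk and total_len >= 20
            if valid and proto == 6 and len(mem) >= ip_off + 24:
                sport, dport = struct.unpack("!HH", mem[ip_off + 20:ip_off + 24])
                hits.append({"dst_mac": mem[eth_start:eth_start + 6].hex(":"),
                             "src_mac": mem[eth_start + 6:eth_start + 12].hex(":"),
                             "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
                             "src_port": sport, "dst_port": dport})
        pos = mem.find(IPV4_SIG, pos + 1)
    return hits

def build_sample_image() -> bytes:
    """Constructed test data (not a real memory dump): one valid frame between
    filler bytes, plus a decoy that carries the signature but fails the checksum."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    tcp = struct.pack("!HH", 49152, 443) + b"\x00" * 16
    decoy = b"\xff" * 12 + IPV4_SIG + b"\x00" * 21
    return b"\x00" * 37 + decoy + b"\xaa" * 9 + eth + ip + tcp + b"\x00" * 20
```

On a real image the same scan would be run over the whole dump, and a hit's byte offset is what ties it back to the owning process and the paper's sockaddr_in / _TCPT_OBJECT structures.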