Abstract
To address the extraction of fragmented evidence files from memory images, a fragment file carving model based on the memory image was proposed for doc, pdf, and other common file types. On the basis of this model, a fragment file carving algorithm based on reversing the file object structure chain was designed, which is able to recover file data left behind in memory. The experimental results show that the algorithm can successfully carve file-related metadata out of the memory image, such as the file name, file source, and operation behavior, with a carving accuracy of 100%; in a typical application case, the carving accuracy for file content data reaches 87.5%, far higher than that of disk-based file carving algorithms.
Authors
LI Binglong (李炳龙)
ZHOU Zhenyu (周振宇)
ZHANG Yu (张宇)
ZHANG Heyu (张和禹)
CHANG Chaowen (常朝稳)
Cryptography Engineering Academy, Information Engineering University, Zhengzhou 450001, China
Source
Journal on Communications (《通信学报》)
EI
CSCD
Peking University Core Journal
2021, Issue 7, pp. 117-127 (11 pages)
Funding
Supported by the National Natural Science Foundation of China (No. 60903220).
Keywords
file carving
memory forensics
memory fragment
fragment adjacent
structure reverse