Abstract
Reconstructing and analyzing the registry structure is one of the key and difficult problems in Windows physical memory forensics. First, by analyzing the logical characteristics of registry files on disk and using Windows debugging tools to examine the data-structure features of the registry in memory, we establish a method for locating registry structures in physical memory. Then, by analyzing the tree relationship between registry keys, we define a registry-structure reconstruction algorithm and, using the Graphviz visualization tool, design a tree-structure (dendrogram) visualization algorithm for the reconstructed registry. Experimental results show that the algorithm can reconstruct registry key names and value data from physical memory, that the recovered data is sufficient to detect a virus on the system, and that the Graphviz visualization effectively shows the process and result of the virus infecting the system.
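As an added worked example (not code from the paper), the following Python script shows the three steps the abstract describes in a form that runs offline: locating hive data in a raw memory buffer, rebuilding the key tree from the nk/vk cells found, and emitting a Graphviz DOT graph of it. The paper locates hive structures through data-structure features obtained with Windows debugging tools; this example instead carves page-aligned "hbin" headers by signature, a swapped-in technique that arrives at the same cell format. The hive bin, key names and the value "Updater = C:\Temp\sample.exe" are constructed sample data; offsets inside cells are hive-relative, so the bin's own offset field is used rather than its position in the image, and the tree is rebuilt from each key's parent link so that it survives a non-resident subkey-list cell.

```python
"""Carve Windows registry hive bins out of a raw physical-memory buffer, rebuild
the key tree from the nk/vk cells found, and emit a Graphviz DOT graph."""
import struct

# ---- constructed sample input --------------------------------------------
# A single hive bin in the regf cell format (the kernel keeps hive pages in
# memory in this same layout), so that the carver below has something to find.

def cell(payload: bytes) -> bytes:
    """Allocated cell: negative int32 size (including the size field), 8-byte aligned."""
    size = (4 + len(payload) + 7) & ~7
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")

def nk(name: str, parent: int, nsub: int, nvals: int, vlist: int) -> bytes:
    """Key node cell. flags 0x20 = ASCII ('compressed') name. Subkey-list, security
    and class offsets stay 0xFFFFFFFF (no cell), as if those pages were not resident."""
    n = name.encode("ascii")
    return struct.pack("<2sHQ15IHH", b"nk", 0x20, 0, 0, parent, nsub, 0,
                       0xFFFFFFFF, 0xFFFFFFFF, nvals, vlist, 0xFFFFFFFF,
                       0xFFFFFFFF, 0, 0, 0, 0, 0, len(n), 0) + n

def vk(name: str, data_off: int, data_len: int, vtype: int) -> bytes:
    """Key value cell. flags bit 0 = ASCII name."""
    n = name.encode("ascii")
    return struct.pack("<2sHIIIHH", b"vk", len(n), data_len, data_off, vtype, 1, 0) + n

def build_sample_bin() -> bytes:
    """One 4 KiB 'hbin' holding ROOT\\Software\\Run with a REG_SZ value 'Updater'."""
    bins = bytearray(32)                       # hbin header, filled in at the end
    def add(payload: bytes) -> int:            # append a cell, return its hive offset
        off = len(bins); bins.extend(cell(payload)); return off
    root = add(nk("ROOT", 0xFFFFFFFF, 1, 0, 0xFFFFFFFF))
    soft = add(nk("Software", root, 1, 0, 0xFFFFFFFF))
    data = "C:\\Temp\\sample.exe".encode("utf-16-le") + b"\0\0"   # constructed path
    d = add(data)
    v = add(vk("Updater", d, len(data), 1))    # 1 = REG_SZ
    vl = add(struct.pack("<I", v))             # value list: array of vk offsets
    add(nk("Run", soft, 0, 1, vl))
    free = 0x1000 - len(bins)                  # trailing free cell (positive size)
    bins.extend(struct.pack("<i", free).ljust(free, b"\0"))
    struct.pack_into("<4sII", bins, 0, b"hbin", 0, 0x1000)   # sig, hive offset, size
    return bytes(bins)

# ---- carving and reconstruction -------------------------------------------

def carve_bins(mem: bytes):
    """Yield every plausible hive bin: 'hbin' on a page boundary with a sane,
    page-multiple size. Stray 'hbin' strings elsewhere in memory are ignored."""
    off = mem.find(b"hbin")
    while off != -1:
        if off % 0x1000 == 0 and off + 12 <= len(mem):
            size = struct.unpack_from("<I", mem, off + 8)[0]
            if 0x1000 <= size <= len(mem) - off and size % 0x1000 == 0:
                yield mem[off:off + size]
        off = mem.find(b"hbin", off + 4)

def parse_cells(mem: bytes) -> dict:
    """Map hive-relative offset -> payload for every allocated cell. nk/vk offsets
    are hive-relative, so the bin's offset field (+4) is the base, not its image position."""
    cells = {}
    for b in carve_bins(mem):
        hive_off = struct.unpack_from("<I", b, 4)[0]
        pos = 0x20
        while pos + 4 <= len(b):
            size = struct.unpack_from("<i", b, pos)[0]
            if size == 0 or abs(size) % 8 or pos + abs(size) > len(b):
                break                          # corrupt or unmapped: stop this bin
            if size < 0:                       # negative size = allocated cell
                cells[hive_off + pos] = b[pos + 4:pos - size]
            pos += abs(size)
    return cells

def parse_vk(c: bytes, cells: dict):
    nlen, dlen, doff, vtype, flags = struct.unpack_from("<HIIIH", c, 2)
    name = c[0x14:0x14 + nlen].decode("ascii" if flags & 1 else "utf-16-le") or "(Default)"
    if dlen & 0x80000000:                      # small data is stored in the offset field
        data = struct.pack("<I", doff)[:dlen & 0x7FFFFFFF]
    else:
        data = cells.get(doff, b"")[:dlen]
    if vtype in (1, 2):                        # REG_SZ / REG_EXPAND_SZ
        data = data.decode("utf-16-le", "replace").rstrip("\0")
    return name, vtype, data

def rebuild_tree(cells: dict) -> dict:
    """{nk offset: {name, parent, values}}; the tree comes from each key's parent
    link, which survives even when its subkey-list cell is not resident."""
    keys = {}
    for off, c in cells.items():
        if c[:2] != b"nk":
            continue
        flags = struct.unpack_from("<H", c, 2)[0]
        parent = struct.unpack_from("<I", c, 0x10)[0]
        nvals, vlist = struct.unpack_from("<II", c, 0x24)
        nlen = struct.unpack_from("<H", c, 0x48)[0]
        name = c[0x4C:0x4C + nlen].decode("ascii" if flags & 0x20 else "utf-16-le")
        values = []
        if nvals and vlist in cells:
            for (voff,) in struct.iter_unpack("<I", cells[vlist][:4 * nvals]):
                if voff in cells and cells[voff][:2] == b"vk":
                    values.append(parse_vk(cells[voff], cells))
        keys[off] = {"name": name, "parent": parent, "values": values}
    return keys

def key_path(keys: dict, off: int) -> str:
    parts, seen = [], set()
    while off in keys and off not in seen:     # 'seen' guards against cyclic corruption
        seen.add(off); parts.append(keys[off]["name"]); off = keys[off]["parent"]
    return "\\".join(reversed(parts))

def to_dot(keys: dict) -> str:
    """Graphviz DOT: one box per key, values listed inside, edges parent -> child."""
    def esc(s): return s.replace("\\", "\\\\").replace('"', '\\"')
    out = ["digraph registry {", "  node [shape=box];"]
    for off, k in keys.items():
        label = esc(k["name"]) + "".join(f"\\n{esc(n)} = {esc(str(d))}" for n, _, d in k["values"])
        out.append(f'  n{off:x} [label="{label}"];')
        if k["parent"] in keys:
            out.append(f'  n{k["parent"]:x} -> n{off:x};')
    out.append("}")
    return "\n".join(out)

def demo() -> dict:
    """Constructed 'memory image': a junk page with a decoy 'hbin' string, the
    sample bin on the next page boundary, then unrelated bytes."""
    mem = b"junk hbin junk".ljust(0x1000, b"\0") + build_sample_bin() + b"\xff" * 0x800
    return rebuild_tree(parse_cells(mem))

if __name__ == "__main__":
    print(to_dot(demo()))                      # pipe into: dot -Tpng -o registry.png
```

Run it and feed the output to `dot -Tpng` to get the kind of tree figure the paper produces with Graphviz. Two checks matter on real dumps: the page-alignment and size test in `carve_bins` rejects the many "hbin" byte sequences that occur inside unrelated data, and the cell walk stops at the first malformed size instead of reading garbage, so a partially overwritten page yields only the cells before the damage.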
Source
Journal of Shandong University (Natural Science) (山东大学学报(理学版)), 2016, No. 9, pp. 127-136 (10 pages)
Indexed in: CAS; CSCD; Peking University Core Journals (北大核心)
Funding
National Natural Science Foundation of China project (60903220)
Zhengzhou Science and Technology Key Project (10PTGG3415)
Keywords
registry forensics
physical memory
reverse analysis
visualization
virus detection