System and Method for Forensic Identification of Elements Within a Computer System
Abstract
A system and method for employing memory forensic techniques to determine operating system type, memory management configuration, and virtual machine status on a running computer system. The system packages these advanced techniques so that they are usable by and accessible to Information Technology professionals who are not necessarily versed in the specifics of memory forensic methodology and theory.
19 Claims
1. A method of forensically analyzing data comprising: accessing a plurality of values representing data contained within a memory of a computer system; searching the plurality of values for a first identifying characteristic that indicates an operating system; upon finding the first identifying characteristic, searching for a second characteristic that indicates an operating system; analyzing the distance within the memory of the computer system between the first identifying characteristic and the second identifying characteristic; and determining, from the distance, a type and a version of an operating system loaded into the computer system's memory. (Dependent claims 2, 3, 4, 5 not reproduced here.)

6. The method of claim 6 wherein the known process is the ‘System’ process.

7. The method of claim 7 wherein the value that indicates the start of the ‘System’ process is ‘System0000000000’.

8. A method of forensically analyzing data comprising: accessing a plurality of values representing data contained within a memory of a computer system; searching the plurality of values for one or more identifying characteristics that indicate a system structure used for memory management; determining the addresses in the memory corresponding to the values of the one or more identifying characteristics; and analyzing the structure of addresses to identify one or more methods for memory management in use within the computer system. (Dependent claims 9, 10, 11, 12, 13, 14 not reproduced here.)

15. A method of analyzing data comprising: accessing a plurality of values representing data contained within a memory of a computer system; searching the plurality of values for one or more identifying characteristics that indicate a virtual system; and analyzing at least one process corresponding to the one or more identifying characteristics to determine if the process is running on at least one of computer hardware and a virtual environment. (Dependent claims 16, 17, 18, 19 not reproduced here.)
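As an added illustration of the distance-based identification in claims 1, 6 and 7 (example code written for this page, not the patent's or the applicant's own implementation), the following Python scanner reads claim 7's ‘System0000000000’ as the string "System" padded with ten NUL bytes, which is an assumption; the second marker and the distance-to-version table are constructed placeholders, not measurements from any real Windows build.

```python
# First identifying characteristic (claim 7): the 'System' process name as a fixed
# 16-byte field, "System" followed by ten NUL bytes. The claim does not state the
# encoding of its zeros, so treating them as NUL bytes is an assumption.
FIRST_MARKER = b"System" + b"\x00" * 10

# Second identifying characteristic: hypothetical marker, not named on the page.
SECOND_MARKER = b"OSVER\x00"

# Constructed fingerprint table: byte distance between the two markers -> (type, version).
# Illustrative placeholder values only.
DISTANCE_FINGERPRINTS = {
    0x140: ("Windows", "XP SP3 (constructed)"),
    0x1C0: ("Windows", "7 SP1 (constructed)"),
}


def find_all(image: bytes, marker: bytes):
    """Yield every offset at which marker occurs in the image (overlaps included)."""
    start = 0
    while (off := image.find(marker, start)) >= 0:
        yield off
        start = off + 1


def fingerprint_os(image, first=FIRST_MARKER, second=SECOND_MARKER, table=DISTANCE_FINGERPRINTS):
    """Claim 1 as a procedure: for each candidate first marker, locate the next second
    marker, measure the distance, and map it to (type, version). Every candidate is
    tried, so a stray 'System' string (a decoy) with no matching partner is skipped.
    Returns (type, version, distance) or None when no fingerprint matches."""
    for first_off in find_all(image, first):
        second_off = image.find(second, first_off + len(first))
        if second_off < 0:
            continue  # no second characteristic after this candidate
        distance = second_off - first_off
        if distance in table:
            os_type, os_version = table[distance]
            return os_type, os_version, distance
    return None


def build_sample_image() -> bytes:
    """Constructed memory image: a decoy 'System' field at 0x100 with no partner at a
    known distance, then a genuine pair at 0x800 laid out at the 'Windows 7' distance."""
    page = bytearray(0x1000)
    page[0x100:0x100 + len(FIRST_MARKER)] = FIRST_MARKER
    page[0x800:0x800 + len(FIRST_MARKER)] = FIRST_MARKER
    page[0x800 + 0x1C0:0x800 + 0x1C0 + len(SECOND_MARKER)] = SECOND_MARKER
    return bytes(page)
```

Running `fingerprint_os(build_sample_image())` skips the decoy at 0x100 (its distance to the only second marker, 0x8C0, is not in the table) and reports the pair at 0x800 as the constructed "Windows 7 SP1" entry.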