System and Method for Forensic Identification of Elements Within a Computer System

US 20100030996A1
Filed: 08/01/2008
Published: 02/04/2010
Est. Priority Date: 08/01/2008
Status: Active Grant

First Claim

Patent Images

1. A method of forensically analyzing data comprising:

accessing a plurality of values representing data contained within a memory of a computer system;

searching the plurality of values for a first identifying characteristic that indicates an operating system;

upon finding the first identifying characteristic, searching for a second characteristic that indicates an operating system;

analyzing the distance within the memory of the computer system between the first identifying characteristic and the second identifying characteristic; and

determining, from the distance, a type and a version of an operating system loaded into the computer system'"'"'s memory.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for employing memory forensic techniques to determine operating system type, memory management configuration, and virtual machine status on a running computer system. The techniques apply advanced techniques in a fashion to make them usable and accessible by Information Technology professionals that may not necessarily be versed in the specifics of memory forensic methodologies and theory.

Citations

19 Claims

1. A method of forensically analyzing data comprising:
- accessing a plurality of values representing data contained within a memory of a computer system;
  
  searching the plurality of values for a first identifying characteristic that indicates an operating system;
  
  upon finding the first identifying characteristic, searching for a second characteristic that indicates an operating system;
  
  analyzing the distance within the memory of the computer system between the first identifying characteristic and the second identifying characteristic; and
  
  determining, from the distance, a type and a version of an operating system loaded into the computer system'"'"'s memory.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein accessing a plurality of values further comprises retrieving data directly from one or more memory components contained within the computer system.
  - 3. The method of claim 1 wherein accessing a plurality of values further comprises reading an input stream from a persistent storage device.
  - 4. The method of claim 3 wherein reading an input stream further comprises reading a file from a hard drive of a computer system.
  - 5. The method of claim 1 wherein the first identifying characteristic comprises a value that indicates a start of a known process.

6. The method of claim 6 wherein the known process is the ‘
- System’
  
  process.

7. The method of claim 7 wherein the value that indicates the start of the ‘
- System’
  
  process is ‘
  
  System0000000000’
  
  .

8. A method of forensically analyzing data comprising:
- accessing a plurality of values representing data contained within a memory of a computer system;
  
  searching the plurality of values for one or more identifying characteristics that indicate a system structure used for memory management;
  
  determining the addresses in the memory corresponding to the values of the one or more identifying characteristics; and
  
  analyzing the structure of addresses to identify one or more methods for memory management in use within the computer system.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 wherein accessing a plurality of values further comprises retrieving data directly from one or more memory components contained within the computer system.
  - 10. The method of claim 8 wherein accessing a plurality of values further comprises reading an input stream from a persistent storage device.
  - 11. The method of claim 10 wherein reading an input stream further comprises reading a file from a hard drive of a computer system.
  - 12. The method of claim 8 wherein an identifying characteristic is at least one of a page directory, a page directory pointer, a page directory entry, a page table, a page entry, and an offset.
  - 13. The method of claim 12 further comprising:
    - identifying a page directory within the memory;
      
      examining a page directory value contained within the page directory; and
      
      determining whether a known addressing scheme is in use within the memory based on whether the page directory value exceeds a limit.
  - 14. The method of claim 13 wherein the known addressing scheme is physical address extension and the limit is a value equal to a maximum page size.

15. A method of analyzing data comprising:
- accessing a plurality of values representing data contained within a memory of a computer system;
  
  searching the plurality of values for one or more identifying characteristics that indicate a virtual system; and
  
  analyzing at least one process corresponding to the one or more identifying characteristics to determine if the process is running on at least one of computer hardware and a virtual environment.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15 wherein accessing a plurality of values further comprises retrieving data directly from one or more memory components contained within the computer system.
  - 17. The method of claim 15 wherein accessing a plurality of values further comprises reading an input stream from a persistent storage device.
  - 18. The method of claim 17 wherein reading an input stream further comprises reading a file from a hard drive of a computer system.
  - 19. The method of claim 15 wherein the one or more identifying characteristics comprises structures used for memory management.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
Mandiant, Inc. (Alphabet Inc.)
Inventors
Butler, James Robert II

Granted Patent

US 8,881,271 B2
Time in Patent Office

Days
Field of Search
US Class Current

711/200
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

System and Method for Forensic Identification of Elements Within a Computer System

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Forensic Identification of Elements Within a Computer System

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links