Physical Memory Forensics System and Method
First Claim
1. A method to determine whether a computer system has been compromised, the method comprising the steps of:
traversing a virtual address descriptor to acquire complete process data; and
reconstructing mapped binary data based on the acquired complete process data.
Abstract
The method of the present inventive concept utilizes operating system data structures related to memory-mapped binaries to reconstruct processes. These structures allow the acquisition of data that traditional memory analysis tools fail to identify. The system is configured to traverse a virtual address descriptor, determine a pointer to a control area, traverse a PPTE array, copy the binary data identified in the PPTE array, generate markers to determine whether the binary data is compromised, and utilize the binary data to reconstruct a process.
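The pipeline the abstract describes (walk the VAD tree, follow each descriptor to its control area, follow the control area's PPTE array to physical pages, copy the pages out, then compare markers against a known-good reference) can be modeled end to end. The following is an added example, not code from the patent or any forensic tool; the Windows structures are stand-ins built as dataclasses, the "physical memory" is a constructed dictionary of frame number to page bytes, and the marker is a per-page SHA-256, which is an assumption of this example. Comparing per page, rather than over the whole image, matters because a page that was paged out when the image was captured cannot be verified and must be reported as unverifiable rather than as either clean or modified.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

PAGE_SIZE = 0x1000


def make_page(tag: bytes) -> bytes:
    """Build one constructed 4 KiB page whose content is derived from a short tag."""
    return (tag * (PAGE_SIZE // len(tag) + 1))[:PAGE_SIZE]


@dataclass
class ControlArea:
    """Stand-in for the control area of a memory-mapped image: a file name and a
    prototype PTE (PPTE) array giving, per page of the file, the physical frame
    number holding it, or None if the page is not resident in the capture."""
    file_name: str
    ppte: List[Optional[int]]


@dataclass
class VadNode:
    """Stand-in for one virtual address descriptor in a process's VAD tree."""
    start_vpn: int
    end_vpn: int
    control_area: Optional[ControlArea] = None  # None for private (unmapped) memory
    left: Optional["VadNode"] = None
    right: Optional["VadNode"] = None


def traverse_vad(node: Optional[VadNode]):
    """In-order walk of the VAD tree, yielding every descriptor."""
    if node is None:
        return
    yield from traverse_vad(node.left)
    yield node
    yield from traverse_vad(node.right)


def reconstruct_mapped_binary(ca: ControlArea, phys: Dict[int, bytes]):
    """Follow the PPTE array and copy each resident page out of physical memory.
    Non-resident pages are zero-filled and their indices reported separately."""
    image = bytearray()
    missing = []
    for idx, frame in enumerate(ca.ppte):
        page = phys.get(frame) if frame is not None else None
        if page is None:
            image += b"\x00" * PAGE_SIZE
            missing.append(idx)
        else:
            image += page
    return bytes(image), missing


def page_markers(image: bytes) -> List[str]:
    """Per-page SHA-256 markers of a reconstructed image (assumed marker scheme)."""
    return [hashlib.sha256(image[i:i + PAGE_SIZE]).hexdigest()
            for i in range(0, len(image), PAGE_SIZE)]


def check_process(vad_root: Optional[VadNode], phys: Dict[int, bytes],
                  known_good: Dict[str, List[str]]):
    """Reconstruct every image-mapped region of the process and compare its
    resident pages against known-good per-page markers. Returns
    {file_name: (status, missing_page_indices)} where status is 'clean',
    'modified' (a resident page differs) or 'unknown' (no reference)."""
    results = {}
    for vad in traverse_vad(vad_root):
        ca = vad.control_area
        if ca is None:
            continue  # private memory: nothing file-backed to reconstruct
        image, missing = reconstruct_mapped_binary(ca, phys)
        reference = known_good.get(ca.file_name)
        if reference is None:
            results[ca.file_name] = ("unknown", missing)
            continue
        found = page_markers(image)
        tampered = any(found[i] != reference[i]
                       for i in range(len(found)) if i not in missing)
        results[ca.file_name] = ("modified" if tampered else "clean", missing)
    return results


def build_sample():
    """Constructed physical memory and VAD tree (not a real capture): one clean
    DLL with a paged-out page, one DLL with a page altered in memory, one heap."""
    phys = {
        0x10: make_page(b"A.text"), 0x11: make_page(b"A.data"),  # a.dll, page 2 paged out
        0x20: make_page(b"B.text"), 0x21: make_page(b"B.hook!"),  # b.dll, page 1 altered
        0x22: make_page(b"B.rsrc"),
        0x30: make_page(b"heap"),
    }
    a = ControlArea("a.dll", [0x10, 0x11, None])
    b = ControlArea("b.dll", [0x20, 0x21, 0x22])
    root = VadNode(0x400, 0x402, a,
                   left=VadNode(0x100, 0x100, None),
                   right=VadNode(0x7f0, 0x7f2, b))
    # Reference markers as they would be computed from the pristine on-disk files
    known_good = {
        "a.dll": page_markers(make_page(b"A.text") + make_page(b"A.data") + make_page(b"A.rsrc")),
        "b.dll": page_markers(make_page(b"B.text") + make_page(b"B.data") + make_page(b"B.rsrc")),
    }
    return root, phys, known_good


if __name__ == "__main__":
    root, phys, known_good = build_sample()
    for name, (status, missing) in check_process(root, phys, known_good).items():
        print(f"{name}: {status}, non-resident pages: {missing}")
```

On the constructed sample, a.dll is reported clean with page 2 flagged as non-resident, b.dll is reported modified because its resident page 1 no longer matches the reference, and the private heap region is skipped because it has no control area to follow.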
22 Claims
1. A method to determine whether a computer system has been compromised, the method comprising the steps of:
traversing a virtual address descriptor to acquire complete process data; and
reconstructing mapped binary data based on the acquired complete process data.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A method of reconstructing a process, the method comprising the steps of:
traversing a virtual address descriptor to acquire complete process data; and
reconstructing mapped binary data based on the acquired complete process data.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
Specification