Physical Memory Forensics System and Method

US 20140032875A1
Filed: 07/27/2012
Published: 01/30/2014
Est. Priority Date: 07/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method to determine whether a computer system has been compromised, the method comprising the steps of:

traversing a virtual address descriptor to acquire complete process data; and

reconstructing mapped binary data based on the acquired complete process data.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The method of the present inventive concept is configured to utilize Operating System data structures related to memory-mapped binaries to reconstruct processes. These structures provide a system configured to facilitate the acquisition of data that traditional memory analysis tools fail to identify, including by providing a system configured to traverse a virtual address descriptor, determine a pointer to a control area, traverse a PPTE array, copy binary data identified in the PPTE array, generate markers to determine whether the binary data is compromised, and utilize the binary data to reconstruct a process.

Citations

22 Claims

1. A method to determine whether a computer system has been compromised, the method comprising the steps of:
- traversing a virtual address descriptor to acquire complete process data; and
  
  reconstructing mapped binary data based on the acquired complete process data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the traversing the virtual address descriptor includes (i) traversing at least one descendant lineage to a terminal node using at least one pointer and at least one node, and (ii) retrieving data associated with the at least one node.
  - 3. The method of claim 2, wherein the pointer is a SECTION_OBJECT_POINTER structure having (i) a first pointer named ImageSectionObject, (ii) a second pointer named DataSectionObject, and (iii) a third pointer named SharedCacheMap.
  - 4. The method of claim 1, further comprising:
    - generating at least one marker based on the binary data.
  - 5. The method of claim 4, wherein the marker is a set of hashes.
  - 6. The method of claim 4, further comprising:
    - comparing the at least one marker to another marker to determine whether a compromise exists within the system.
  - 7. The method of claim 6, wherein the another marker is based on binary data of known uncompromised data.
  - 8. The method of claim 7, wherein the another marker is a set of hashes.
  - 9. The method of claim 6, further comprising:
    - determining whether the binary data is compromised based on the comparison.
  - 10. The method of claim 1, further comprising:
    - executing a hashing process to produce a plurality of hash values based on the binary data;
      
      comparing the plurality of hash values with a set of control values and producing a result; and
      
      determining whether the binary data is compromised based on the result.
  - 11. The method of claim 1, wherein the step of traversing the virtual address descriptor is executed when a virtual address causes a page fault.

12. A method of reconstructing a process, the method comprising the steps of:
- traversing a virtual address descriptor to acquire complete process data; and
  
  reconstructing mapped binary data based on the acquired complete process data.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein the traversing the virtual address descriptor includes (i) traversing at least one descendant lineage to a terminal node using at least one pointer and at least one node, and (ii) retrieving data associated with the at least one node.
  - 14. The method of claim 13, wherein the pointer is a SECTION_OBJECT_POINTER structure having (i) a first pointer named ImageSectionObject, (ii) a second pointer named DataSectionObject, and (iii) a third pointer named SharedCacheMap.
  - 15. The method of claim 12, further comprising:
    - generating at least one marker based on the binary data.
  - 16. The method of claim 15, wherein the marker is a set of hashes.
  - 17. The method of claim 15, further comprising:
    - comparing the at least one marker to another marker to determine whether a compromise exists within the system.
  - 18. The method of claim 17, wherein the another marker is based on binary data of known uncompromised data.
  - 19. The method of claim 18, wherein the another marker is a set of hashes.
  - 20. The method of claim 17, further comprising:
    - determining whether the binary data is compromised based on the comparison.
  - 21. The method of claim 12, further comprising:
    - executing a hashing process to produce a plurality of hash values based on the binary data;
      
      comparing the plurality of hash values with a set of control values and producing a result; and
      
      determining whether the binary data is compromised based on the result.
  - 22. The method of claim 13, wherein the step of traversing the virtual address descriptor is executed when a virtual address causes a page fault.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Butler, James

Granted Patent

US 9,268,936 B2
Time in Patent Office

Days
Field of Search
US Class Current

711/208
CPC Class Codes

G06F 12/10   Address translation

G06F 21/554   involving event detection a...

G06F 21/64   Protecting data integrity, ...

Physical Memory Forensics System and Method

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Physical Memory Forensics System and Method

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links