System and method for forensic identification of elements within a computer system

US 8,881,271 B2
Filed: 08/01/2008
Issued: 11/04/2014
Est. Priority Date: 08/01/2008
Status: Active Grant

First Claim

Patent Images

1. A method of forensically analyzing data comprising:

accessing a plurality of values representing data contained within a memory of a computer system;

searching the plurality of values for a first identifying characteristic that indicates an operating system;

upon finding the first identifying characteristic, searching for a second identifying characteristic that indicates an operating system;

measuring a distance within the memory of the computer system between (i) the first identifying characteristic and (ii) the second identifying characteristic; and

determining, from the distance between (i) the first identifying characteristic and (ii) the second identifying characteristic, a type and a version of an operating system loaded into the computer system'"'"'s memory.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for employing memory forensic techniques to determine operating system type, memory management configuration, and virtual machine status on a running computer system. The techniques apply advanced techniques in a fashion to make them usable and accessible by Information Technology professionals that may not necessarily be versed in the specifics of memory forensic methodologies and theory.

Citations

21 Claims

1. A method of forensically analyzing data comprising:
- accessing a plurality of values representing data contained within a memory of a computer system;
  
  searching the plurality of values for a first identifying characteristic that indicates an operating system;
  
  upon finding the first identifying characteristic, searching for a second identifying characteristic that indicates an operating system;
  
  measuring a distance within the memory of the computer system between (i) the first identifying characteristic and (ii) the second identifying characteristic; and
  
  determining, from the distance between (i) the first identifying characteristic and (ii) the second identifying characteristic, a type and a version of an operating system loaded into the computer system'"'"'s memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein accessing a plurality of values further comprises retrieving data directly from one or more memory components contained within the computer system.
  - 3. The method of claim 1 wherein accessing a plurality of values further comprises reading an input stream from a persistent storage device.
  - 4. The method of claim 3 wherein reading an input stream further comprises reading a file from a hard drive of a computer system.
  - 5. The method of claim 1 wherein the first identifying characteristic comprises a value that indicates a start of a known process.
  - 6. The method of claim 5 wherein the known process is the ‘
    - System’
      
      process.
  - 7. The method of claim 6 wherein the value that indicates the start of the ‘
    - System”
      
      process is ‘
      
      System0000000000’
      
      .
  - 8. The method of claim 1, wherein the distance between the first identifying characteristic and the second identifying characteristic is measured in bytes.
  - 9. The method of claim 1, wherein the operating system is running on the computer system.

10. A method of forensically analyzing data comprising:
- accessing a plurality of values representing data contained within a memory of a computer system;
  
  searching the plurality of values for one or more identifying characteristics that indicate (i) an operating system running on the computer system, and (ii) a system structure used for memory management of the operating system running on the computer system;
  
  determining addresses in the memory corresponding to the plurality of values of the one or more identifying characteristics; and
  
  analyzing the system structure of the addresses to identify one or more methods for memory management in use within the computer system.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10 wherein accessing a plurality of values further comprises retrieving data directly from one or more memory components contained within the computer system.
  - 12. The method of claim 10 wherein accessing a plurality of values further comprises reading an input stream from a persistent storage device.
  - 13. The method of claim 12 wherein reading an input stream further comprises reading a file from a hard drive of a computer system.
  - 14. The method of claim 10 wherein the one or more identifying characteristics is at least one of a page directory, a page directory pointer, a page directory entry, a page table, a page entry, and an offset.
  - 15. The method of claim 14 further comprising:
    - identifying a page directory within the memory;
      
      examining a page directory value contained within the page directory; and
      
      determining whether a known addressing scheme is in use within the memory based on whether the page directory value exceeds a limit.
  - 16. The method of claim 15 wherein the known addressing scheme is a physical address extension and the limit is a value equal to a maximum page size.

17. A method of analyzing data comprising:
- accessing a plurality of values representing data contained within a memory of a computer system;
  
  searching the plurality of values for one or more identifying characteristics that indicate a virtual system; and
  
  analyzing at least one process corresponding to the one or more identifying characteristics to determine if the process is running on at least one of computer hardware and a virtual environment.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method of claim 17 wherein accessing a plurality of values further comprises retrieving data directly from one or more memory components contained within the computer system.
  - 19. The method of claim 17 wherein accessing a plurality of values further comprises reading an input stream from a persistent storage device.
  - 20. The method of claim 19 wherein reading an input stream further comprises reading a file from a hard drive of a computer system.
  - 21. The method of claim 17 wherein the one or more identifying characteristics comprises structures used for memory management.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
Mandiant LLC (Alphabet Inc.)
Inventors
Butler, James Robert II
Primary Examiner(s)
MOORTHY, ARAVIND K

Application Number

US12/184,898
Publication Number

US 20100030996A1
Time in Patent Office

2,286 Days
Field of Search

726/22, 726/25, 713/165, 713/168, 713/187, 717/126, 717/131
US Class Current

726/22
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

System and method for forensic identification of elements within a computer system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for forensic identification of elements within a computer system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links