System and method for forensic identification of elements within a computer system
First Claim
1. A method of forensically analyzing data comprising:
accessing a plurality of values representing data contained within a memory of a computer system;
searching the plurality of values for a first identifying characteristic that indicates an operating system;
upon finding the first identifying characteristic, searching for a second identifying characteristic that indicates an operating system;
measuring a distance within the memory of the computer system between (i) the first identifying characteristic and (ii) the second identifying characteristic; and
determining, from the distance between (i) the first identifying characteristic and (ii) the second identifying characteristic, a type and a version of an operating system loaded into the computer system's memory.
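The distance-based fingerprinting of claim 1, as an added example that is not part of the patent: a scanner that locates the first marker in a raw memory image, finds the second marker after it, measures the byte offset between them, and maps that offset to an operating system type and version from a profile table. The marker byte strings, the profile table and the sample images are constructed placeholders, not real operating system signatures.

```python
# Added example of the claim 1 technique. Signatures, distances and the
# sample images below are constructed for illustration only.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class OsProfile:
    name: str          # operating system type
    version: str       # operating system version
    first_sig: bytes   # first identifying characteristic
    second_sig: bytes  # second identifying characteristic
    distance: int      # expected offset between the two markers, in bytes


# Constructed profile table: two builds of the same OS share the same markers
# and are told apart only by the distance separating them in memory.
PROFILES: List[OsProfile] = [
    OsProfile("DemoOS", "1.0", b"DEMO_KERNEL", b"DEMO_VERSION_TAG", 0x40),
    OsProfile("DemoOS", "2.0", b"DEMO_KERNEL", b"DEMO_VERSION_TAG", 0x80),
    OsProfile("OtherOS", "7", b"OTHR_CORE", b"OTHR_BUILD", 0x20),
]


def identify_os(image: bytes, profiles: List[OsProfile] = PROFILES,
                tolerance: int = 0) -> Optional[Tuple[str, str]]:
    """Return (type, version) for the profile whose marker distance matches
    the image, or None when no profile explains the observed layout."""
    for prof in profiles:
        start = 0
        while True:
            first = image.find(prof.first_sig, start)        # first marker
            if first == -1:
                break
            # second marker is searched only after the first one was found
            second = image.find(prof.second_sig, first + len(prof.first_sig))
            if second == -1:
                break
            distance = second - first                        # measured offset
            if abs(distance - prof.distance) <= tolerance:   # offset selects version
                return prof.name, prof.version
            start = first + 1  # try the next occurrence of the first marker


def build_image(first_sig: bytes, second_sig: bytes, gap: int,
                size: int = 0x200) -> bytes:
    """Constructed sample memory image with the two markers `gap` bytes apart."""
    buf = bytearray(size)
    base = 0x10
    buf[base:base + len(first_sig)] = first_sig
    buf[base + gap:base + gap + len(second_sig)] = second_sig
    return bytes(buf)
```

A real profile table would be built from known-good images of each supported build, and the tolerance parameter absorbs small layout variation between builds that the table does not list separately.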
Abstract
A system and method for employing memory forensic techniques to determine operating system type, memory management configuration, and virtual machine status on a running computer system. The method packages advanced memory forensic techniques so that they are usable by Information Technology professionals who are not necessarily versed in the specifics of memory forensic methodology and theory.
21 Claims
1. A method of forensically analyzing data comprising: (as set out above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method of forensically analyzing data comprising:
accessing a plurality of values representing data contained within a memory of a computer system;
searching the plurality of values for one or more identifying characteristics that indicate (i) an operating system running on the computer system, and (ii) a system structure used for memory management of the operating system running on the computer system;
determining addresses in the memory corresponding to the plurality of values of the one or more identifying characteristics; and
analyzing the system structure of the addresses to identify one or more methods for memory management in use within the computer system.
Dependent claims: 11, 12, 13, 14, 15, 16.
17. A method of analyzing data comprising:
accessing a plurality of values representing data contained within a memory of a computer system;
searching the plurality of values for one or more identifying characteristics that indicate a virtual system; and
analyzing at least one process corresponding to the one or more identifying characteristics to determine if the process is running on at least one of computer hardware and a virtual environment.
Dependent claims: 18, 19, 20, 21.