Physical memory forensics system and method
Abstract
The method of the present inventive concept utilizes operating-system data structures related to memory-mapped binaries to reconstruct processes. These structures let the system acquire data that traditional memory analysis tools fail to identify: the system traverses a virtual address descriptor, determines a pointer to a control area, traverses a PPTE array, copies the binary data identified in the PPTE array, generates markers to determine whether the binary data is compromised, and uses the binary data to reconstruct a process.

18 Claims
1. A method to determine whether a computer system has been compromised, the method comprising the steps of:
- traversing a virtual address descriptor to acquire process data;
- reconstructing mapped data based on the acquired process data;
- storing the mapped data via a memory of a system; and
- traversing a virtual address control block to recover a file from a memory cache if (i) a page table entry is invalid, and (ii) a valid data length related to the file is not determined to be greater than a size of the file,
wherein the mapped data is obtained when a virtual address causes a page fault, and the page fault triggers the system to execute a process to automatically acquire the mapped data.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method of reconstructing a process using a computer system, the method comprising the steps of:
- traversing a virtual address descriptor to acquire process data;
- reconstructing mapped data based on the acquired process data;
- storing the mapped data via a memory of the computer system; and
- traversing a virtual address control block to recover a file from a memory cache if (i) a page table entry is invalid, and (ii) a valid data length related to the file is not determined to be greater than a size of the file,
wherein the mapped data is obtained when a virtual address causes a page fault, and the page fault triggers the computer system to execute a process to automatically acquire the mapped data.
Dependent claims: 12, 13, 14, 15, 16, 17, 18.
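As an added illustration, not code from the patent or any product, the following Python models the walk described in the abstract (virtual address descriptor to control area to PPTE array) and the recovery rule of claims 1 and 11 over constructed, simplified structures. The dataclasses, the PHYSICAL_FRAMES and FILE_CACHE dictionaries, the page size and the SHA-256 marker are assumptions standing in for the real Windows layouts, which vary by version; "PPTE" is read here as a prototype page table entry.

```python
import hashlib
from dataclasses import dataclass

PAGE = 0x1000
@dataclass
class Pte:                     # one (prototype) PTE for a page of the mapping
    valid: bool
    frame: int = -1            # index into PHYSICAL_FRAMES when valid

@dataclass
class ControlArea:             # what a VAD's subsection points at (simplified)
    file_name: str
    file_size: int
    valid_data_length: int
    ppte_array: "list[Pte]"

@dataclass
class Vad:                     # node of the virtual address descriptor tree
    control_area: "ControlArea | None"   # None for private (non-file) memory
# Constructed sample memory: resident page frames, plus a file cache keyed by
# (file name, page index) standing in for VACB-backed cache pages.
PHYSICAL_FRAMES = {0: b"MZ" + b"\x90" * (PAGE - 2)}
FILE_CACHE = {("agent.exe", 1): b"\xcc" * PAGE, ("agent.exe", 2): b"\x00" * 512}

def recover_mapped_file(ca):
    # Rebuild the mapped image page by page and record each page's source.
    out, sources = bytearray(), []
    cache_ok = not (ca.valid_data_length > ca.file_size)        # condition (ii)
    for idx, pte in enumerate(ca.ppte_array):
        if pte.valid:                                           # resident: copy the frame
            out += PHYSICAL_FRAMES[pte.frame]
            sources.append("frame")
        elif cache_ok and (ca.file_name, idx) in FILE_CACHE:    # conditions (i) and (ii)
            out += FILE_CACHE[(ca.file_name, idx)].ljust(PAGE, b"\0")
            sources.append("cache")
        else:                                                   # not recoverable
            out += b"\0" * PAGE
            sources.append("missing")
    return bytes(out[: ca.file_size]), sources

def audit(vads, known_good):
    # Walk file-backed VADs, rebuild each image, compare a SHA-256 marker to a baseline.
    result = {}
    for vad in vads:
        if vad.control_area is not None:
            data, _ = recover_mapped_file(vad.control_area)
            name = vad.control_area.file_name
            result[name] = hashlib.sha256(data).hexdigest() == known_good.get(name)
    return result
```

A False entry from audit means the image rebuilt from memory no longer matches its known-good marker, which is the signal the claims use to flag a possibly compromised binary.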