Physical memory forensics system and method

US 9,268,936 B2
Filed: 07/27/2012
Issued: 02/23/2016
Est. Priority Date: 07/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method to determine whether a computer system has been compromised, the method comprising the steps of:

traversing a virtual address descriptor to acquire process data;

reconstructing mapped data based on the acquired process data;

storing the mapped data via a memory of a system, andtraversing a virtual address control block to recover a file from a memory cache if (i) a page table entry is invalid, and (ii) a valid data length related to the file is not determined to be greater than a size of the file,wherein,the mapped data is obtained when a virtual address causes a page fault, andthe page fault triggers the system to execute a process to automatically acquire the mapped data.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The method of the present inventive concept is configured to utilize Operating System data structures related to memory-mapped binaries to reconstruct processes. These structures provide a system configured to facilitate the acquisition of data that traditional memory analysis tools fail to identify, including by providing a system configured to traverse a virtual address descriptor, determine a pointer to a control area, traverse a PPTE array, copy binary data identified in the PPTE array, generate markers to determine whether the binary data is compromised, and utilize the binary data to reconstruct a process.

Citations

18 Claims

1. A method to determine whether a computer system has been compromised, the method comprising the steps of:
- traversing a virtual address descriptor to acquire process data;
  
  reconstructing mapped data based on the acquired process data;
  
  storing the mapped data via a memory of a system, andtraversing a virtual address control block to recover a file from a memory cache if (i) a page table entry is invalid, and (ii) a valid data length related to the file is not determined to be greater than a size of the file,wherein,the mapped data is obtained when a virtual address causes a page fault, andthe page fault triggers the system to execute a process to automatically acquire the mapped data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the traversing the virtual address descriptor includes (i) traversing at least one descendant lineage to a terminal node using at least one pointer and at least one node, and (ii) retrieving data associated with the at least one node.
  - 3. The method of claim 2, wherein the pointer is a SECTION_OBJECT_POINTER structure having (i) a first pointer named ImageSectionObject, (ii) a second pointer named DataSectionObject, and (iii) a third pointer named SharedCacheMap.
  - 4. The method of claim 1, further comprising the step of:
    - generating, via a processor of the system, at least one marker based on the mapped data.
  - 5. The method of claim 4, wherein the marker is a set of hashes.
  - 6. The method of claim 4, further comprising the step of:
    - comparing, vit the processor, the at least one marker to another marker to determine whether a compromise exists within the system.
  - 7. The method of claim 6, wherein the another marker is based on binary data of known uncompromised data.
  - 8. The method of claim 7, wherein the another marker is a set of hashes.
  - 9. The method of claim 6, further comprising the step of:
    - determining whether the mapped data is compromised based on the comparison.
  - 10. The method of claim 1, further comprising the step of:
    - executing a hashing process to produce a plurality of hash values based on the mapped data;
      
      comparing the plurality of hash values with a set of control values and producing a result; and
      
      determining whether the mapped data is compromised based on the result.

11. A method of reconstructing a process using a computer system, the method comprising the steps of:
- traversing a virtual address descriptor to acquire process data;
  
  reconstructing mapped data based on the acquired process data;
  
  storing the mapped data via a memory of the computer system, andtraversing a virtual address control block to recover a file from a memory cache if (i) a page table entry is invalid, and (ii) a valid data length related to the file is not determined to be greater than a size of the file,wherein,the mapped data is obtained when a virtual address causes a page fault, andthe page fault triggers the computer system to execute a process to automatically acquire the mapped data.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein the traversing the virtual address descriptor includes (i) traversing at least one descendant lineage to a terminal node using at least one pointer and at least one node, and (ii) retrieving data associated with the at least one node.
  - 13. The method of claim 12, wherein the pointer is a SECTION_OBJECT_POINTER structure having (i) a first pointer named ImageSectionObject, (ii) a second pointer named DataSectionObject, and (iii) a third pointer named SharedCacheMap.
  - 14. The method of claim 11, further comprising the step of:
    - generating, via a processor, at least one marker based on the mapped data,wherein,the marker is a set of hashes.
  - 15. The method of claim 14, further comprising the step of:
    - comparing, via the processor, the at least one marker to another marker to determine whether a compromise exists,wherein the another marker is based on binary data of known uncompromised data.
  - 16. The method of claim 15, wherein the another marker is a set of hashes.
  - 17. The method of claim 15, further comprising the step of:
    - determining whether the mapped data is compromised based on the comparison.
  - 18. The method of claim 11, further comprising the step of:
    - executing a hashing process to produce a plurality of hash values based on the mapped data;
      
      comparing the plurality of hash values with a set of control values and producing a result; and
      
      determining whether the mapped data is compromised based on the result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
Mandiant LLC (Alphabet Inc.)
Inventors
Butler, James
Primary Examiner(s)
Farrokh, Hashem

Application Number

US13/560,415
Publication Number

US 20140032875A1
Time in Patent Office

1,306 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 12/10   Address translation

G06F 21/554   involving event detection a...

G06F 21/64   Protecting data integrity, ...

Physical memory forensics system and method

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Physical memory forensics system and method

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links