
Physical memory forensics system and method

  • US 9,268,936 B2
  • Filed: 07/27/2012
  • Issued: 02/23/2016
  • Est. Priority Date: 07/27/2012
  • Status: Active Grant
First Claim

1. A method to determine whether a computer system has been compromised, the method comprising the steps of:

  • traversing a virtual address descriptor to acquire process data;

  • reconstructing mapped data based on the acquired process data;

  • storing the mapped data via a memory of a system, and

  • traversing a virtual address control block to recover a file from a memory cache if (i) a page table entry is invalid, and (ii) a valid data length related to the file is not determined to be greater than a size of the file,

    wherein, the mapped data is obtained when a virtual address causes a page fault, and the page fault triggers the system to execute a process to automatically acquire the mapped data.

  • 10 Assignments