
Journal of Shandong University (Natural Science), 2016, Vol. 51, Issue 9: 127-136. doi: 10.6040/j.issn.1671-9352.2.2015.140


A forensic analysis algorithm of registry reverse reconstruction based on physical memory

GAO Yuan-zhao1,2, LI Bing-long1,2*, WU Xi-xi1,2

  1. College Four of the PLA Information Engineering University, Zhengzhou 450001, Henan, China;
  2. State Key Laboratory of Digital Engineering and Advanced Computing, Zhengzhou 450001, Henan, China
  • Received: 2015-09-21  Online: 2016-09-20  Published: 2016-09-23
  • Corresponding author: LI Bing-long (born 1974), male, associate professor; research interests: digital forensics, disaster-tolerance theory and technology for information systems. E-mail: lblc2006@163.com
  • First author: GAO Yuan-zhao (born 1992), male, master's student; research interest: digital forensics. E-mail: 1797272395@qq.com
  • Funding: National Natural Science Foundation of China (60903220); Zhengzhou Key Science and Technology Program (10PTGG3415)

Abstract: Reconstructing and analysing the registry is one of the most important and most difficult problems in Windows physical memory forensics. By analysing the logical structure of registry files on disk, and the data-structure features of the registry in physical memory with the Windows debugging tools, we establish a definite method for locating registry structures in a physical memory image. By analysing the tree relationship between registry keys, we then design a registry reconstruction algorithm and implement a dendrogram visualization algorithm for the reconstructed registry with Graphviz. Experimental results show that the algorithm reconstructs the key names and key values held in physical memory, that the recovered data is sufficient to detect a virus on the system, and that the Graphviz visualization effectively displays the process and result of the infection.

Key words: registry forensics, visualization, physical memory, reverse analysis, virus detection
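The following is an added example, not code from the paper. It carries the steps the abstract describes out on a constructed hive instead of a real memory image: a small builder assembles a format-correct 'regf' hive (base block, one hbin, 'nk' key cells, 'vk' value cells and an 'lf' subkey list) and embeds it between padding pages; the parser then locates the hive by its page-aligned 'regf' signature, follows the root cell offset, rebuilds the key tree from the subkey-list relations, lists the values under the CurrentVersion\Run key as a persistence check, and emits the tree as a Graphviz DOT dendrogram. Assumptions of the example: hive pages are contiguous in the image (true for the constructed input and for a hive file on disk; in a real memory dump the pages are scattered, which is why the paper locates hives through the registry's in-memory data structures rather than by signature scanning), only REG_SZ values and lf/lh subkey lists are generated and handled, and the key names, the hive path and the 'svch0st.exe' entry are invented sample data.

```python
import struct

PAGE, NONE, REG_SZ = 0x1000, 0xFFFFFFFF, 1   # page size; the hive format's "no cell" marker; REG_SZ type id
NK_HDR, VK_HDR = 0x4C, 0x14                  # fixed headers of 'nk' (key) and 'vk' (value) cells

class HiveBuilder:
    """Constructed sample input: a minimal, format-correct 'regf' hive holding a single hbin."""
    def __init__(self):
        self.bin = bytearray(b"hbin" + bytes(28))                  # 32-byte hbin header
    def alloc(self, payload):                                      # append one 8-byte-aligned cell
        off, size = len(self.bin), (4 + len(payload) + 7) & ~7
        self.bin += struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")   # negative size = in use
        return off                                                 # cell offset, relative to the first hbin
    def add_key(self, spec, parent=NONE):
        name = spec["name"].encode("ascii")
        off = self.alloc(bytes(NK_HDR + len(name)))    # reserve the nk cell first so children can point back
        voffs = []
        for vname, data in spec.get("values", {}).items():         # REG_SZ only: UTF-16LE in its own data cell
            vn, raw = vname.encode("ascii"), data.encode("utf-16-le") + b"\0\0"
            vk = struct.pack("<2sHIIIHH", b"vk", len(vn), len(raw), self.alloc(raw), REG_SZ, 1, 0)
            voffs.append(self.alloc(vk + vn))
        vlist = self.alloc(struct.pack("<%dI" % len(voffs), *voffs)) if voffs else NONE
        subs = [self.add_key(s, off) for s in spec.get("subkeys", [])]
        slist = self.alloc(struct.pack("<2sH", b"lf", len(subs)) +
                           b"".join(struct.pack("<I4x", s) for s in subs)) if subs else NONE
        hdr = struct.pack("<2sHQI" + "I" * 14 + "HH", b"nk", 0x20, 0, 0, parent, len(subs), 0, slist,
                          NONE, len(voffs), vlist, NONE, NONE, 0, 0, 0, 0, 0, len(name), 0)
        self.bin[off + 4:off + 4 + len(hdr) + len(name)] = hdr + name
        return off
    def finish(self, root_off, hive_name):
        self.bin += bytes(-len(self.bin) % PAGE)                   # hbin sizes are page multiples
        struct.pack_into("<I", self.bin, 8, len(self.bin))         # hbin size field
        base = bytearray(PAGE)                                     # base block: sequences, version, root, size
        struct.pack_into("<4sIIQIIIIII", base, 0, b"regf", 1, 1, 0, 1, 5, 0, 1, root_off, len(self.bin))
        base[0x30:0x70] = hive_name.encode("utf-16-le")[-64:].ljust(64, b"\0")   # 64-byte name tail
        return bytes(base + self.bin)

def read_cell(hbin, off):                                          # payload of a cell, size word stripped
    size = struct.unpack_from("<i", hbin, off)[0]
    if size >= 0:                                                  # free cell: a dangling or forged pointer
        raise ValueError("cell at 0x%x is not in use" % off)
    return hbin[off + 4:off - size]

def parse_value(hbin, voff):
    vk = read_cell(hbin, voff)
    nlen, dlen, doff, dtype = struct.unpack_from("<HIII", vk, 2)
    name = vk[VK_HDR:VK_HDR + nlen].decode("latin-1") or "(Default)"
    # Bit 31 of the data length means the data is stored inline in the offset field itself.
    raw = vk[8:8 + (dlen & 0x7FFFFFFF)] if dlen & 0x80000000 else read_cell(hbin, doff)[:dlen]
    return name, raw.decode("utf-16-le").rstrip("\0") if dtype == REG_SZ else raw.hex()

def parse_key(hbin, off):
    """Recursively rebuild the subtree rooted at the 'nk' cell at `off` (lf/lh subkey lists)."""
    nk = read_cell(hbin, off)
    if nk[:2] != b"nk":
        raise ValueError("expected nk cell at 0x%x, got %r" % (off, bytes(nk[:2])))
    nsub, _, slist, _, nval, vlist, *_, nlen = struct.unpack_from("<13IH", nk, 0x14)   # name length at 0x48
    key = {"name": nk[NK_HDR:NK_HDR + nlen].decode("latin-1"), "values": {}, "subkeys": []}
    for voff in struct.unpack_from("<%dI" % nval, read_cell(hbin, vlist)) if nval else ():
        key["values"].update([parse_value(hbin, voff)])
    for (soff,) in struct.iter_unpack("<I4x", read_cell(hbin, slist)[4:4 + 8 * nsub]) if nsub else ():
        key["subkeys"].append(parse_key(hbin, soff))               # lf/lh entry: offset + 4-byte name hash
    return key

def reconstruct(image):
    """Scan a raw image for page-aligned 'regf' base blocks and rebuild each hive's key tree."""
    for off in range(0, len(image), PAGE):
        if image[off:off + 4] == b"regf":
            name = image[off + 0x30:off + 0x70].decode("utf-16-le").split("\0", 1)[0]
            root = struct.unpack_from("<I", image, off + 0x24)[0]
            yield off, name, parse_key(image[off + PAGE:], root)   # cell offsets count from the first hbin

def walk(key, path=""):                                            # depth-first (full path, key) pairs
    path = path + "\\" + key["name"] if path else key["name"]
    yield path, key
    for child in key["subkeys"]:
        yield from walk(child, path)

def to_dot(tree):
    """Graphviz DOT digraph of the tree: one node per key, its values listed in the node label."""
    esc = lambda s: str(s).replace("\\", "\\\\").replace('"', '\\"')
    out = ["digraph registry {", "  node [shape=box];"]
    for path, key in walk(tree):
        label = esc(key["name"]) + "".join("\\n%s = %s" % (esc(k), esc(v)) for k, v in key["values"].items())
        out.append('  "%s" [label="%s"];' % (path, label))
        out += ['  "%s" -> "%s\\%s";' % (path, path, c["name"]) for c in key["subkeys"]]
    return "\n".join(out + ["}"])

def demo():
    """Constructed sample, not real evidence: a SOFTWARE-like hive with one benign and one suspicious autorun."""
    run = {"name": "Run", "values": {"SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
                                     "updater": "C:\\Users\\Public\\svch0st.exe"}}
    spec = {"name": "ROOT", "subkeys": [{"name": "Microsoft", "subkeys": [{"name": "Windows", "subkeys": [
            {"name": "CurrentVersion", "subkeys": [run, {"name": "Policies"}]}]}]}]}
    hb = HiveBuilder()
    image = bytes(3 * PAGE) + hb.finish(hb.add_key(spec), "\\System32\\Config\\SOFTWARE") + bytes(PAGE)
    base_off, name, tree = next(reconstruct(image))
    autoruns = {p: k["values"] for p, k in walk(tree) if p.lower().endswith("\\currentversion\\run")}
    return {"base_off": base_off, "hive": name, "tree": tree, "autoruns": autoruns, "dot": to_dot(tree)}
```

`demo()["dot"]` can be piped into `dot -Tpng` to render the dendrogram. The check in `read_cell` that a referenced cell is still allocated is the guard that matters when the same walk runs over a memory image: a stale subkey-list or value-list entry can point into a freed or reused cell, and following it silently produces a plausible-looking but false key.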

CLC number: TP311