Trojan Virus Forensics Based on Memory Analysis in a Windows System Environment (Cited by: 2)

Internal Memory-based Forensics against Trojan Assaulting Windows-operating Computer


Authors: 郑文庚 (ZHENG Wengeng), 李凌崴 (LI Lingwei), 廖广军 (LIAO Guangjun)[2] (Huadu Branch of Guangzhou Public Security Bureau, Guangzhou 510800, China; Department of Criminal Science and Technology, Guangdong Police College, Guangzhou 510440, China)

Affiliations: [1] Huadu Branch of Guangzhou Public Security Bureau, Guangzhou 510800; [2] Guangdong Police College, Guangzhou 510440

Source: Forensic Science and Technology (《刑事技术》), 2020, No. 6, pp. 572-576 (5 pages)

Funding: Guangdong Provincial Characteristic Innovation Project for Regular Universities (Natural Science) (2017KTSCX132).

Abstract: Trojan viruses are a major vector of cybercrime. Dynamic memory forensic analysis can determine where a Trojan resides on the computer, which DLLs it loads while running, and what changes it makes to the registry and the operating system, so that evidence of the Trojan attack can be fixed (preserved). The authors conducted simulation experiments in a virtual Windows environment, using a Trojan virus to carry out a simulated attack on a target computer. The DumpIt forensic tool, chosen because it has the smallest memory footprint, was used to acquire memory data online, and Volatility was then used to analyze the registry, processes and other structures in the memory image in order to study the Trojan's attack behaviour and reconstruct the dynamic course of the attack. The experimental results show that analysis of the captured memory data can reveal the location of the Trojan process, its communication ports, its functions and other information. The paper also compares the memory analysis data with the registry files, further enabling the discovery of clues and the fixing of evidence of a Trojan attacking the computer.

Keywords: cybercrime; Trojan forensics; memory analysis; Volatility; registry

Classification number: DF793.2 [Politics and Law: Procedural Law]
