Research on Forensic Analysis Methods for Windows-Based Volatile Memory Data
Abstract
In the information age, computers and other intelligent information devices play an increasingly important role in social development. With the further growth and spread of the Internet, information technology has advanced social productivity while quietly changing how people live and work. The convenience these devices bring has, however, also created many information security problems. An annual report issued in 2011 by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) noted that, as new Internet technologies and applications develop rapidly in China, the information security situation will become more complex: its 2010 monitoring statistics counted 479,626 Trojan command-and-control server IPs and 10,317,169 Trojan-controlled host IPs, an increase of 274.9% over 2009. The Conficker ("飞客") worm broke out in 2010; according to CNCERT/CC sample monitoring in December 2010, more than 60 million host IPs worldwide were infected, and China remained a hard-hit area with more than 9 million infected host IPs. Crime committed with computers, intelligent devices and networks is therefore growing more serious and threatens social stability. Network and information security technology alone cannot eliminate these threats, so the legal system must also be used to constrain and regulate behaviour. Computer forensics arose at this intersection of computer security and law. Its purpose is to collect evidence that exists as data on the electronic devices involved in a case, reconstruct the course of the crime, and thereby provide reliable and valid evidence for legal proceedings.
     The traditional forensic procedure in computer crime cases mostly shuts down the computer involved, makes a complete copy of its disk data with a plug-and-play device, and analyses the image afterwards. As hardware has advanced, however, large memories have become common and encryption and anti-forensic techniques have appeared, so this traditional process loses a great deal of valuable information. Volatile data in memory may hold key information about the offence: the passwords and keys used to encrypt data, the state of the system while the act was taking place, traces of anti-forensic tools, and malware or system-level backdoors that an investigator examining only disk data can easily miss. Forensic analysis of volatile data has therefore drawn increasing attention from the judiciary and from computer security experts in recent years.
     Memory forensic analysis concentrates on the data in physical memory to obtain information about the crime. Although much useful information can be recovered from a memory image simply by searching readable text or keywords, the runtime context and the information surrounding a single piece of evidence can only be connected properly with an understanding of the relevant data structures and background. Accurately identifying the data in a memory image and performing correlation analysis on specific items is therefore essential.
     Building on the theory and methods of traditional computer forensics, this thesis summarises the characteristics of volatile data in memory and similar media and proposes a correlation-oriented forensic analysis model for volatile data. Rather than the single-evidence-object analysis of traditional evidence examination, the model emphasises the internal relationships among the individual items of evidence obtained; from a legal standpoint it is a method oriented toward constructing a chain of evidence. The thesis divides and describes the model in layers and designs preliminary solutions at the key layers. Because digital volatile data is volatile, transient, stable within a phase, multidimensional in its entity information, interrelated among entities, and predictable in how entity state changes within a phase, the method offers three advantages. First, analysis extends from a user's single action to the user's behaviour, giving a better view of the purpose behind a sequence of actions. Second, it breaks the single-time-point limit of volatile evidence acquisition: correlating all evidence objects captured at one instant makes it possible to predict or determine the user's behaviour over a period before or after that instant, not only at the moment of capture. Third, correlation analysis is aimed at the legal task of building a chain of evidence and so is better suited to actual law enforcement and courtroom use.
English abstract as supplied with the record:
Computers and other intelligent information devices play increasingly important roles in the development of the information age. With the further development and spread of the Internet, information technology has not only advanced social productivity but also subtly changed how people live and work. Although computers and other intelligent devices bring convenience, they also cause many information security problems.
     According to the annual report released by the National Computer Network Emergency Response Technical Team/Coordination Center in 2011, the information security situation will become more complex. Its 2010 detection statistics show 479,626 Trojan control server IPs and 10,317,169 controlled host IPs, a substantial increase of 274.9% compared with 2009. The Conficker ("飞客") worm broke out in 2010; according to the Center's sample monitoring in December 2010, more than 60 million host IPs worldwide were infected. This shows that crime committed with computers and networks is a growing problem and a serious threat to social harmony and stability. Information security technology alone cannot fundamentally solve these increasingly serious threats; people's behaviour must also be constrained by the legal system of modern society.
     In traditional computer forensics the investigator shuts down the computer involved in the crime, makes a complete copy of its disk data with a plug-and-play device, and takes the image back to the laboratory for analysis.
     However, with continued advances in computer hardware, large-capacity memory is widely used, and various encryption and anti-forensic techniques have appeared, so a great deal of valuable information is lost in the traditional forensic process. Volatile data in the computer's memory may contain critical information about criminal acts, such as the passwords used to encrypt information, the state of the system while the act was taking place, and traces of anti-forensic tools. Malware, system-level backdoors and related information can easily be overlooked by investigators analysing disk data alone.
     In recent years forensic analysis of volatile computer data has received increasing attention from the judiciary and from computer security experts. Memory forensic analysis focuses on obtaining crime-related information from physical memory. Searching a memory image for readable text strings or keywords yields some information, but to obtain more, the analysis must work within the runtime context and metadata, with an understanding of the data structures and the background of the crime. It is critical that investigators can accurately identify the data in the memory image and the correlations among specific items.
     We present a chain-of-evidence-oriented model for analysing digital forensic data from volatile system memory. It frees analysts from the traditional single-evidence-oriented analysis and focuses instead, at a higher level of abstraction, on the relevance among independent pieces of evidence; from the legal point of view this is an analysis pattern oriented toward chain construction. Because digital forensic data from volatile system memory is volatile, transient, stable within phases, complex, interrelated, and predictable in its phased behaviour, adopting the model offers three advantages. First, extending analysis from a user's single operation to the user's behaviour gives a better understanding of the purpose of a series of operations. Second, it breaks the confinement of evidence to the moment of collection: by analysing the relevance of all evidence at one moment, we can infer the user's behaviour over a period of time. Third, applying relevance analysis to the reconstruction of the evidence chain addresses the needs of law enforcement.
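Two points in the abstract above lend themselves to a concrete illustration: that a keyword search over a memory image returns hits with no context, whereas parsing the kernel's data structures yields objects that can be correlated; and that correlating objects captured at a single instant lets the analyst reason about a period before the capture. The Python below is an added example, not code or tooling from the thesis. Its record layout is a deliberately simplified stand-in for Windows kernel process objects (an assumption; real _EPROCESS layouts vary by build and must be taken from debug symbols and the pool header, and only the "Proc" pool tag is borrowed from real Windows), and the image, process names, PIDs and timestamps are constructed for the demonstration.

```python
"""Added example (not from the thesis): keyword search versus structure-aware
parsing of a memory image, followed by correlation of the parsed objects.

Assumption: the record layout below is a made-up stand-in for Windows kernel
process objects. Real _EPROCESS layouts must come from symbols, not guesses.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Synthetic record layout (assumption, not the real _EPROCESS):
#   4s tag | I pid | I parent pid | Q creation time (s) | 16s NUL-padded image name
REC = struct.Struct("<4sIIQ16s")
TAG = b"Proc"


@dataclass(frozen=True)
class Proc:
    offset: int
    pid: int
    ppid: int
    create_time: int
    name: str


def pack_proc(pid: int, ppid: int, create_time: int, name: str) -> bytes:
    return REC.pack(TAG, pid, ppid, create_time, name.encode().ljust(16, b"\0"))


# Constructed sample "memory image": four process records at unaligned offsets,
# a stray command-line string that belongs to no record, and filler bytes.
SNAPSHOT_TIME = 1000  # moment of acquisition (constructed value)
SAMPLE_IMAGE = (
    b"\0" * 13 + b"winlogon.exe telemetry" + b"\0" * 7
    + pack_proc(4, 0, 0, "System")
    + b"\xff" * 5
    + pack_proc(400, 4, 10, "explorer.exe")
    + b"cmd.exe /c del C:\\evidence.txt" + b"\0" * 3   # string only, no record
    + pack_proc(520, 400, 700, "cmd.exe")
    + pack_proc(640, 600, 820, "notepad.exe")        # parent pid 600 is absent
    + b"\0" * 9
)


def keyword_scan(image: bytes, keyword: bytes) -> list[int]:
    """Plain string search: every offset where the keyword occurs, no context."""
    hits, pos = [], image.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = image.find(keyword, pos + 1)
    return hits


def carve_processes(image: bytes) -> list[Proc]:
    """Structure-aware carving: look for the tag at any byte offset, decode the
    fixed layout, and accept the record only if its fields are plausible."""
    procs, pos = [], image.find(TAG)
    while pos != -1:
        if pos + REC.size <= len(image):
            _, pid, ppid, ctime, raw = REC.unpack_from(image, pos)
            name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
            if pid and pid != ppid and name and name.isprintable():
                procs.append(Proc(pos, pid, ppid, ctime, name))
        pos = image.find(TAG, pos + 1)
    return procs


def ancestry(procs: list[Proc]) -> dict[int, list[str]]:
    """Correlate records by pid/ppid into a root-to-process chain for each pid."""
    by_pid = {p.pid: p for p in procs}
    chains = {}
    for p in procs:
        chain, cur, seen = [p.name], p, {p.pid}
        while cur.ppid in by_pid and cur.ppid not in seen:   # guard against cycles
            cur = by_pid[cur.ppid]
            seen.add(cur.pid)
            chain.append(cur.name)
        chains[p.pid] = chain[::-1]
    return chains


def infer_exited_parents(procs: list[Proc], snapshot_time: int) -> dict[int, tuple[int, int]]:
    """Phase inference from one snapshot: an orphan proves its parent was alive
    when the child was created and gone by acquisition, so the parent's exit is
    bounded to the window (child create_time, snapshot_time)."""
    by_pid = {p.pid: p for p in procs}
    return {p.ppid: (p.create_time, snapshot_time)
            for p in procs if p.ppid and p.ppid not in by_pid}


if __name__ == "__main__":
    print("keyword hits for cmd.exe:", keyword_scan(SAMPLE_IMAGE, b"cmd.exe"))
    procs = carve_processes(SAMPLE_IMAGE)
    for pid, chain in ancestry(procs).items():
        print(f"{pid}: {' -> '.join(chain)}")
    print("parents exited before capture:", infer_exited_parents(procs, SNAPSHOT_TIME))
```

The keyword scan reports two hits for "cmd.exe" and cannot say which is a running process and which is a stale string; the structure-aware pass recovers four process objects, places cmd.exe under System -> explorer.exe -> cmd.exe, and from the orphaned notepad.exe record infers that a process with pid 600 existed at time 820 and had exited before the image was taken at time 1000, an event no single-instant listing would show.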
