
A Memory Forensic Method Based on Hidden Event Trigger Mechanism

  • Chaoyuan Cui
  • Yonggang Li
  • Yun Wu*
  • Licheng Wang
  *Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

Abstract

As an important branch of computer forensics, memory forensics can extract and analyze digital evidence of the running state of an OS, and has become a powerful weapon against cybercrime. Most existing memory forensics approaches acquire memory data in full, and thus contain a large amount of redundant information, which complicates subsequent memory analysis. In addition, the choice of forensic time points is blind, especially for malware with hiding characteristics, so forensics cannot be performed accurately and in real time when an attack occurs. Because memory is volatile and unrecoverable, a mismatch between the forensic time point and the attack process leaves the captured content unable to characterize the attack behavior, resulting in invalid forensic data. This study proposes ForenHD, a memory forensics approach based on a hidden event trigger mechanism. ForenHD monitors the kernel objects in the target virtual machine in real time by leveraging virtualization technology. It first identifies hidden objects by analyzing the logical connections and running status of kernel objects, and then uses the discovered hidden objects as the triggering event for memory forensics. Finally, ForenHD extracts the code segment information of the hidden object through memory mapping. As a result, real-time and partial memory forensics can be achieved. Experiments on the forensics of multiple hidden objects show ForenHD's feasibility and effectiveness.

Translated title of the contribution: A Memory Forensic Method Based on Hidden Event Trigger Mechanism
Original language: Traditional Chinese
Pages (from-to): 2278-2290
Number of pages: 13
Journal: Jisuanji Yanjiu yu Fazhan/Computer Research and Development
Volume: 55
Issue number: 10
DOI
Publication status: Published - 1 Oct 2018
Externally published: Yes

Keywords

  • Hidden event
  • Memory forensic
  • Partial forensics
  • Real-time forensic
  • System virtualization technology
  • Trigger mechanism
