Computer Engineering and Applications ›› 2009, Vol. 45 ›› Issue (18): 74-77. DOI: 10.3778/j.issn.1002-8331.2009.18.024

• Research and Development, Design, Testing •



Windows physical memory analysis method based on KPCR structure

GUO Mu, WANG Lian-hai

  1. Shandong Computer Science Center, Jinan 250014, China
  • Received:2008-07-25 Revised:2008-09-10 Online:2009-06-21 Published:2009-06-21
  • Contact: GUO Mu

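Summary: This paper introduces the advantages of computer live forensics and summarizes the current state of research abroad on the analysis of computer physical memory, together with its shortcomings. On this basis, it proposes a new Windows physical memory analysis method: physical memory analysis based on the KPCR structure. Compared with traditional physical memory analysis methods, this method is more reliable, applies to a wider range of cases, and has high practical value.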

Abstract: This paper describes the function of computer live forensics and sums up the research on computer physical memory forensic analysis. A new method of Windows memory forensic analysis is then proposed, which is much more reliable than other methods. This method is very useful in computer live forensics.