基于物理内存的注册表逆向重建取证分析算法

注册表结构重建与分析是Windows物理内存取证分析的重点和难点问题之一。首先通过分析注册表文件在硬盘中的逻辑特性,利用Windows系统调试工具分析注册表在内存中的数据结构特征,确立了在物理内存中定位注册表结构的方法;然后通过分析注册表项之间的树形关系,确定了注册表结构重建算法,并利用Graphviz可视化工具,设计出一种树形结构的可视化算法。实验结果表明,该算法能够实现对物理内存中注册表键名、键值信息的重建,基于获取的数据能够完成对系统中病毒的检测,并通过Graphviz可视化算法有效展示病毒感染系统的过程和结果。

A forensic analysis algorithm of registry reverse reconstruction based on physical memory

The reconstruction and analysis of the registry is one of the most important and difficult aspects of the Windows physical memory forensics. By analyzing the logical structure of the registry files in the hard disk and exploring the data structure features of the registry in the physical memory based on the Windows debugging tools, we proposed a clear and definite method to locate the registry physical addresses in the memory. Furthermore, by analyzing the tree-structured relationship between the entries of the registry, we designed a registry reconstruction algorithm and implemented a dendrogram visualization algorithm for the reconstructed registry based on Graphviz. The results of the experiment show that we can reconstruct of the names and values of the registry entries, retrieve the virus in the system based on the information we got, and finally display the process and results of the virus infection via the registry visualization.