Conference paper

Extraction of Comprehensive Network Connection Information from Windows 7 Memory Image

Comprehensive network connection information includes not only established TCP connection information but also established UDP connection information, established UDPv6 connection information, and TCP listening connection information. Obtaining comprehensive network connection information is still one of the challenges in memory analysis and plays an important role in identifying the sources of malicious cyber attacks. It is difficult to locate the storage structures holding comprehensive network connection information in a Windows 7 memory image file. In this paper, an approach to obtain comprehensive network connection information from 32-bit Windows 7 memory images is given. The method is verified on 32-bit Windows 7 Ultimate and proves more reliable and efficient than the corresponding method on the Windows Vista operating system.

network connections; memory analysis; computer forensics

Xu Lijuan, Wang Lianhai, Zhang Shuhui, Kong Zhigang

Shandong Provincial Key Laboratory of Computer Network, Shandong Computer Science Center, Jinan, Shandong Province, China

International conference

2010 International Conference on Circuit and Signal Processing (ICCSP 2010)

Shanghai

English

668-671

2010-12-25 (date the paper first appeared on the Wanfang platform, not the date of publication)