Patent · US Active

Physical memory forensics system and method

US9268936B2 · kind B2 · utility

180Cited by

2References

18Claims

0Family size

Assignee

Mandiant, Inc. · US

Inventor

James R. Butler · San Jose, US

Key dates

Filing date	Jul 27, 2012
Grant date	Feb 23, 2016
Priority date	—
Expiry date	Feb 17, 2033

Classification

Technology area (CPC G)Physics
CPC primaryG06F12/10
WIPO fieldComputer technology
WIPO sectorElectrical engineering

Abstract

The method of the present inventive concept is configured to utilize Operating System data structures related to memory-mapped binaries to reconstruct processes. These structures provide a system configured to facilitate the acquisition of data that traditional memory analysis tools fail to identify, including by providing a system configured to traverse a virtual address descriptor, determine a pointer to a control area, traverse a PPTE array, copy binary data identified in the PPTE array, generate markers to determine whether the binary data is compromised, and utilize the binary data to reconstruct a process.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.