CN103399830A - Equipment and method for reading computer physical memory through PCI Express bus - Google Patents
Equipment and method for reading computer physical memory through PCI Express bus Download PDFInfo
- Publication number
- CN103399830A CN103399830A CN2013103457067A CN201310345706A CN103399830A CN 103399830 A CN103399830 A CN 103399830A CN 2013103457067 A CN2013103457067 A CN 2013103457067A CN 201310345706 A CN201310345706 A CN 201310345706A CN 103399830 A CN103399830 A CN 103399830A
- Authority
- CN
- China
- Prior art keywords
- pci
- data
- controller
- equipment
- internal memory
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention provides equipment for reading computer physical memory through a PCI Express bus. The equipment comprises an USB controller and a PCI-E bridging controller, wherein the USB controller is connected with the PCI-E bridging controller through a CPLD, and the USB controller and the PCI-E bridging controller are connected with an evidence obtaining computer and a target computer respectively. A memory obtaining method comprises the steps that a), the equipment is connected; b), configuration of internal memory reading equipment is PCI-to-PCI; c), a PCI bus number and equipment number are allocated; d), parameters are sent; e), the PCI-E bridging controller is configured; f), a bypass UMA address field is configured; g), a DMA mode is adopted to transmit data; h), internal memory data are analyzed. The equipment reads internal memory information of the target computer under a password protection state (such as screen protection and lock-out states), has 64 bit address space addressing capability, can read physical memory data more than 4G, improves flexibility, completeness and credibility of on-line evidence obtaining, and has higher use value.
Description
Technical field
The present invention relates to a kind of Apparatus and method for that reads the computer physics internal memory, in particular, relate in particular to a kind of Apparatus and method for that reads the computer physics internal memory by PCI Express bus.This method will be applied to the computer forensics field, be mainly used in the investigation and evidence collection of information security events and all kinds of computer crime cases.
Background technology
The information of status while existing some energy descriptive system to be attacked in the computer physics internal memory, as progress information, thread information, the fileinfo of opening, network connection information etc.These information disappear along with the shutdown of computer system.Therefore, exist the computer forensics aspect particularly important to obtaining in computer physics.For advancing the development of physics memory analysis technology, DFRWS(Digital Forensic Research Workshop) released the activity that is called " Forensics Challenge " in 2005, movable theme is exactly the physical memory analysis.From then on, for the analysis of physical memory with obtain the study hotspot that becomes computer forensics.
, in the situation that computing machine does not shut down, obtain the following several method of having of its physical memory:
A. hardware based method;
A-1. use Tribble equipment, the hardware expanding card that Brian Can'ier and Joe Grand have proposed a kind of use by name " Tribble " obtains the method for system physical internal memory, can the physical memory of system be copied in external storage equipment with Tribble.The author has built the Tribble equipment of-principle (proof-of-concept), has designed a PCI Mezzanine Card that can be inserted into system bus.Use the advantage of this class hardware device of Tribble to be easy to operate, easy to understand.Disadvantage is that hardware must be installed in system in advance, so Tribble equipment can't be widely used.A-2. use FireWire devices, FireWire (live wire) is a kind of High Speed I of coming as base growth take the technology of former Apple exploitation/O technology, and it can connect peripherals and computing machine.This technology formally is received to IEEE 1394 industrial standards (FireWire 400) in nineteen ninety-five.Utilize the property of FireWire devices, use corresponding software, the investigator can obtain the physical memory mirror image of system.FireWire devices uses direct memory access (DMA) technology, can not pass through the direct access system internal memory of CPU.The advantage of using FireWire devices is all integrated FireWire/IEEE1394 interface on the mainboard of present many computer systems, can be easily direct access system internal memory; To be that the live wire addressing space is maximum support to 32 shortcoming, therefore by fire-wire interfaces, can't obtain information in the above internal memory of 4G.B. based on the method for software;
B-1. use Microsoft collapse dump technology Windows NT, 2000 and XP all provide a kind of built-in " collapse dump " function to obtain the physical memory mirror image of system.When generating the collapse dump, system can be frozen, and the data in physical memory (adding the header information of about 4KB) can be written into disk, so just intactly preserved system state, and guarantee that system state can not revised artificially from starting to collapse dump.B-2. using virtual machine technique VMWare is a popular software virtual machine, uses it can create many virtual machines on a computer hardware.When operation VMWare session, can hang up (suspend) this session, namely temporary transient " freezing " system.When a VMWare session was suspended, VMWare can be stored in system " physical memory " mirror image in the file of an expansion .vmem by name with the DD form.Making in this way advantage is the unusual simple and fast of operation of hanging up a VMWare session, and minimum on the impact of Installed System Memory; Shortcoming is generally run directly in physical computer by the infringement system, seldom operates under virtual machine.B-3. use special software;
(1) DD, in unix system, data dump instrument DD's is of many uses, can xcopy, also can make the mirror image of DISK to Image.GMG System company has developed the modified version DD instrument that can be used for the Windows system.\ Device \ PhysicalMemory object, this instrument can obtain the physical memory of Windows system in access under user model.
(2) KntDD, do not support the systems such as Windows XP SP2, Windows Vista and Windows Server 2003 SP1 due to DD, therefore, GMG System company has developed again a new tool that is called KntDD and has been used for generating the physics memory mirror.
(3) Nigilant32, Nigilant32 are evidence obtaining instruments by Agile Risk Management exploitation, have the hard-disk content browsed, obtain the physical memory mirror image, obtain the current process of moving and the functions such as " snapshots " of the port opened.(4) Helix, Helix are a powerful Computer Forensic Tools that can directly be started by CDROM, and be starting in 2003, the present world-renowned computer forensics SANS of mechanism with Helix as the evidence obtaining training tool.Helix is actually a Knoppix who remodified, and (Knoppix is a Linux release version, has wherein increased the content of relevant emergency response and computer forensics.
The software that in addition, can obtain Mac OS system X memory mirror file has DD, OSXPmem, MacMemoryReader etc.Although it is more complete to use the method for software to obtain internal memory, but because software need to move in target computer system, therefore make and obtain in this way the physical memory mirror image and can introduce extra code, increased the possibility that the content of obtaining is tampered, covers; Present hardware acquisition methods is subject to again the restriction of memory size 4G, and under 64 bit manipulation systems, internal memory is more than or equal to the computing machine of 4G, and some significant datas that are mapped to the above memory address space of 4G can't obtain.
Summary of the invention
The present invention, in order to overcome the shortcoming of above-mentioned technical matters, provides a kind of Apparatus and method for that reads the computer physics internal memory by PCI Express bus.
The equipment that reads the computer physics internal memory by PCI Express bus of the present invention, comprise USB controller, PCI-E bridge controller, supply module and clock module, supply module, clock module provide respectively power supply and clock pulse signal to USB controller and PCI-E bridge controller; Its special feature is: described USB controller is connected by the CPLD logical device with the PCI-E bridge controller, be provided with the USB interface that is connected with the computing machine of collecting evidence on the USB controller, be provided with the PCI Express interface that is connected with object computer on the PCI-E bridge controller; The CPLD logical device is for the data transmission that realizes between USB controller and PCI-E bridge controller.
The effect that USB controller, PCI-E bridge controller all have bidirectional data transfers, the USB interface on the USB controller is connected with the evidence obtaining computing machine, and the PCI Express interface on the PCI-E bridge controller is connected with object computer.The CPLD logical device is used for realizing the communication between USB controller and PCI-E controller, the CPLD logical device can determine USB controller and PCI-E bridge controller master slave mode, carry out the conversion of sequential and highway width and internal storage data transferred to the evidence obtaining computing machine under the DMA pattern.
The equipment that reads the computer physics internal memory by PCI Express bus of the present invention, comprise the reseting module that USB controller and PCI-E bridge controller is carried out reset operation, and described USB controller is connected with program storage.Reset circuit is realized the reset operation to USB controller and PCI-E bridge controller, and program storage can adopt EEPROM, is used for the storing firmware program.
The equipment that reads the computer physics internal memory by PCI Express bus of the present invention, be integrated with bus logic module, configuration interface modular converter and data transmission interface modular converter in described CPLD logical device, the bus logic module is used for determining the master slave mode of USB controller and PCI-E bridge controller, and configuration interface modular converter, data transmission interface modular converter are used for conversion timing sequence and highway width.
The equipment that reads the computer physics internal memory by PCI Express bus of the present invention, described USB controller adopts the chip of CY7C68013A model, and the PCI-E bridge controller adopts the chip of PEX8311 model, and the model of described CPLD logical device is EPM240; 16 bit data ends of USB controller are connected with the low 16 bit data ends of PCI-E bridge controller, and the high 16 bit data ends of PCI-E bridge controller are connected with 16 bit data ends of USB controller through the data transmission interface modular converter; The control signal of USB controller, PCI-E bridge controller all is connected with the configuration interface modular converter, and the bus arbitration signal of USB controller, PCI-E bridge controller all is connected with the bus logic module.PEX8311 is the bridging chip that the PCI Express of PLX company turns local bus.The CY7C68013A chip not only contains 8051 microcontrollers, but also is provided with USB interface, has namely realized the control to whole equipment, has also realized being connected with the port of evidence obtaining computing machine.
The equipment that reads the computer physics internal memory by PCI Express bus of the present invention, the input end of described supply module is connected with the upper power lead of USB interface.
The internal memory acquisition methods that reads the equipment of computer physics internal memory by PCI Express bus of the present invention, its special feature is, comprise the following steps: a). equipment connection, the evidence obtaining computing machine is connected with the USB interface of internal memory fetch equipment, and object computer is connected with the PCI Express interface of internal memory fetch equipment; B). the equipment configuration is configured to the internal memory fetch equipment Memory Controller Hub that is connected with object computer with the PCI-to-PCI bridge, the information of avoiding on object computer occurring searching driver; C). distribute pci bus number, device number, object computer is that the internal memory fetch equipment distributes pci bus number and PCI device number, and object computer loads the driver of internal memory fetch equipment automatically; D). parameter sends, the evidence obtaining computing machine with reading order, write order, memory address, internal memory length information as parameter, be sent in the USB controller by USB interface; E). PCI allocation-E bridge controller, main frame on take the USB controller as bus, PCI-E bridge controller are slave, the parameter that the evidence obtaining computing machine is sent is sent to the PCI-E bridge controller, and the PCI-E bridge controller is according to the packet of parametric configuration read-write physical memory; F). configuration gets around the UMA address field, gets around the Upper Memory Area address field in the object computer internal memory, obtains the internal storage data of object computer; G). adopt DMA mode transfer data, the PCI-E bridge controller obtains the internal storage data of object computer by PCI Express bus, main frame on take the PCI-E bridge controller as bus, USB controller are slave, by the USB controller, internal storage data are sent to the evidence obtaining computing machine under the DMA pattern; H). the internal storage data analysis, the evidence obtaining computing machine carries out verification and analysis to the internal storage data that obtains.
The internal memory acquisition methods that reads the equipment of computer physics internal memory by PCI Express bus of the present invention, described USB controller, PCI-E bridge controller adopt respectively CY7C68013A chip and PEX8311 chip, step e) in, the parameter sent of evidence obtaining computing machine is sent to the PCI-E bridge controller comprises the following steps:
Comprise the following steps to PCI-E bridge controller data writing:
E-1) gradation of .32bit data writes, and at first CY7C68013A writes the high 16bit of 32bit data in the inside working storage of CPLD logical device (7), and then the low 16bit of 32bit data is write the CPLD logical device; E-2) combination of .32bit data, the CPLD logical device is combined high 16bit data and low 16bit data that gradation receives, forms complete 32bit data; E-3). writing of 32bit data, the CPLD logic device writes complete 32bit data in the PEX8311 chip;
Comprise following steps from PCI-E bridge controller reading out data:
E-4) gradation of .32bit data is read, and the high 16bit of 32bit data is deposited in the working storage of CPLD logical device, and will hang down the 16bit data, directly reads back in CY7C68013A; E-5) combination of .32bit data, CY7C68013A reads temporary high 16bit data from the CPLD logical device, and low 16bit bit data, high 16bit bit data are combined as complete 32bit data.
The internal memory acquisition methods that reads the equipment of computer physics internal memory by PCI Express bus of the present invention, the internal storage data that the evidence obtaining computing machine obtains is binary file, step h) described method of calibration is the Hash verification.
The invention has the beneficial effects as follows: the present invention, by the PCI Express interface that is connected with object computer and the USB interface that is connected with the evidence obtaining computing machine are set, has plug-and-play feature.Directly read data in calculator memory by PCI Express interface; realized object computer reading at the lower memory information of cryptoguard state (as screen protection, lock-out state); do not need operating software on computers, to the object computer running status, change very little.Owing to having adopted PCI Express interface bus, make this equipment have 64 bit address space access abilities, can read the above physical memory data of 4G, improve the dirigibility of online evidence obtaining and strengthened integrality, the credibility of online evidence obtaining, have very high use value.
System and a method according to the invention, by the support of computing machine to PCI-E equipment DMA function, makes it directly to the data in calculator memory, read analysis, has expanded the useful information amount, has improved the efficiency of evidence obtaining and emergency response.Secondly, with respect in computer-internal, expansion card being installed in advance, native system only needs that it is expanded draw-in groove by PCI-E and is connected to computing machine to be collected evidence, and can read and write its internal storage data, need not general computer user or the evidence obtaining personnel install any software and hardware in advance.Especially, the computing machine for the offender uses, can not have preassembled expansion card, and therefore, usable range is expanded relatively.Moreover, utilize PCI-E bus peripheral hardware plug and play, hot swappable characteristics, collect evidence and can guarantee immediately obtaining of data with native system, real-time.Then, utilize PCI-E equipment can send the characteristics of 64 bit address requests, with respect to 1394 equipment, native system can the access memory address in the above data of 4G, the internal memory that obtains has more integrality.Further, with respect to by software, obtaining internal memory, native system provides better to be protected field data, the driver that the loading of system only needs a small amount of internal memory operation system to carry, and the operation of system is committed memory not fully.Native system can obtain the memory information of the computer system (Windows system and Mac OS system X) under the cryptoguard state that is in (as screen protection, lock-out state) simultaneously.The native system evidence collecting method is simple, only needs the installation of simple plug and play hardware components, the field technician is required low, does not need to possess the computer literacy of specialty, and is easy to utilize.
Description of drawings
Fig. 1 is the schematic diagram that reads the computer physics memory device of the present invention;
The schematic diagram that Fig. 2 is connected with the internal memory fetch equipment for evidence obtaining computing machine, object computer;
Fig. 3 utilizes internal memory fetch equipment of the present invention to obtain the process flow diagram of internal storage data;
Fig. 4 is PCI Express TLP packet package head format;
Fig. 5 is the PCI Express connecting interface that reads the computer physics memory device of the present invention;
Fig. 6, Fig. 7 are the connection line figure of PEX8311 chip and PCI Express interface;
Fig. 8 is the connected mode of CY7C68013A chip and peripheral circuit.
In figure: 1 USB interface, 2 PCI Express interfaces, 3 USB controllers, 4 PCI-E bridge controllers, 5 supply modules, 6 program storages, 7 CPLD logical devices, 8 clock modules, 9 reseting modules, 10 bus logic modules, 11 configuration interface modular converters, 12 data transmission interface modular converters, 13 internal memory fetch equipments, 14 evidence obtaining computing machines, 15 object computers.
Embodiment
The invention will be further described below in conjunction with accompanying drawing and embodiment.
As shown in Figure 1, provided the schematic diagram that reads the equipment of computer physics internal memory by PCI Express bus of the present invention, it comprises USB controller 3, PCI-E bridge controller 4, usb 1, PCI Express interface 2, CPLD logical device 7, power module 5, program storage 6, clock module 8, reseting module 9; Shown usb 1, PCI Express interface 2 are connected with USB controller 3, PCI-E bridge controller 4 respectively, usb 1, PCI Express interface 2 are connected with object computer with the evidence obtaining computing machine respectively, are respectively used to the internal storage data of receiving target computing machine transmission and to the evidence obtaining computing machine, send internal storage data.
Shown supply module 5 provides burning voltage for USB controller 3 and PCI-E bridge controller 4, supply module 5 obtains the DC voltage of 5V from the power lead on usb 1, be translated into the laggard line output of operating voltage (3.3V) of USB controller 3 and PCI-E bridge controller 4.Clock module 8 is used for providing work required clock pulse signal to USB controller 3 and PCI-E bridge controller 4.Program storage 6 can adopt the serial EEPROM chip, is used for depositing the firmware program of this equipment, by the I2C bus, with USB controller 3, is connected.Reseting module 9 is reset circuits of USB controller 3 and PCI-E bridge controller 4, realizes the reset response in equipment running process.
Shown USB controller 3 is connected by CPLD logical device 7 with PCI-E bridge controller 4, to realize the data transmission between USB controller 3 and PCI-E bridge controller.USB controller 3 adopts the CY7C68013A chip, and CY7C68013A not only is built-in with 8051 microcontrollers, but also is provided with USB interface; PCI-E bridge controller 4 adopts the PEX8311 chip, and the PEX8311 chip turns the conventional chip of local bus for PCI Express interface commonly used.CPLD logical device 7 consists of bus logic module 10, configuration interface modular converter 11 and data transmission interface modular converter 12, and CPLD logical device 7 can be selected the EPM240 chip.The 16 bit data ends of CY7C68013A directly are connected with the low 16 bit data ends of the 32 bit data ends of PEX8311, and the high 16 bit data ends of PEX8311 are connected with the 16 bit data ends of CY7C68013A through data transmission interface modular converter 12.
Configuration interface modular converter 11 is realized interface sequence conversion and highway width conversion at configuration phase; The GPIF interface bit wide of CY7C68013A can only be configured to 8bit or 16bit, and PEX8311 can only be the 32bit width under holotype, both do not mate, must use the holotype communication of 32bit width to the register configuration of PEX8311, therefore need to use configuration interface modular converter 11 to do the highway width conversion here.Need to be decomposed into each time the read-write of twice 16bit to the access of PEX8311.Concrete steps are as follows: when writing the PEX8311 register, at first the high 16bit of 32bit data is write the inside working storage of CPLD logical device 7, then when writing low 16bit, with the high 16bit in CPLD logical device 7, be combined into complete 32bit data one-time write PEX8311 inside.Read the PEX8311 register similarly, at first the read operation of initiating, deposit high 16bit data in the working storage of CPLD inside in, and low 16bit data are directly read back to CY7C68013A, then read for the second time the temporal data of CPLD inside, both synthesize complete 32bit data.
Data transmission interface modular converter 12 is used for the read-write of batch data, and under data-transmission mode, PEX8311 is as main frame, and CY68013A uses the SlaveFIFO interface as slave.PEX8311 can be configured to use the 16bit data width under the DMA pattern, can mate with the data line width of CY7C68013A like this, no longer needs to do the conversion of data width.But both interface sequences remain unmatched, need CPLD to do the sequential conversion.Under the DMA pattern, PCI-E bridge controller 4 can, with the data of the object computer that obtains from PCI Express interface, transfer on the evidence obtaining computing machine that is connected with USB controller 3.
PCI-E bridge controller 4 is PCI Express buses to the bridging chip of local bus, supports 3 kinds of data transfer modes: holotype, from pattern and DMA (direct memory access (DMA)) mode, the sending and receiving of responsible packet.3 kinds of data-transmission modes of PEX8311 are as follows:
A) holotype: the main equipment on local bus is accessed PCI Express bus storage space and input/output space by PEX8311.
B) from pattern: PCI Express bus master is accessed local bus storage space and input/output space by PEX8311.
C) DMA transmission mode: PEX8311, as the main equipment of two buses, can pass data mutually between PCI Express bus storage space and Local bus storage space.
In the present invention, used these two kinds of holotype and DMA patterns, do not used from pattern.DMA mode data transmission speed is the fastest, do not need software to participate in transmitting procedure, so data transmission is mainly used this pattern., because transmission is initiated by the local bus end,, so need to use holotype, by the main frame of local bus, PEX8311 chip internal register is configured in addition, starts the DMA transmission, after this switch to the DMA pattern and carry out data transmission.
As shown in Figure 4, provided PCI Express TLP packet package head format, the length of the internal memory that rear two bit representations of shown byte 3 and byte 2 obtain, byte 8~byte 11 is used for the high 32 of storage 64-bit addressing, and byte 12~byte 15 is used for low 32 of storage 64-bit addressing.
As shown in Figure 5, having provided as the PCI Express connecting interface schematic diagram that reads the computer physics memory device of the present invention, is the definition of each pin of PCI Express interface in figure.Fig. 6, Fig. 7 have provided the circuit connection diagram as the PEX8311 chip of PCI-E bridge controller 4, it adopts three pairs of differential signals to realize the transmitting-receiving of data, port PETp0, PETn0 realize the transmission of data, port PERp0, PERn0 realize the reception of data, and REFCLK+, REFCLK-are reference clock signal.Pin corresponding to these signals access PEX8311.Wherein the transmitting terminal of PEX8311 need to seal in the Capacitor apart direct current.
CPPE# and CLKREQ# are respectively card and insert detection and clock request, herein direct ground connection.After card inserted slot, PC can detect card, starts to its power supply and clock signal is provided.
Fig. 8 has provided the circuit diagram of CY7C68013A chip as USB controller 3, and its 16 bit data port directly is connected with the low 16 bit data ports of PEX8311 chip, also by the CPLD controller, with low 16 bit ports of EX8311 chip, is connected.
The internal memory acquisition methods that reads the equipment of computer physics internal memory by PCI Express bus of the present invention comprises the following steps:
A). equipment connection, the evidence obtaining computing machine is connected with the usb 1 of internal memory fetch equipment, object computer is connected with the PCI Express interface 2 of internal memory fetch equipment;
As shown in Figure 2, provided the schematic diagram that the internal memory fetch equipment is connected with evidence obtaining computing machine, object computer, the USB interface of shown evidence obtaining computing machine 14 is connected with the USB interface on internal memory fetch equipment 13, and the PCI Express interface on object computer 15 is connected with the PCI Express interface on internal memory fetch equipment 13.
B). the equipment configuration is configured to the internal memory fetch equipment Memory Controller Hub that is connected with object computer with the PCI-to-PCI bridge, the information of avoiding on object computer occurring searching driver;
In order to need not the manual installation driver on object computer, PEX8311 bridging chip inside is to consist of two parts, and the one, PCI Express turns the PCI bridge, and another is that PCI turns the local bus bridge.The former is exactly the PCI to PCI bridge of a standard for the software aspect, this equipment is built-in driver in operating system, therefore can Auto-mounting.The latter is a self-defining equipment, and the user can be configured as the equipment of stating in any standard, and realizes its function.Here be configured as the Memory Controller Hub that system carries driving, can realize exempting from install driver.
Because all transmission of this equipment are all initiated by the local bus end, PCI Express end is passive reception request, so do not need the participation of any software on object computer.
C). distribute pci bus number, device number, object computer is that the internal memory fetch equipment distributes pci bus number and PCI device number, and object computer loads the driver of internal memory fetch equipment automatically;
D). parameter sends, the evidence obtaining computing machine with reading order, write order, memory address, internal memory length information as parameter, be sent in USB controller (3) by USB interface;
E). PCI allocation-E bridge controller, main frame on take the USB controller as bus, PCI-E bridge controller are slave, the parameter that the evidence obtaining computing machine is sent is sent to the PCI-E bridge controller, and the PCI-E bridge controller is according to the packet of parametric configuration read-write physical memory;
In the situation that USB controller 3, PCI-E bridge controller 4 adopt respectively CY7C68013A chip and PEX8311 chip, in this step, the parameter that the evidence obtaining computing machine is sent is sent to the PCI-E bridge controller and realizes by following steps:
Comprise the following steps to PCI-E bridge controller data writing:
E-1) gradation of .32bit data writes, and at first CY7C68013A writes the high 16bit of 32bit data in the inside working storage of CPLD logical device (7), and then the low 16bit of 32bit data is write the CPLD logical device;
E-2) combination of .32bit data, the CPLD logical device is combined high 16bit data and low 16bit data that gradation receives, forms complete 32bit data;
E-3). writing of 32bit data, the CPLD logic device writes complete 32bit data in the PEX8311 chip;
Comprise following steps from PCI-E bridge controller reading out data:
E-4) gradation of .32bit data is read, and the high 16bit of 32bit data is deposited in the working storage of CPLD logical device, and will hang down the 16bit data, directly reads back in CY7C68013A;
E-5) combination of .32bit data, CY7C68013A reads temporary high 16bit data from the CPLD logical device, and low 16bit bit data, high 16bit bit data are combined as complete 32bit data.
F). configuration gets around the UMA address field, gets around the Upper Memory Area address field in the object computer internal memory, obtains the internal storage data of object computer;
G). adopt DMA mode transfer data, the PCI-E bridge controller obtains the internal storage data of object computer by PCI Express bus, main frame on take the PCI-E bridge controller as bus, USB controller are slave, by the USB controller, internal storage data are sent to the evidence obtaining computing machine under the DMA pattern;
The DMA mode transfer can realize that PCI Express is interfaced to the direct transmission of USB interface data, and the PCI-E controller writes data the I/O queue of USB controller, and according to the full state of I/O queue, determines whether can continue to write.
H). the internal storage data analysis, the evidence obtaining computing machine carries out verification and analysis to the internal storage data that obtains.
The internal storage data that the evidence obtaining computing machine obtains is binary file, and the method for calibration in this step is the Hash verification.
The present invention is based on PCI Express bussing technique and operating system and can open the characteristics of DMA under specific circumstances, basic configuration and plug-and-play feature by means of the DMA data transfer mode of I/O equipment, various operating systems, mode by DMA realizes the access to the object computer physical memory, the physical memory packet that reads is sent to the evidence obtaining computing machine by Universal USB interface 1, in the situation that to the change of object computer internal memory is very little, realize obtaining of internal storage data, and has the ability of the above physical memory of read-write 4G.
Claims (8)
1. equipment that reads the computer physics internal memory by PCI Express bus, comprise USB controller (3), PCI-E bridge controller (4), supply module (5) and clock module (8), supply module, clock module provide respectively power supply and clock pulse signal to USB controller and PCI-E bridge controller; It is characterized in that: described USB controller is connected by CPLD logical device (7) with the PCI-E bridge controller, be provided with the USB interface (1) that is connected with the computing machine of collecting evidence on the USB controller, be provided with the PCI Express interface (2) that is connected with object computer on the PCI-E bridge controller; The CPLD logical device is for the data transmission that realizes between USB controller and PCI-E bridge controller.
2. the equipment that reads the computer physics internal memory by PCI Express bus according to claim 1, it is characterized in that: comprise the reseting module (9) that USB controller (3) and PCI-E bridge controller (4) is carried out reset operation, described USB controller is connected with program storage (6).
3. the equipment that reads the computer physics internal memory by PCI Express bus according to claim 1 and 2, it is characterized in that: be integrated with bus logic module (10), configuration interface modular converter (11) and data transmission interface modular converter (12) in described CPLD logical device (7), the bus logic module is used for determining the master slave mode of USB controller (3) and PIC-E bridge controller (4), and configuration interface modular converter, data transmission interface modular converter are used for conversion timing sequence and highway width.
4. the equipment that reads the computer physics internal memory by PCI Express bus according to claim 3, it is characterized in that: described USB controller (3) adopts the chip of CY7C68013A model, PCI-E bridge controller (4) adopts the chip of PEX8311 model, and the model of described CPLD logical device (7) is EPM240; 16 bit data ends of USB controller are connected with the low 16 bit data ends of PCI-E bridge controller, and the high 16 bit data ends of PCI-E bridge controller are connected with 16 bit data ends of USB controller through data transmission interface modular converter (12); The control signal of USB controller, PCI-E bridge controller all is connected with the configuration interface modular converter, and the bus arbitration signal of USB controller, PCI-E bridge controller all is connected with bus logic module (10).
5. the equipment that reads the computer physics internal memory by PCI Express bus according to claim 1 and 2, it is characterized in that: the input end of described supply module (5) is connected with the upper power lead of USB interface (1).
6. one kind based on the internal memory acquisition methods that reads the equipment of computer physics internal memory by PCI Express bus claimed in claim 1, it is characterized in that, comprises the following steps:
A). equipment connection, the evidence obtaining computing machine is connected with the USB interface (1) of internal memory fetch equipment, object computer is connected with the PCI Express interface (2) of internal memory fetch equipment;
B). the equipment configuration is configured to the internal memory fetch equipment Memory Controller Hub that is connected with object computer with the PCI-to-PCI bridge, the information of avoiding on object computer occurring searching driver;
C). distribute pci bus number, device number, object computer is that the internal memory fetch equipment distributes pci bus number and PCI device number, and object computer loads the driver of internal memory fetch equipment automatically;
D). parameter sends, the evidence obtaining computing machine with reading order, write order, memory address, internal memory length information as parameter, be sent in USB controller (3) by USB interface;
E). PCI allocation-E bridge controller, main frame on take the USB controller as bus, PCI-E bridge controller are slave, the parameter that the evidence obtaining computing machine is sent is sent to the PCI-E bridge controller, and the PCI-E bridge controller is according to the packet of parametric configuration read-write physical memory;
F). configuration gets around the UMA address field, gets around the Upper Memory Area address field in the object computer internal memory, obtains the internal storage data of object computer;
G). adopt DMA mode transfer data, the PCI-E bridge controller obtains the internal storage data of object computer by PCI Express bus, main frame on take the PCI-E bridge controller as bus, USB controller are slave, by the USB controller, internal storage data are sent to the evidence obtaining computing machine under the DMA pattern;
H). the internal storage data analysis, the evidence obtaining computing machine carries out verification and analysis to the internal storage data that obtains.
7. the internal memory acquisition methods that reads the equipment of computer physics internal memory by PCI Express bus according to claim 6, it is characterized in that, described USB controller (3), PCI-E bridge controller (4) adopt respectively CY7C68013A chip and PEX8311 chip, step e) in, the parameter sent of evidence obtaining computing machine is sent to the PCI-E bridge controller comprises the following steps:
Comprise the following steps to PCI-E bridge controller data writing:
E-1) gradation of .32bit data writes, and at first CY7C68013A writes the high 16bit of 32bit data in the inside working storage of CPLD logical device (7), and then the low 16bit of 32bit data is write the CPLD logical device;
E-2) combination of .32bit data, the CPLD logical device is combined high 16bit data and low 16bit data that gradation receives, forms complete 32bit data;
E-3). writing of 32bit data, the CPLD logic device writes complete 32bit data in the PEX8311 chip;
Comprise following steps from PCI-E bridge controller reading out data:
E-4) gradation of .32bit data is read, and the high 16bit of 32bit data is deposited in the working storage of CPLD logical device, and will hang down the 16bit data, directly reads back in CY7C68013A;
E-5) combination of .32bit data, CY7C68013A reads temporary high 16bit data from the CPLD logical device, and low 16bit bit data, high 16bit bit data are combined as complete 32bit data.
8. the internal memory method of obtaining that reads the equipment of computer physics internal memory by PCI Express bus according to claim 6, it is characterized in that: the internal storage data that the evidence obtaining computing machine obtains is binary file, step h) described method of calibration is the Hash verification.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310345706.7A CN103399830B (en) | 2013-08-09 | 2013-08-09 | The Apparatus and method for of computer physics internal memory is read by PCI Express bus |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310345706.7A CN103399830B (en) | 2013-08-09 | 2013-08-09 | The Apparatus and method for of computer physics internal memory is read by PCI Express bus |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103399830A true CN103399830A (en) | 2013-11-20 |
| CN103399830B CN103399830B (en) | 2016-01-06 |
Family
ID=49563462
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310345706.7A Active CN103399830B (en) | 2013-08-09 | 2013-08-09 | The Apparatus and method for of computer physics internal memory is read by PCI Express bus |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103399830B (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103617112A (en) * | 2013-11-28 | 2014-03-05 | 哈尔滨理工大学科技园发展有限公司 | Embedded safety recording instrument of computer |
| CN104699582A (en) * | 2015-03-24 | 2015-06-10 | 杭州华三通信技术有限公司 | Internal memory data acquiring device, method and system |
| CN105243040A (en) * | 2015-11-11 | 2016-01-13 | 中国电子科技集团公司第四十一研究所 | Instrument programmed control system and method supporting USBTMC protocol based on PCIe bus |
| CN107968803A (en) * | 2016-10-20 | 2018-04-27 | 中国电信股份有限公司 | For long-range evidence collecting method, device, mobile terminal and the system of mobile terminal |
| CN109542815A (en) * | 2018-09-28 | 2019-03-29 | 天津市英贝特航天科技有限公司 | A kind of high-speed d/a system and working method based on USB3.0 interface |
| CN111581139A (en) * | 2020-05-06 | 2020-08-25 | 浙江宇视科技有限公司 | Compatible processing method, device and equipment of PCIe equipment and storage medium |
| CN111737178A (en) * | 2020-06-18 | 2020-10-02 | 济南互信软件有限公司 | Computer memory forensics method and equipment and memory forensics analysis system |
| CN116383015A (en) * | 2023-06-06 | 2023-07-04 | 成都安思科技有限公司 | Physical memory noninductive evidence obtaining system and method based on extensible board plug-in type |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101419536A (en) * | 2008-12-02 | 2009-04-29 | 山东省计算中心 | Computer internal memory data acquiring method and system |
| CN202205195U (en) * | 2011-07-14 | 2012-04-25 | 山东省计算中心 | Equipment for reading and writing physical memory of computer through IEEE 1394 interface |
| US20130173838A1 (en) * | 2011-12-28 | 2013-07-04 | Etron Technology, Inc. | Bridge between a peripheral component interconnect express interface and a universal serial bus 3.0 device |
| CN203386206U (en) * | 2013-08-09 | 2014-01-08 | 山东省计算中心 | Device for reading physical memory of computer through PCI Express interface |
-
2013
- 2013-08-09 CN CN201310345706.7A patent/CN103399830B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101419536A (en) * | 2008-12-02 | 2009-04-29 | 山东省计算中心 | Computer internal memory data acquiring method and system |
| CN202205195U (en) * | 2011-07-14 | 2012-04-25 | 山东省计算中心 | Equipment for reading and writing physical memory of computer through IEEE 1394 interface |
| US20130173838A1 (en) * | 2011-12-28 | 2013-07-04 | Etron Technology, Inc. | Bridge between a peripheral component interconnect express interface and a universal serial bus 3.0 device |
| CN203386206U (en) * | 2013-08-09 | 2014-01-08 | 山东省计算中心 | Device for reading physical memory of computer through PCI Express interface |
Non-Patent Citations (2)
| Title |
|---|
| 周立国等: "基于PCI Express总线的数据传输卡的设计与实现", 《电子测量技术》 * |
| 李丹等: "PCI Express总线接口板的设计与实现", 《现代电子技术》 * |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103617112A (en) * | 2013-11-28 | 2014-03-05 | 哈尔滨理工大学科技园发展有限公司 | Embedded safety recording instrument of computer |
| CN104699582A (en) * | 2015-03-24 | 2015-06-10 | 杭州华三通信技术有限公司 | Internal memory data acquiring device, method and system |
| CN105243040A (en) * | 2015-11-11 | 2016-01-13 | 中国电子科技集团公司第四十一研究所 | Instrument programmed control system and method supporting USBTMC protocol based on PCIe bus |
| CN105243040B (en) * | 2015-11-11 | 2019-01-18 | 中国电子科技集团公司第四十一研究所 | A kind of instrument stored program controlled and method for supporting USBTMC agreement based on PCIe bus |
| CN107968803A (en) * | 2016-10-20 | 2018-04-27 | 中国电信股份有限公司 | For long-range evidence collecting method, device, mobile terminal and the system of mobile terminal |
| CN109542815A (en) * | 2018-09-28 | 2019-03-29 | 天津市英贝特航天科技有限公司 | A kind of high-speed d/a system and working method based on USB3.0 interface |
| CN111581139A (en) * | 2020-05-06 | 2020-08-25 | 浙江宇视科技有限公司 | Compatible processing method, device and equipment of PCIe equipment and storage medium |
| CN111737178A (en) * | 2020-06-18 | 2020-10-02 | 济南互信软件有限公司 | Computer memory forensics method and equipment and memory forensics analysis system |
| CN111737178B (en) * | 2020-06-18 | 2024-02-09 | 济南互信软件有限公司 | Method and equipment for obtaining evidence in computer memory and memory evidence analysis system |
| CN116383015A (en) * | 2023-06-06 | 2023-07-04 | 成都安思科技有限公司 | Physical memory noninductive evidence obtaining system and method based on extensible board plug-in type |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103399830B (en) | 2016-01-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103399830B (en) | The Apparatus and method for of computer physics internal memory is read by PCI Express bus | |
| CN103064805B (en) | SPI controller and communication means | |
| JP2011065685A (en) | Bus system based on open type core protocol | |
| CN109828941A (en) | AXI2WB bus bridge implementation method, device, equipment and storage medium | |
| CN106845219B (en) | A kind of intrusion detection smart machine for multiple types of data | |
| US8339869B2 (en) | Semiconductor device and data processor | |
| US20160110309A1 (en) | Device power management state transition latency advertisement for faster boot time | |
| CN107194257B (en) | Trusted system based on domestic TCM chip | |
| CN114564427A (en) | Bus bridge, system and method from AHB bus to I2C bus | |
| EP2639703B1 (en) | Device for booting soc chip and soc chip | |
| CN111737178B (en) | Method and equipment for obtaining evidence in computer memory and memory evidence analysis system | |
| CN102708079B (en) | Be applied to the method and system of the control data transmission of microcontroller | |
| Chhikara et al. | Implementing communication bridge between I2C and APB | |
| CN203386206U (en) | Device for reading physical memory of computer through PCI Express interface | |
| CN106815163B (en) | Have the System on Chip/SoC and its PCI-E root port controller of warm connection function | |
| US8473920B2 (en) | Application initiated tracing of its operation beginning with reset | |
| CN207650794U (en) | A kind of desktop mainboard based on Feiteng processor | |
| Paunikar et al. | Design and implementation of area efficient, low power AMBA-APB Bridge for SoC | |
| CN104331381B (en) | The anti-interference output intent of SPI chips | |
| CN107770228B (en) | 1-Wire communication system and method based on CPCI master control | |
| Mroczek | SoPC-based DMA for PCI Express DAQ cards | |
| Bhakthavatchalu et al. | Design and analysis of low power open core protocol compliant interface using VHDL | |
| CN116561036B (en) | Data access control method, device, equipment and storage medium | |
| CN107562673A (en) | One kind is applied to embedded processor bus protocol conversion bridge-set | |
| CN210109798U (en) | DSP and PC communication system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 250014 Ji'nan Province, Shandong Province, Lixia District, Department of road, No. 19, Shandong Computing Center Patentee after: SHANDONG COMPUTER SCIENCE CENTER Address before: 250014 Ji'nan Province, Shandong Province, Lixia District, Department of road, No. 19, Shandong Computing Center Patentee before: Shandong Prov. Computing Center |
|
| EE01 | Entry into force of recordation of patent licensing contract |
Application publication date: 20131120 Assignee: Shandong Zhengfang Renhe Information Technology Co., Ltd. Assignor: SHANDONG COMPUTER SCIENCE CENTER Contract record no.: 2016370000039 Denomination of invention: Equipment and method for reading computer physical memory through PCI Express bus Granted publication date: 20160106 License type: Common License Record date: 20160729 |
|
| LICC | Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model |