CN103399830B - The Apparatus and method for of computer physics internal memory is read by PCI Express bus - Google Patents
The Apparatus and method for of computer physics internal memory is read by PCI Express bus Download PDFInfo
- Publication number
- CN103399830B CN103399830B CN201310345706.7A CN201310345706A CN103399830B CN 103399830 B CN103399830 B CN 103399830B CN 201310345706 A CN201310345706 A CN 201310345706A CN 103399830 B CN103399830 B CN 103399830B
- Authority
- CN
- China
- Prior art keywords
- pci
- data
- internal memory
- controller
- bridge controller
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Abstract
Do you of the present inventionly pass through PCI? Express bus reads the equipment of computer physics internal memory, comprise USB controller, PCI-E bridge controller, USB controller is connected by CPLD logical device with PCI-E bridge controller, and USB controller, PCI-E bridge controller are connected with evidence obtaining computing machine, object computer respectively.Internal memory acquisition methods comprises: a). equipment connection; B). internal memory fetch equipment is configured to PCI-to-PCI; C). distribute pci bus number, device number; D). parameter sends; E). PCI allocation-E bridge controller; F). configuration gets around UMA address field; G). adopt DMA mode transfer data; H). internal storage data analysis.Present invention achieves the reading of object computer memory information under cryptoguard state (as screen protection, lock-out state); there are 64 bit address space access abilities; more than 4G physical memory data can be read; improve the dirigibility of online evidence obtaining, integrality and credibility, there is very high use value.
Description
Technical field
The present invention relates to a kind of Apparatus and method for reading computer physics internal memory, in particular, particularly relate to a kind of Apparatus and method for being read computer physics internal memory by PCIExpress bus.This method will be applied to computer forensics field, be mainly used in the investigation and evidence collection of information security events and all kinds of computer crime case.
Background technology
The information of status when some energy descriptive system is attacked is there is, as progress information, thread information, the fileinfo opened, network connection information etc. in computer physics internal memory.These information disappear along with the shutdown of computer system.Therefore, particularly important to there is computer forensics aspect in acquisition computer physics.For advancing the development of physics memory analysis technology, DFRWS(DigitalForensicResearchWorkshop) activity of " ForensicsChallenge " by name was proposed in 2005, movable theme is exactly physical memory analysis.From then on, the analysis of physical memory and acquisition are become to the study hotspot of computer forensics.
When computing machine does not shut down, what obtain its physical memory has following several method:
A. hardware based method;
A-1. use Tribble equipment, BrianCan'ier and JoeGrand proposes a kind of method that hardware expanding card with " Tribble " by name obtains system physical internal memory, can be copied in external storage equipment by the physical memory of system with Tribble.Author constructs the Tribble equipment of-one principle (proof-of-concept), devises the PCI Mezzanine Card that can be inserted into system bus.The advantage of this kind of hardware device of Tribble is used to be easy to operate, easy to understand.Disadvantage is that hardware must be installed in system in advance, so Tribble equipment can't be widely used.A-2. use FireWire devices, FireWire (live wire) is a kind of High Speed I/O technology developed based on the technology developed by former Apple, and it can connect peripherals and computing machine.This technology is formally received to IEEE1394 industrial standard (FireWire400) in nineteen ninety-five.Utilize the property of FireWire devices, use corresponding software, investigator can obtain the physical memory mirror image of system.FireWire devices uses direct memory access (DMA) technology, can not pass through the direct access system internal memory of CPU.Use the advantage of FireWire devices be present many computer systems mainboard on be all integrated with FireWire/IEEE1394 interface, can direct access system internal memory easily; Shortcoming be the maximum support of live wire addressing space to 32, therefore cannot obtain the information in more than 4G internal memory by fire-wire interfaces.B. based on the method for software;
B-1. use Microsoft collapse dump technology WindowsNT, 2000 and XP all provide a kind of built-in " collapse dump " function to obtain the physical memory mirror image of system.When generating collapse dump, system can be frozen, and the data (adding the header information of about 4KB) in physical memory can be written into disk, so just intactly saves system state, and ensure from when starting to carry out collapse dump, system state can not be revised artificially.B-2. use virtual machine technique VMWare to be a popular software virtual machine, use it can create multiple stage virtual machine on a computer hardware.When running VMWare session, (suspend) this session can be hung up, namely temporary transient " freezing " system.When a VMWare session is suspended, system " physical memory " mirror image can be stored in the file of an expansion .vmem by name with DD form by VMWare.Advantage is in this way made to be the operation very simple and fast of a hang-up VMWare session, and minimum on the impact of Installed System Memory; Shortcoming generally runs directly in physical computer, under seldom operating in virtual machine by infringement system.B-3. special software is used;
(1) DD, in unix system, data dump instrument DD's is of many uses, can xcopy, also can make the mirror image of DISK to Image.GMGSystem company develops the modified version DD instrument that can be used for Windows system.\ Device \ PhysicalMemory object, this instrument can obtain the physical memory of Windows system in access in the user mode.
(2) KntDD, because DD does not support the systems such as WindowsXPSP2, WindowsVista and WindowsServer2003SP1, therefore, GMGSystem company develops again one and is called that the new tool of KntDD is for generating physics memory mirror.
(3) Nigilant32, Nigilant32 are forensic tools developed by AgileRiskManagement, have to browse hard-disk content, obtain physical memory mirror image, obtain functions such as " snapshots " of the current process run and the port opened.(4) Helix, Helix are powerful Computer Forensic Tools that directly can be started by CDROM, starting in 2003, current world-renowned computer forensics mechanism SANS using Helix as evidence obtaining training tool.Helix is actually a Knoppix remodified, and (Knoppix is a Linux release version, with addition of the content about emergency response and computer forensics.
In addition, the software that can obtain MacOSX Installed System Memory image file has DD, OSXPmem, MacMemoryReader etc.Although it is more complete to use the method for software to obtain internal memory, but because software needs to run in target computer system, therefore the possibility make to obtain physical memory mirror image in this way and can introduce extra code, the content adding acquisition is tampered, covering; Current hardware acquisition methods is subject to again the restriction of memory size 4G, and under 64 bit manipulation systems, internal memory is more than or equal to the computing machine of 4G, and some significant datas being mapped to more than 4G memory address space cannot obtain.
Summary of the invention
The present invention, in order to overcome the shortcoming of above-mentioned technical matters, provides a kind of Apparatus and method for being read computer physics internal memory by PCIExpress bus.
The equipment being read computer physics internal memory by PCIExpress bus of the present invention, comprise USB controller, PCI-E bridge controller, supply module and clock module, supply module, clock module provide power supply and clock pulse signal respectively to USB controller and PCI-E bridge controller; Its special feature is: described USB controller is connected by CPLD logical device with PCI-E bridge controller, USB controller is provided with the USB interface be connected with computing machine of collecting evidence, PCI-E bridge controller is provided with the PCIExpress interface be connected with object computer; CPLD logical device transmits for the data realized between USB controller and PCI-E bridge controller.
USB controller, PCI-E bridge controller all have the effect of bidirectional data transfers, and the USB interface on USB controller is connected with evidence obtaining computing machine, and the PCIExpress interface on PCI-E bridge controller is connected with object computer.CPLD logical device for realizing the communication between USB controller and PCI-E controller, CPLD logical device can determine USB controller and PCI-E bridge controller master slave mode, carry out sequential and highway width conversion and in dma mode internal storage data is transferred to evidence obtaining computing machine.
The equipment being read computer physics internal memory by PCIExpress bus of the present invention, comprise reseting module USB controller and PCI-E bridge controller being carried out to reset operation, described USB controller is connected with program storage.Reset circuit realizes the reset operation to USB controller and PCI-E bridge controller, and program storage can adopt EEPROM, for storing firmware program.
The equipment being read computer physics internal memory by PCIExpress bus of the present invention, bus logic module, configuration interface modular converter and data transmission interface modular converter is integrated with in described CPLD logical device, bus logic module is for determining the master slave mode of USB controller and PCI-E bridge controller, and configuration interface modular converter, data transmission interface modular converter are used for conversion timing sequence and highway width.
The equipment being read computer physics internal memory by PCIExpress bus of the present invention, described USB controller adopts the chip of CY7C68013A model, and PCI-E bridge controller adopts the chip of PEX8311 model, and the model of described CPLD logical device is EPM240; 16 bit data end of USB controller are connected with low 16 bit data end of PCI-E bridge controller, and high 16 bit data end of PCI-E bridge controller are connected with 16 bit data end of USB controller through data transmission interface modular converter; The control signal of USB controller, PCI-E bridge controller is all connected with configuration interface modular converter, and the bus arbitration signal of USB controller, PCI-E bridge controller is all connected with bus logic module.PEX8311 is the bridging chip that the PCIExpress of PLX company turns local bus.CY7C68013A chip not only containing 8051 microcontrollers, but also is provided with USB interface, namely achieves the control to whole equipment, also achieves and be connected with the port of computing machine of collecting evidence.
The equipment being read computer physics internal memory by PCIExpress bus of the present invention, the input end of described supply module is connected with the power lead of the upper of USB interface.
The internal memory acquisition methods being read the equipment of computer physics internal memory by PCIExpress bus of the present invention, its special feature is, comprise the following steps: a). equipment connection, be connected with the USB interface of internal memory fetch equipment by evidence obtaining computing machine, object computer is connected with the PCIExpress interface of internal memory fetch equipment; B). Equipments Setting, is configured to the Memory Controller Hub be connected with object computer with PCI-to-PCI bridge by internal memory fetch equipment, avoid information object computer occurring search driver; C). distribute pci bus number, device number, object computer is that internal memory fetch equipment distributes pci bus number and PCI device number, and object computer loads the driver of internal memory fetch equipment automatically; D). parameter sends, and reading order, write order, memory address, internal memory length information as parameter, are sent in USB controller by USB interface by evidence obtaining computing machine; E). PCI allocation-E bridge controller, with USB controller be the main frame in bus, PCI-E bridge controller is from machine, the parameter that evidence obtaining computing machine sends is sent to PCI-E bridge controller, and PCI-E bridge controller is according to the packet of parametric configuration read-write physical memory; F). configuration gets around UMA address field, gets around the UpperMemoryArea address field in object computer internal memory, obtains the internal storage data of object computer; G). adopt DMA mode transfer data, PCI-E bridge controller obtains the internal storage data of object computer by PCIExpress bus, with PCI-E bridge controller be the main frame in bus, USB controller is from machine, by USB controller, internal storage data is sent to evidence obtaining computing machine in dma mode; H). internal storage data analysis, evidence obtaining computing machine carries out School Affairs analysis to the internal storage data obtained.
The internal memory acquisition methods being read the equipment of computer physics internal memory by PCIExpress bus of the present invention, described USB controller, PCI-E bridge controller adopt CY7C68013A chip and PEX8311 chip respectively, step e) in, the parameter that evidence obtaining computing machine sends is sent to PCI-E bridge controller and comprises the following steps:
Comprise the following steps to PCI-E bridge controller write data:
E-1) the gradation write of .32bit data, first the high 16bit of 32bit data writes in the inside working storage of CPLD logical device (7) by CY7C68013A, and then the low 16bit of 32bit data is write CPLD logical device; E-2) combination of .32bit data, the high 16bit data that gradation receives by CPLD logical device, together with low 16bit data assemblies, form complete 32bit data; E-3) write of .32bit data, CPLD logic device is by complete 32bit data write PEX8311 chip;
Following steps are drawn together from PCI-E bridge controller read data packet:
E-4) gradation of .32bit data is read, and by the working storage of the high 16bit of 32bit data stored in CPLD logical device, and low 16bit data is directly read back in CY7C68013A; E-5) combination of .32bit data, CY7C68013A reads temporary high 16bit data from CPLD logical device, and low 16bit bit data, high 16bit bit data are combined as complete 32bit data.
The internal memory acquisition methods being read the equipment of computer physics internal memory by PCIExpress bus of the present invention, the internal storage data that evidence obtaining computing machine obtains is binary file, step h) described in method of calibration be Hash verification.
The invention has the beneficial effects as follows: the present invention, by arranging the PCIExpress interface be connected with object computer and the USB interface be connected with evidence obtaining computing machine, has plug-and-play feature.The data in calculator memory are directly read by PCIExpress interface; achieve the reading of object computer memory information under cryptoguard state (as screen protection, lock-out state); do not need operating software on computers, change very little to object computer running status.Owing to have employed PCIExpress interface bus, this equipment is made to have 64 bit address space access abilities, more than 4G physical memory data can be read, improve the dirigibility of online evidence obtaining and enhance integrality, the credibility of online evidence obtaining, there is very high use value.
System and a method according to the invention, by the support of computing machine to PCI-E equipment DMA function, makes it directly can carry out reading to the data in calculator memory and analyzes, extend useful information amount, improve the efficiency of evidence obtaining and emergency response.Secondly, in advance expansion card is installed relative in computer-internal, it only need be connected to by PCI-E expansion draw-in groove and wait computing machine of collecting evidence by native system, can read and write, install any software and hardware in advance without the need to general computer user or evidence obtaining personnel to its internal storage data.Especially, for the computing machine that offender uses, can not have preassembled expansion card, therefore, usable range is expanded relatively.Moreover utilize PCI-E bus peripheral hardware plug and play, hot swappable feature, carrying out collecting evidence with native system to ensure the instant acquisition of data, real-time.Then, utilize PCI-E equipment can send the feature of 64 bit address requests, relative to 1394 equipment, native system can access memory address in more than 4G data, the internal memory of acquisition has more integrality.Further, obtain internal memory with respect to software, native system provides better to be protected field data, the driver that the loading of system only needs a small amount of internal memory operation system to carry, the operation of system then not committed memory completely.Simultaneously native system can obtain the memory information of the computer system (Windows system and MacOSX system) under the cryptoguard state that is in (as screen protection, lock-out state).Native system evidence collecting method is simple, only needs the installation of simple plug and play hardware components, requires low to field technician, does not need the computer literacy possessing specialty, easy to utilize.
Accompanying drawing explanation
Fig. 1 is the schematic diagram of reading computer physics memory device of the present invention;
The schematic diagram that Fig. 2 is evidence obtaining computing machine, object computer is connected with internal memory fetch equipment;
Fig. 3 is the process flow diagram utilizing internal memory fetch equipment of the present invention to obtain internal storage data;
Fig. 4 is PCIExpressTLP packet header form;
Fig. 5 is the PCIExpress connecting interface of reading computer physics memory device of the present invention;
Fig. 6, Fig. 7 are the connection line figure of PEX8311 chip and PCIExpress interface;
Fig. 8 is the connected mode of CY7C68013A chip and peripheral circuit.
In figure: 1USB interface, 2PCIExpress interface, 3USB controller, 4PCI-E bridge controller, 5 supply modules, 6 program storages, 7CPLD logical device, 8 clock modules, 9 reseting modules, 10 bus logic module, 11 configuration interface modular converters, 12 data transmission interface modular converters, 13 internal memory fetch equipments, 14 evidence obtaining computing machines, 15 object computers.
Embodiment
Below in conjunction with accompanying drawing and embodiment, the invention will be further described.
As shown in Figure 1, give the schematic diagram being read the equipment of computer physics internal memory by PCIExpress bus of the present invention, it comprises USB controller 3, PCI-E bridge controller 4, usb 1, PCIExpress interface 2, CPLD logical device 7, power module 5, program storage 6, clock module 8, reseting module 9; Shown usb 1, PCIExpress interface 2 are connected with USB controller 3, PCI-E bridge controller 4 respectively, usb 1, PCIExpress interface 2 are connected with object computer with evidence obtaining computing machine respectively, are respectively used to the internal storage data of receiving target computing machine transmission and send internal storage data to evidence obtaining computing machine.
Shown supply module 5 provides burning voltage to USB controller 3 and PCI-E bridge controller 4, supply module 5 obtains the DC voltage of 5V from the power lead usb 1, exports after being translated into the operating voltage (3.3V) of USB controller 3 and PCI-E bridge controller 4.Clock module 8 is for providing the clock pulse signal needed for work to USB controller 3 and PCI-E bridge controller 4.Program storage 6 can adopt serial EEPROM chip, for depositing the firmware program of this equipment, is connected with USB controller 3 by I2C bus.Reseting module 9 is reset circuits of USB controller 3 and PCI-E bridge controller 4, realizes the reset response in equipment running process.
Shown USB controller 3 is connected by CPLD logical device 7 with PCI-E bridge controller 4, transmits with the data realized between USB controller 3 and PCI-E bridge controller.USB controller 3 adopts CY7C68013A chip, and CY7C68013A is not only built-in with 8051 microcontrollers, but also is provided with USB interface; PCI-E bridge controller 4 adopts PEX8311 chip, and PEX8311 chip is the conventional chip that conventional PCIExpress interface turns local bus.CPLD logical device 7 is made up of bus logic module 10, configuration interface modular converter 11 and data transmission interface modular converter 12, and CPLD logical device 7 can select EPM240 chip.16 bit data end of CY7C68013A are directly connected with low 16 bit data end of 32 bit data end of PEX8311, and high 16 bit data end of PEX8311 are connected with 16 bit data end of CY7C68013A through data transmission interface modular converter 12.
Bus logic module 10 is for determining the master slave mode of USB controller 3 and PCI-E bridge controller 4 in bus, and in the different stages, USB controller 3 and PCI-E bridge controller 4 are respectively as the main frame of bus with from machine; At any time, bus can only there is at most a main frame.Both are connected to bus logic module 10 respectively by two signal line, are bus request signal and bus grant respectively; First, when CY7C68013A prepares to start once to transmit, must first ask to take bus, after acquisition allows, CY7C68013A becomes bus host; After completing the configuration of PEX8311, CY7C68013A switches to from machine and discharges bus request signal, and now the bus request of PEX8311 just can obtain permission, and PEX8311 becomes bus host, starts DMA transmission.Time idle, the bus request signal of PEX8311 and CY7C68013A is all invalid, is both in idle condition.
Configuration interface modular converter 11 realizes interface sequence conversion and highway width conversion at configuration phase; The GPIF interface bit wide of CY7C68013A can only be configured to 8bit or 16bit, and PEX8311 can only be 32bit width under holotype, both do not mate, the holotype communication of 32bit width must be used the register configuration of PEX8311, therefore need here to use configuration interface modular converter 11 to do highway width conversion.Each time the read-write being decomposed into twice 16bit is needed to the access of PEX8311.Concrete steps are as follows: when writing PEX8311 register, first the high 16bit of 32bit data is write the inside working storage of CPLD logical device 7, then, while writing low 16bit, complete 32bit data one-time write PEX8311 inside is combined into the high 16bit in CPLD logical device 7.Read PEX8311 register similar, first the read operation initiated, by the working storage of high 16bit data stored in CPLD inside, low 16bit data are directly read back in CY7C68013A, then second time reads the temporal data of CPLD inside, and both synthesize complete 32bit data.
Data transmission interface modular converter 12 is for the read-write of batch data, and under data-transmission mode, PEX8311 is as main frame, and CY68013A uses SlaveFIFO interface as from machine.PEX8311 can be configured to use 16bit data width in dma mode, can mate like this with the data-line width of CY7C68013A, no longer needs to do data width conversion.But both interface sequences remain unmatched, CPLD is needed to make timing conversion.In dma mode, the data of object computer that PCI-E bridge controller 4 can will obtain from PCIExpress interface, transfer on the evidence obtaining computing machine that is connected with USB controller 3.
PCI-E bridge controller 4 is PCIExpress bus bridging chips to local bus, supports 3 kinds of data transfer modes: holotype, from pattern and DMA (direct memory access (DMA)) mode, is responsible for transmission and the reception of packet.3 kinds of data-transmission modes of PEX8311 are as follows:
A) holotype: the main equipment on local bus accesses PCIExpress Bus Memory Space and input/output space by PEX8311.
B) from pattern: PCIExpress bus master accesses local bus storage space and input/output space by PEX8311.
C) DMA transmission mode: PEX8311 is as the main equipment of two buses, can pass data mutually between PCIExpress Bus Memory Space and Local Bus Memory Space.
In the present invention, use holotype and DMA pattern these two kinds, do not used from pattern.DMA mode data transmission is fastest, does not need software to participate in transmitting procedure, and therefore data transmission is main uses this pattern.In addition because transmission is initiated by local bus end, so need to use holotype, by the main frame of local bus, PEX8311 chip internal register is configured, starts DMA transmission, after this switch to DMA pattern to carry out data transmission.
As shown in Figure 4, give PCIExpressTLP packet header form, the length of the internal memory that rear two bit representations of shown byte 3 and byte 2 obtain, byte 8 ~ byte 11 is for storing the high 32 of 64-bit addressing, and byte 12 ~ byte 15 is for storing the low 32 of 64-bit addressing.
As shown in Figure 5, giving the PCIExpress connecting interface schematic diagram into reading computer physics memory device of the present invention, is the definition of each pin of PCIExpress interface in figure.Fig. 6, Fig. 7 give the circuit connection diagram of the PEX8311 chip as PCI-E bridge controller 4, it adopts three pairs of differential signals to realize the transmitting-receiving of data, port PETp0, PETn0 realize the transmission of data, port PERp0, PERn0 realize the reception of data, and REFCLK+, REFCLK-are reference clock signal.The pin that these signals access PEX8311 is corresponding.Wherein the transmitting terminal of PEX8311 needs to seal in Capacitor apart direct current.
CPPE# and CLKREQ# is respectively card and inserts detection and clock request, herein direct ground connection.After card inserts slot, PC can detect card, starts power to it and provide clock signal.
Fig. 8 gives the circuit diagram of CY7C68013A chip as USB controller 3, and its 16 bit data port is directly connected with the low 16 bit data ports of PEX8311 chip, is also connected with low 16 bit ports of EX8311 chip by CPLD controller.
The internal memory acquisition methods being read the equipment of computer physics internal memory by PCIExpress bus of the present invention, is comprised the following steps:
A). equipment connection, be connected with the usb 1 of internal memory fetch equipment by evidence obtaining computing machine, object computer is connected with the PCIExpress interface 2 of internal memory fetch equipment;
As shown in Figure 2, give the schematic diagram that internal memory fetch equipment is connected with evidence obtaining computing machine, object computer, the USB interface of shown evidence obtaining computing machine 14 is connected with the USB interface on internal memory fetch equipment 13, and the PCIExpress interface on object computer 15 is connected with the PCIExpress interface on internal memory fetch equipment 13.
B). Equipments Setting, is configured to the Memory Controller Hub be connected with object computer with PCI-to-PCI bridge by internal memory fetch equipment, avoid information object computer occurring search driver;
In order on a target computer without the need to manual installation driver, PEX8311 bridging chip inside is made up of two parts, and one is that PCIExpress turns PCI bridge, and another is that PCI turns local bus bridge.The former is for the PCItoPCI bridge software aspect being exactly a standard, this equipment is built-in in an operating system driver, therefore can Auto-mounting.The latter is a self-defining equipment, and user can be configured as the equipment stated in any specification, and realizes its function.Here be configured as the Memory Controller Hub that system carries driving, can realize exempting from install driver.
Because all transmission of this equipment are all initiated by local bus end, PCIExpress end is passive reception request just, so do not need the participation of any software on object computer.
C). distribute pci bus number, device number, object computer is that internal memory fetch equipment distributes pci bus number and PCI device number, and object computer loads the driver of internal memory fetch equipment automatically;
D). parameter sends, and reading order, write order, memory address, internal memory length information as parameter, are sent in USB controller (3) by USB interface by evidence obtaining computing machine;
E). PCI allocation-E bridge controller, with USB controller be the main frame in bus, PCI-E bridge controller is from machine, the parameter that evidence obtaining computing machine sends is sent to PCI-E bridge controller, and PCI-E bridge controller is according to the packet of parametric configuration read-write physical memory;
When USB controller 3, PCI-E bridge controller 4 adopt CY7C68013A chip and PEX8311 chip respectively, in this step, the parameter that evidence obtaining computing machine sends is sent to PCI-E bridge controller and is realized by following steps:
Comprise the following steps to PCI-E bridge controller write data:
E-1) the gradation write of .32bit data, first the high 16bit of 32bit data writes in the inside working storage of CPLD logical device (7) by CY7C68013A, and then the low 16bit of 32bit data is write CPLD logical device;
E-2) combination of .32bit data, the high 16bit data that gradation receives by CPLD logical device, together with low 16bit data assemblies, form complete 32bit data;
E-3) write of .32bit data, CPLD logic device is by complete 32bit data write PEX8311 chip;
Following steps are drawn together from PCI-E bridge controller read data packet:
E-4) gradation of .32bit data is read, and by the working storage of the high 16bit of 32bit data stored in CPLD logical device, and low 16bit data is directly read back in CY7C68013A;
E-5) combination of .32bit data, CY7C68013A reads temporary high 16bit data from CPLD logical device, and low 16bit bit data, high 16bit bit data are combined as complete 32bit data.
F). configuration gets around UMA address field, gets around the UpperMemoryArea address field in object computer internal memory, obtains the internal storage data of object computer;
G). adopt DMA mode transfer data, PCI-E bridge controller obtains the internal storage data of object computer by PCIExpress bus, with PCI-E bridge controller be the main frame in bus, USB controller is from machine, by USB controller, internal storage data is sent to evidence obtaining computing machine in dma mode;
DMA mode transfer can realize the direct transmission that PCIExpress is interfaced to USB interface data, and data are write the I/O queue of USB controller by PCI-E controller, and determines whether to continue write according to the full state of I/O queue.
H). internal storage data analysis, evidence obtaining computing machine carries out School Affairs analysis to the internal storage data obtained.
The internal storage data that evidence obtaining computing machine obtains is binary file, and the method for calibration in this step is Hash verification.
The present invention is based on the feature that PCIExpress bussing technique and operating system can open DMA under specific circumstances, by means of the DMA data transfer mode of I/O equipment, the basic configuration of various operating system and plug-and-play feature, the access to object computer physical memory is realized by the mode of DMA, read physical memory packet is sent to evidence obtaining computing machine by Universal USB interface 1, realize the acquisition of internal storage data when changing very little to object computer internal memory, and there is the ability of read-write more than 4G physical memory.
Claims (3)
1. one kind is read the internal memory acquisition methods of the equipment of computer physics internal memory by PCIExpress bus, the equipment being read computer physics internal memory by PCIExpress bus comprises USB controller (3), PCI-E bridge controller (4), supply module (5) and clock module (8), and supply module, clock module provide power supply and clock pulse signal respectively to USB controller and PCI-E bridge controller; Described USB controller is connected by CPLD logical device (7) with PCI-E bridge controller, USB controller is provided with the USB interface (1) be connected with computing machine of collecting evidence, PCI-E bridge controller is provided with the PCIExpress interface (2) be connected with object computer; CPLD logical device transmits for the data realized between USB controller and PCI-E bridge controller;
It is characterized in that, the internal memory acquisition methods being read the equipment of computer physics internal memory by PCIExpress bus is comprised the following steps:
A). equipment connection, be connected with the USB interface (1) of internal memory fetch equipment by evidence obtaining computing machine, object computer is connected with the PCIExpress interface (2) of internal memory fetch equipment;
B). Equipments Setting, is configured to the Memory Controller Hub be connected with object computer with PCI-to-PCI bridge by internal memory fetch equipment, avoid information object computer occurring search driver;
C). distribute pci bus number, device number, object computer is that internal memory fetch equipment distributes pci bus number and PCI device number, and object computer loads the driver of internal memory fetch equipment automatically;
D). parameter sends, and reading order, write order, memory address, internal memory length information as parameter, are sent in USB controller (3) by USB interface by evidence obtaining computing machine;
E). PCI allocation-E bridge controller, with USB controller be the main frame in bus, PCI-E bridge controller is from machine, the parameter that evidence obtaining computing machine sends is sent to PCI-E bridge controller, and PCI-E bridge controller is according to the packet of parametric configuration read-write physical memory;
F). configuration gets around UMA address field, gets around the UpperMemoryArea address field in object computer internal memory, obtains the internal storage data of object computer;
G). adopt DMA mode transfer data, PCI-E bridge controller obtains the internal storage data of object computer by PCIExpress bus, with PCI-E bridge controller be the main frame in bus, USB controller is from machine, by USB controller, internal storage data is sent to evidence obtaining computing machine in dma mode;
H). internal storage data analysis, evidence obtaining computing machine carries out School Affairs analysis to the internal storage data obtained.
2. the internal memory acquisition methods being read the equipment of computer physics internal memory by PCIExpress bus according to claim 1, it is characterized in that, described USB controller (3), PCI-E bridge controller (4) adopt CY7C68013A chip and PEX8311 chip respectively, step e) in, the parameter that evidence obtaining computing machine sends is sent to PCI-E bridge controller and comprises the following steps:
Comprise the following steps to PCI-E bridge controller write data:
E-1) the gradation write of .32bit data, first the high 16bit of 32bit data writes in the inside working storage of CPLD logical device (7) by CY7C68013A, and then the low 16bit of 32bit data is write CPLD logical device;
E-2) combination of .32bit data, the high 16bit data that gradation receives by CPLD logical device, together with low 16bit data assemblies, form complete 32bit data;
E-3) write of .32bit data, CPLD logic device is by complete 32bit data write PEX8311 chip;
Following steps are drawn together from PCI-E bridge controller read data packet:
E-4) gradation of .32bit data is read, and by the working storage of the high 16bit of 32bit data stored in CPLD logical device, and low 16bit data is directly read back in CY7C68013A;
E-5) combination of .32bit data, CY7C68013A reads temporary high 16bit data from CPLD logical device, and low 16bit bit data, high 16bit bit data are combined as complete 32bit data.
3. the internal memory acquisition methods being read the equipment of computer physics internal memory by PCIExpress bus according to claim 1, it is characterized in that: evidence obtaining computing machine obtain internal storage data be binary file, step h) described in method of calibration be Hash verification.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310345706.7A CN103399830B (en) | 2013-08-09 | 2013-08-09 | The Apparatus and method for of computer physics internal memory is read by PCI Express bus |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310345706.7A CN103399830B (en) | 2013-08-09 | 2013-08-09 | The Apparatus and method for of computer physics internal memory is read by PCI Express bus |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103399830A CN103399830A (en) | 2013-11-20 |
| CN103399830B true CN103399830B (en) | 2016-01-06 |
Family
ID=49563462
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310345706.7A Active CN103399830B (en) | 2013-08-09 | 2013-08-09 | The Apparatus and method for of computer physics internal memory is read by PCI Express bus |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103399830B (en) |
Families Citing this family (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103617112A (en) * | 2013-11-28 | 2014-03-05 | 哈尔滨理工大学科技园发展有限公司 | Embedded safety recording instrument of computer |
| CN104699582A (en) * | 2015-03-24 | 2015-06-10 | 杭州华三通信技术有限公司 | Internal memory data acquiring device, method and system |
| CN105243040B (en) * | 2015-11-11 | 2019-01-18 | 中国电子科技集团公司第四十一研究所 | A kind of instrument stored program controlled and method for supporting USBTMC agreement based on PCIe bus |
| CN107968803B (en) * | 2016-10-20 | 2021-06-15 | 中国电信股份有限公司 | Remote evidence obtaining method and device for mobile terminal, mobile terminal and system |
| CN109542815A (en) * | 2018-09-28 | 2019-03-29 | 天津市英贝特航天科技有限公司 | A kind of high-speed d/a system and working method based on USB3.0 interface |
| CN111581139B (en) * | 2020-05-06 | 2022-05-17 | 浙江宇视科技有限公司 | Compatible processing method, device and equipment of PCIe equipment and storage medium |
| CN111737178B (en) * | 2020-06-18 | 2024-02-09 | 济南互信软件有限公司 | Method and equipment for obtaining evidence in computer memory and memory evidence analysis system |
| CN116383015A (en) * | 2023-06-06 | 2023-07-04 | 成都安思科技有限公司 | Physical memory noninductive evidence obtaining system and method based on extensible board plug-in type |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101419536A (en) * | 2008-12-02 | 2009-04-29 | 山东省计算中心 | Computer internal memory data acquiring method and system |
| CN202205195U (en) * | 2011-07-14 | 2012-04-25 | 山东省计算中心 | Equipment for reading and writing physical memory of computer through IEEE 1394 interface |
| CN203386206U (en) * | 2013-08-09 | 2014-01-08 | 山东省计算中心 | Device for reading physical memory of computer through PCI Express interface |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN202564744U (en) * | 2011-12-28 | 2012-11-28 | 钰创科技股份有限公司 | Bridger between high-speed peripheral assembly interconnection port and USB 3.0 device |
-
2013
- 2013-08-09 CN CN201310345706.7A patent/CN103399830B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101419536A (en) * | 2008-12-02 | 2009-04-29 | 山东省计算中心 | Computer internal memory data acquiring method and system |
| CN202205195U (en) * | 2011-07-14 | 2012-04-25 | 山东省计算中心 | Equipment for reading and writing physical memory of computer through IEEE 1394 interface |
| CN203386206U (en) * | 2013-08-09 | 2014-01-08 | 山东省计算中心 | Device for reading physical memory of computer through PCI Express interface |
Non-Patent Citations (2)
| Title |
|---|
| PCI Express总线接口板的设计与实现;李丹等;《现代电子技术》;20090228;第32卷(第04期);158-161 * |
| 基于PCI Express总线的数据传输卡的设计与实现;周立国等;《电子测量技术》;20071130;第30卷(第11期);28-31 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103399830A (en) | 2013-11-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103399830B (en) | The Apparatus and method for of computer physics internal memory is read by PCI Express bus | |
| US9952643B2 (en) | Device power management state transition latency advertisement for faster boot time | |
| CN103870429B (en) | Based on the igh-speed wire-rod production line plate of embedded gpu | |
| JP2011065685A (en) | Bus system based on open type core protocol | |
| US8339869B2 (en) | Semiconductor device and data processor | |
| CN107194257B (en) | Trusted system based on domestic TCM chip | |
| JP4839484B2 (en) | Bus connection device, bus connection method, and bus connection program | |
| CN114116378A (en) | Method, system, terminal and storage medium for acquiring PCIe device temperature | |
| CN110968352B (en) | Reset system and server system of PCIE equipment | |
| EP2639703B1 (en) | Device for booting soc chip and soc chip | |
| Gaikwad et al. | Verification of AMBA AXI on-chip communication protocol | |
| CN111737178B (en) | Method and equipment for obtaining evidence in computer memory and memory evidence analysis system | |
| CN113824741A (en) | IIC device communication method, apparatus, device, system and medium | |
| TW201344444A (en) | Motherboard and data processing method thereof | |
| CN102708079B (en) | Be applied to the method and system of the control data transmission of microcontroller | |
| CN207650794U (en) | A kind of desktop mainboard based on Feiteng processor | |
| Chhikara et al. | Implementing communication bridge between I2C and APB | |
| US8473920B2 (en) | Application initiated tracing of its operation beginning with reset | |
| CN203386206U (en) | Device for reading physical memory of computer through PCI Express interface | |
| CN107770228B (en) | 1-Wire communication system and method based on CPCI master control | |
| CN113867835B (en) | Device and method for dynamic loading of DSP | |
| CN210323963U (en) | Safety main control board based on Shenwei 121 processor | |
| Li et al. | A new method of evolving hardware design based on IIC bus and AT24C02 | |
| Wei et al. | Design of the USB download interface based on embedded POS | |
| CN203133831U (en) | High-frequency ground wave radar receiver data transmission interface based on USB |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 250014 Ji'nan Province, Shandong Province, Lixia District, Department of road, No. 19, Shandong Computing Center Patentee after: SHANDONG COMPUTER SCIENCE CENTER Address before: 250014 Ji'nan Province, Shandong Province, Lixia District, Department of road, No. 19, Shandong Computing Center Patentee before: Shandong Prov. Computing Center |
|
| EE01 | Entry into force of recordation of patent licensing contract |
Application publication date: 20131120 Assignee: Shandong Zhengfang Renhe Information Technology Co., Ltd. Assignor: SHANDONG COMPUTER SCIENCE CENTER Contract record no.: 2016370000039 Denomination of invention: Equipment and method for reading computer physical memory through PCI Express bus Granted publication date: 20160106 License type: Common License Record date: 20160729 |
|
| LICC | Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model |