CN109634823B - Method for analyzing dormant data of Windows operating system - Google Patents
Publication number: CN109634823B (application CN201811462241.2A)
Authority: CN (China)
Prior art keywords: operating system, data, windows operating, page, recovery
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3466—Performance evaluation by tracing or monitoring
- G06F11/3476—Data logging
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/4401—Bootstrapping
- G06F9/4418—Suspend and resume; Hibernate and awake
Abstract
The invention discloses a method for analyzing hibernation data of a Windows operating system, comprising the following steps: S001, importing a hibernation file of the Windows operating system; S002, judging whether the hibernation file belongs to a version earlier than Windows 8, and if so executing step S005, otherwise executing step S003; S003, parsing the hibernation file, acquiring the first boot restore page and the first kernel restore page, and acquiring the offset addresses of their respective restore sets; S004, parsing the restore set, acquiring the data of the compression set, and ending the process; S005, extracting the hibernation data of the Windows operating system; S006, obtaining and parsing the compression blocks of the hibernation data.
Description
Technical Field
The invention belongs to the field of digital forensics and in particular relates to a method for analyzing hibernation data of a Windows operating system.
Background
Beginning with Windows 2000, Microsoft introduced a mechanism that lets the Windows operating system save its current running state when the machine is powered off: the entire contents of memory and the CPU register state are written to the system file hiberfil. When the computer is powered on again, the system state from before the power-off can be restored from that file.
Because the hibernation data of a Windows operating system holds the volatile contents of the entire memory, the hibernation file is a valuable information source for digital forensics.
In the prior art, memory forensics tools such as Volatility and Rekall can analyze the hibernation data of a Windows operating system, but no specific technical scheme for analyzing that data has been disclosed.
Disclosure of Invention
To address this shortcoming of the prior art, the invention provides a method for analyzing the hibernation data of a Windows operating system that selects the parsing method by judging whether the current hibernation file belongs to a version earlier than Windows 8. The method comprises the following steps:
S001, importing a hibernation file of a Windows operating system;
S002, judging whether the hibernation file belongs to a version earlier than Windows 8; if so, executing step S005, otherwise executing step S003;
S003, parsing the hibernation file, acquiring the first boot restore page and the first kernel restore page, and acquiring the offset addresses of their respective restore sets;
S004, parsing the restore set, acquiring the data of the compression set, and ending the process;
S005, extracting the hibernation data of the Windows operating system;
S006, obtaining and parsing the compression blocks of the hibernation data of the Windows operating system.
Preferably, step S002 comprises the steps of:
S0021, reading the value of the signature field in the header structure;
S0022, judging whether the value of the signature field in the header structure equals \x81\x81xpress; if so, executing step S005, otherwise executing step S003.
Step S003 comprises the steps of:
S0031, using the first address 0x0000 of the hibernation file as the starting address, reading 0x1000 bytes as a page object holding the memory image structure, which comprises a signature field, a first boot restore page and a first kernel restore page; the signature field is a state value stored as ASCII characters, where HIBR or hibr denotes hibernated, RSTR denotes restoring, WAKE denotes resumed, and HORM denotes that the Windows operating system always resumes from the latest hibernation file;
S0032, reading the value of the first boot restore page and multiplying it by 0x1000 to obtain the offset address of the restore set of the boot restore page, the offset being relative to the first address 0x0000 of the hibernation file;
S0033, reading the value of the first kernel restore page and multiplying it by 0x1000 to obtain the offset address of the restore set of the first kernel restore page, the offset being relative to the first address 0x0000 of the hibernation file.
Preferably, step S004 comprises the steps of:
S0041, each restore set consists of a plurality of compression sets, each compression set consists of 16 physical memory pages of 4 KB, and the data of the compression sets is obtained; each compression set begins with a compression set header structure as its starting identifier;
S0042, the first 8 bytes of the compression set header represent the number of page descriptors; a number equal to 0 or greater than 16 indicates that the current hibernation file is damaged;
S0043, the 22 bytes following the page descriptors represent the size of the compressed data; if the size of the compressed data equals the number of physical memory pages in the compression set, the data of the physical memory pages is not compressed, otherwise it is compressed.
Preferably, step S006 comprises the steps of:
S0061, each data set consists of a plurality of compression blocks, each compression block is a physical memory page of 4 KB in length, and each compression block begins with an image header structure as its starting identifier;
S0062, the first 8 bytes of the image header structure represent a signature field whose value equals \x81\x81xpress;
S0063, the 10 bytes following the signature field represent the uncompressed pages, whose value gives the physical page number;
S0064, the 22 bytes following the uncompressed pages represent the data size of the compression block; if the data size is an integral multiple of 4 KB, the data of the compression block is uncompressed, otherwise it is compressed.
Preferably, the file name of the hibernation file of the Windows operating system is hiberfil.
The method has the beneficial effect of solving the technical problem that the prior art provides no method for analyzing the hibernation data of a Windows operating system.
Drawings
FIG. 1 is a main flow diagram of the present invention;
FIG. 2 is a diagram illustrating a data structure of a header structure according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a data structure of a hibernation file of a Windows 8 operating system according to an embodiment of the present invention.
Detailed Description
The invention is further illustrated with reference to the figures and examples. As shown in FIG. 1, the method of the present invention comprises the steps of:
S001, importing the hiberfil.sys of a Windows operating system;
S002, judging whether the hibernation file hiberfil.sys belongs to a version earlier than Windows 8; if so, executing step S005, otherwise executing step S003. The specific steps comprise:
S0021, FIG. 2 shows the data structure of the header structure in an embodiment of the present invention; the value of the signature field Signature in the header structure _IMAGE_XPRESS_HEADER is read;
S0022, judging whether the value of the signature field Signature in the header structure _IMAGE_XPRESS_HEADER equals \x81\x81xpress; if so, executing step S005, otherwise executing step S003.
S003, parsing the hibernation file, acquiring the first boot restore page FirstBootRestorePage and the first kernel restore page FirstKernelRestorePage, and acquiring the offset addresses of their respective restore sets, wherein step S003 comprises the following steps:
S0031, FIG. 3 shows the data structure of the hibernation file hiberfil.sys of a Windows 8 operating system in an embodiment of the present invention. Using the first address 0x0000 of the hibernation file as the starting address, 0x1000 bytes are read as a page object holding the memory image structure PO_MEMORY_IMAGE, which comprises the signature field Signature, the first boot restore page FirstBootRestorePage and the first kernel restore page FirstKernelRestorePage; the signature field Signature is a state value stored as ASCII characters, where HIBR or hibr denotes hibernated, RSTR denotes restoring, WAKE denotes resumed, and HORM denotes that the Windows operating system always resumes from the latest hibernation file;
S0032, reading the value of the first boot restore page FirstBootRestorePage and multiplying it by 0x1000 to obtain the offset address of the restore set (Restore Set) of the boot restore page, the offset being relative to the first address 0x0000 of the hibernation file;
S0033, reading the value of the first kernel restore page FirstKernelRestorePage and multiplying it by 0x1000 to obtain the offset address of the restore set of the first kernel restore page, the offset being relative to the first address 0x0000 of the hibernation file.
S004, parsing the restore set (Restore Set), acquiring the data of the compression set (Compression Set), and ending the process; step S004 comprises the following steps:
S0041, each restore set consists of a plurality of compression sets, each compression set consists of 16 physical memory pages of 4 KB, and the data of the compression set is obtained; each compression set begins with the compression set header structure Compression_Set_Header as its starting identifier;
S0042, the first 8 bytes of the compression set header Compression_Set_Header represent the number of page descriptors; a number equal to 0 or greater than 16 indicates that the current hibernation file is damaged;
S0043, the 22 bytes following the page descriptors represent the size of the compressed data SizeOfCompressedData; if SizeOfCompressedData equals the number of physical memory pages in the compression set, the data of the physical memory pages is not compressed, otherwise it is compressed.
S005, extracting the hibernation data of the Windows operating system;
the method of step S005 is disclosed in the patent application entitled "A method for extracting hibernation data of Windows operating system", application number 2018105012357, filed 23 May 2018, which is incorporated herein by reference in its entirety.
S006, obtaining and parsing the compression blocks (Compression Block) of the hibernation data of the Windows operating system, wherein step S006 comprises the following steps:
S0061, each data set (XPRESS Set) consists of a plurality of compression blocks, each compression block is a physical memory page of 4 KB in length, and each compression block begins with the image header structure _IMAGE_XPRESS_HEADER as its starting identifier;
S0062, the first 8 bytes of the image header structure _IMAGE_XPRESS_HEADER represent the signature field Signature, whose value equals \x81\x81xpress;
S0063, the 10 bytes following the signature field Signature represent the uncompressed pages UncompressedPages, whose value gives the physical page number;
S0064, the 22 bytes following UncompressedPages represent the data size CompressedSize of the compression block; if CompressedSize is an integral multiple of 4 KB, the data of the compression block is uncompressed, otherwise it is compressed.
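As an added worked example (not code from the patent, and not an implementation by its applicant), the following Python script carries the S001 to S006 procedure above over two constructed sample files; it serves equally the identical step list in the Disclosure section. It dispatches on the \x81\x81xpress signature (S002), converts FirstBootRestorePage and FirstKernelRestorePage into restore-set offsets by multiplying by 0x1000 with a bounds check (S003), decodes a Compression_Set_Header with the descriptor-count and compressed-size checks of S0042/S0043 (S004), and decodes an _IMAGE_XPRESS_HEADER with the multiple-of-4-KB rule of S0064 (S006). Three things are assumptions the patent does not state: the 8-, 10- and 22-wide fields are treated as bit fields packed into a single little-endian 32-bit word (the layout documented by open-source hibernation-file parsers), the offsets of the two restore-page fields inside page 0 are placeholder constants, and the page descriptor is assumed to be an 8-byte value whose low four bits hold the page count minus one. A real tool would take all three from a per-build profile. The sample files are built inside the script and are not real hiberfil.sys content.

```python
import struct

PAGE_SIZE = 0x1000
XPRESS_SIGNATURE = b"\x81\x81xpress"  # S0022 / S0062
IMAGE_STATES = {b"HIBR": "hibernated", b"hibr": "hibernated", b"RSTR": "restoring",
                b"WAKE": "resumed", b"HORM": "always resume from latest file"}  # S0031
# Assumed (placeholder) offsets of FirstBootRestorePage / FirstKernelRestorePage in
# page 0. The patent gives none and they differ between Windows builds.
FIRST_BOOT_RESTORE_PAGE_OFF = 0x68
FIRST_KERNEL_RESTORE_PAGE_OFF = 0x70


def is_legacy_format(hiber: bytes) -> bool:
    """S002: a file beginning with the xpress signature uses the pre-Windows 8 layout."""
    return hiber[:8] == XPRESS_SIGNATURE


def parse_memory_image(hiber: bytes) -> dict:
    """S003: read page 0 as PO_MEMORY_IMAGE; restore-page number * 0x1000 = set offset."""
    if len(hiber) < PAGE_SIZE:
        raise ValueError("file shorter than one page; header incomplete")
    sig = hiber[:4]
    if sig not in IMAGE_STATES:
        raise ValueError(f"unknown PO_MEMORY_IMAGE signature {sig!r}")
    boot_page = struct.unpack_from("<Q", hiber, FIRST_BOOT_RESTORE_PAGE_OFF)[0]
    kern_page = struct.unpack_from("<Q", hiber, FIRST_KERNEL_RESTORE_PAGE_OFF)[0]
    result = {"state": IMAGE_STATES[sig], "boot_restore_set": boot_page * PAGE_SIZE,
              "kernel_restore_set": kern_page * PAGE_SIZE}
    for key in ("boot_restore_set", "kernel_restore_set"):
        if result[key] + 4 > len(hiber):  # a restore set must lie inside the file
            raise ValueError(f"{key} offset 0x{result[key]:x} lies outside the file")
    return result


def parse_compression_set(hiber: bytes, off: int) -> dict:
    """S004: Compression_Set_Header as one 32-bit word: 8-bit descriptor count, 22-bit size."""
    word = struct.unpack_from("<I", hiber, off)[0]
    n_descs = word & 0xFF
    size = (word >> 8) & 0x3FFFFF
    if n_descs == 0 or n_descs > 16:  # S0042: damaged file
        raise ValueError(f"descriptor count {n_descs} at 0x{off:x}: hibernation file damaged")
    # Assumed descriptor encoding (8 bytes each): low 4 bits = page count - 1, rest = page number.
    descs = struct.unpack_from(f"<{n_descs}Q", hiber, off + 4)
    total_pages = sum((d & 0xF) + 1 for d in descs)
    return {"number_of_descs": n_descs, "size_of_compressed_data": size,
            "total_pages": total_pages,
            # S0043: a size equal to the set's page bytes means the pages are stored raw
            "compressed": size != total_pages * PAGE_SIZE}


def parse_xpress_block(hiber: bytes, off: int) -> dict:
    """S006: _IMAGE_XPRESS_HEADER = 8-byte signature + 32-bit word (10-bit pages, 22-bit size)."""
    if hiber[off:off + 8] != XPRESS_SIGNATURE:
        raise ValueError(f"no xpress signature at 0x{off:x}")
    word = struct.unpack_from("<I", hiber, off + 8)[0]
    pages = (word & 0x3FF) + 1            # both counts are stored minus one
    csize = ((word >> 10) & 0x3FFFFF) + 1
    return {"uncompressed_pages": pages, "compressed_size": csize,
            "compressed": csize % PAGE_SIZE != 0}  # S0064: multiple of 4 KB => raw pages


def analyze(hiber: bytes) -> dict:
    """S001-S006 dispatch: legacy files go to S005/S006, newer ones to S003/S004."""
    if is_legacy_format(hiber):
        return {"format": "legacy", "block": parse_xpress_block(hiber, 0)}
    sets = parse_memory_image(hiber)
    return {"format": "windows8+", **sets,
            "boot_set": parse_compression_set(hiber, sets["boot_restore_set"]),
            "kernel_set": parse_compression_set(hiber, sets["kernel_restore_set"])}


# --- Constructed sample files (not real hiberfil.sys content) -------------------
def build_win8_sample() -> bytes:
    img = bytearray(3 * PAGE_SIZE)
    img[:4] = b"HIBR"
    struct.pack_into("<Q", img, FIRST_BOOT_RESTORE_PAGE_OFF, 1)    # boot set at page 1
    struct.pack_into("<Q", img, FIRST_KERNEL_RESTORE_PAGE_OFF, 2)  # kernel set at page 2
    # page 1: 2 descriptors covering 1 + 3 pages, size == 4 * 0x1000 -> stored raw
    struct.pack_into("<I2Q", img, PAGE_SIZE, 2 | (0x4000 << 8), (0x10 << 4) | 0, (0x20 << 4) | 2)
    # page 2: 1 descriptor covering 16 pages, size 0x2345 -> compressed
    struct.pack_into("<IQ", img, 2 * PAGE_SIZE, 1 | (0x2345 << 8), (0x30 << 4) | 0xF)
    return bytes(img)


def build_win7_sample() -> bytes:
    word = (16 - 1) | ((0x1800 - 1) << 10)  # 16 pages packed into 0x1800 bytes
    return XPRESS_SIGNATURE + struct.pack("<I", word) + bytes(20)


if __name__ == "__main__":
    print(analyze(build_win8_sample()))
    print(analyze(build_win7_sample()))
```

Running the script prints one result per sample: the Windows 8 style file resolves to restore sets at 0x1000 and 0x2000, one stored raw and one compressed, and the legacy file decodes to 16 pages in 0x1800 bytes, so it is flagged compressed. Corrupting the descriptor count to zero makes parse_compression_set raise, which is the S0042 damage check an analyst would want before handing the block to a decompressor.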
The method provided by the invention solves the technical problem that the prior art provides no method for analyzing the hibernation data of a Windows operating system.
It is to be understood that the invention is not limited to the examples described above, but that modifications and variations are possible to those skilled in the art in light of the above teachings, and that all such modifications and variations are intended to be included within the scope of the invention as defined in the appended claims.
Claims (4)
1. A method for analyzing hibernation data of a Windows operating system, characterized by comprising the following steps:
S001, importing a hibernation file of a Windows operating system;
S002, judging whether the hibernation file belongs to a version earlier than Windows 8; if so, executing step S005, otherwise executing step S003;
S003, parsing the hibernation file, acquiring the first boot restore page and the first kernel restore page, and acquiring the offset addresses of their respective restore sets;
S004, parsing the restore set, acquiring the data of the compression set, and ending the process; step S004 comprises the following steps:
S0041, each restore set consists of a plurality of compression sets, each compression set consists of 16 physical memory pages of 4 KB, and the data of the compression sets is obtained; each compression set begins with a compression set header structure as its starting identifier;
S0042, the first 8 bytes of the compression set header represent the number of page descriptors; a number equal to 0 or greater than 16 indicates that the current hibernation file is damaged;
S0043, the 22 bytes following the page descriptors represent the size of the compressed data; if the size of the compressed data equals the number of physical memory pages in the compression set, the data of the physical memory pages is not compressed, otherwise it is compressed;
S005, extracting the hibernation data of the Windows operating system;
S006, acquiring and parsing the compression blocks of the hibernation data of the Windows operating system; step S006 comprises the following steps:
S0061, each data set consists of a plurality of compression blocks, each compression block is a physical memory page of 4 KB in length, and each compression block begins with an image header structure as its starting identifier;
S0062, the first 8 bytes of the image header structure represent a signature field whose value equals \x81\x81xpress;
S0063, the 10 bytes following the signature field represent the uncompressed pages, whose value gives the physical page number;
S0064, the 22 bytes following the uncompressed pages represent the data size of the compression block; if the data size is an integral multiple of 4 KB, the data of the compression block is uncompressed, otherwise it is compressed.
2. The method for analyzing hibernation data of a Windows operating system as claimed in claim 1, wherein step S002 comprises:
S0021, reading the value of the signature field in the header structure;
S0022, judging whether the value of the signature field in the header structure equals \x81\x81xpress; if so, executing step S005, otherwise executing step S003.
3. The method for analyzing hibernation data of a Windows operating system according to claim 2, wherein step S003 comprises the steps of:
S0031, using the first address 0x0000 of the hibernation file as the starting address, reading 0x1000 bytes as a page object holding the memory image structure, which comprises a signature field, a first boot restore page and a first kernel restore page; the signature field is a state value stored as ASCII characters, where HIBR or hibr denotes hibernated, RSTR denotes restoring, WAKE denotes resumed, and HORM denotes that the Windows operating system always resumes from the latest hibernation file;
S0032, reading the value of the first boot restore page and multiplying it by 0x1000 to obtain the offset address of the restore set of the boot restore page, the offset being relative to the first address 0x0000 of the hibernation file;
S0033, reading the value of the first kernel restore page and multiplying it by 0x1000 to obtain the offset address of the restore set of the first kernel restore page, the offset being relative to the first address 0x0000 of the hibernation file.
4. The method of claim 3, wherein the hibernation file of the Windows operating system has the filename hiberfil.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811462241.2A CN109634823B (en) | 2018-12-03 | 2018-12-03 | Method for analyzing dormant data of Windows operating system |
Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN109634823A (en) | 2019-04-16 |
| CN109634823B (en) | 2022-03-04 |

Family ID: 66070444
Families Citing this family (1)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110457899B | 2019-08-12 | 2021-06-01 | 北京无线电测量研究所 | Operating system protection system and method |

Citations (3)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101620460A | 2008-07-02 | 2010-01-06 | 联想(北京)有限公司 | Computer system dormancy method and computer system |
| CN103984543A | 2014-04-24 | 2014-08-13 | 浪潮电子信息产业股份有限公司 | Method for implementing standby, hibernation and wake-up on domestic FeiTeng processor |
| CN108829571A | 2018-05-23 | 2018-11-16 | 四川巧夺天工信息安全智能设备有限公司 | A method of extracting Windows operating system dormant data |

Family Cites Families (1)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6954852B2 | 2002-04-18 | 2005-10-11 | Ardence, Inc. | System for and method of network booting of an operating system to a client computer using hibernation |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |