Development of Kernel Mode RAM Driver for RAM Image on Windows

Abstract

In the process of obtaining electronic evidence in digital forensics, first response and live analysis hold an important place. Obtaining evidence from volatile data through live analysis is carried out by acquiring an image of RAM (Random Access Memory). To carve data from the acquired image, the whole of RAM has to be copied. However, because the Windows operating system runs software in User Mode by default, only the running processes can be accessed. For this reason, RAM imaging software has to run at the Kernel Mode level. In this study, a RAM driver was developed with the WDK (Windows Driver Kit) so that RAM imaging software can run in Kernel Mode. The developed driver runs on the Windows 8, 8.1 and 10 (32-bit and 64-bit) operating systems. Through the developed RAM driver, the virtual addresses, physical addresses and page tables of RAM can be accessed, which enables imaging software that uses the driver to copy RAM bit-to-bit. In addition, a RAM imaging program was developed in the C++ language using this driver. When loaded into RAM, the imaging software occupies 156 KB. The developed RAM driver and software were observed to use the least RAM among imaging software. Furthermore, there is no study in the literature on a Kernel Mode RAM driver developed with the WDK.


Introduction
In the prosecution of cybercrimes, electronic evidence is needed rather than physical evidence. In particular, RAM must be accessed in order to collect evidence [1]. This means copying the data stored in RAM onto a disk using image acquisition software. Electronic evidence is then obtained by applying data-carving methods to the image [2].
Studies conducted in the 1990s revealed how important the data stored in RAM is; however, no method for obtaining this data had yet been developed [3]. The first RAM image acquisition and analysis application, KNTTools, was developed in 2005; with KNTTools, the RAM image is subjected to a thread search analysis [4]. In studies made between 2006 and 2012 on Windows XP, data of less than 4 KB was extracted from RAM using search and carve methods. With the restriction of full access to RAM in the Windows Vista operating system, these studies lost their validity [5][6][7][8][9][10]. For the Windows Vista, 7, 8, 8.1 and 10 operating systems, a Kernel Mode RAM driver is required in order to obtain RAM images [11]. RAM drivers, and image acquisition software using such drivers, have been developed by commercial companies and open source developers; however, the studies in the literature were all carried out using commercially available software [12].
In Windows operating systems the RAM image shows what operations were performed by the user. In the studies in the literature, RAM was scanned to identify pictures, document files, malware and running processes [13][14][15][16]. The results obtained from the scans were found to vary depending on the operating system version, the RAM capacity and the way the image was acquired. In the analysis process, a high success rate has been achieved in detecting pictures, malware and running processes [13,14]. However, the success rate for recovering data from document files is very low [15,16].
There are two types of security level in the Windows operating system: ring0 (kernel mode) and ring3 (user mode). The commands sent directly from the processor to the RAM are processed in Kernel Mode. Applications that run through APIs run in User Mode since they do not have direct hardware access [17].
In Windows operating systems 50% of the available RAM is allocated to Kernel Mode for exclusive use and the remaining 50% to User Mode [18]. The operating system performs virtual addressing in RAM with 4 KB page sizes. For a 32-bit process, the maximum virtual address space is 2 GB in size, in the address range 0x00000000 through 0x7FFFFFFF. For a 64-bit process, the maximum virtual address space is 8 TB in size, in the address range 0x000'00000000 through 0x7FF'FFFFFFFF [19].
In our study a Kernel Mode RAM Driver was developed for use in RAM image acquisition software. When the driver is installed on the system it provides Kernel Mode access to the software using it. This allows access to all of the virtual and physical addresses created for RAM. The RAM image acquisition software was developed using the coded Kernel Mode RAM Driver.

Kernel mode and user mode
There are four different security levels for x86 or x64 processors: ring0 (kernel mode), ring1, ring2 and ring3 (user mode) [20]. In Windows operating systems, only Kernel Mode and User Mode are utilized. The processor switches between the two modes depending on the type of command that runs on it. Applications run in User Mode. The core operating system components run in Kernel Mode. While many drivers run in Kernel Mode, some drivers are able to run in User Mode. When a User Mode application is started, the Windows operating system creates a process for the application. The process provides an application-specific virtual address space and a private handle table. Since an application's virtual address space is private, the application cannot change the data of another application. Each application runs in isolation: if it crashes, the crash is confined to that application, and other applications and the operating system are not affected [21]. At the User Mode security level the virtual address space is limited. A process running in User Mode cannot access the virtual addresses reserved for the operating system. Limiting the virtual address space of a User Mode application prevents the application from changing and damaging critical system data. Commands running in Kernel Mode share a single common virtual address space. Therefore, if a Kernel Mode driver mistakenly writes to a different virtual address, it could put the operating system's or another driver's data in jeopardy. In addition, if a Kernel Mode driver generates an error in the system, the operating system is also affected by this error [22]. The diagram in Figure 1 shows the interaction structure between User Mode and Kernel Mode components.

RAM management
The virtual address range available to a process is called the process's virtual address space. In User Mode each process has its own virtual address space. For a 32-bit process the virtual address space is between 0x00000000 and 0x7FFFFFFF. For a 64-bit process the virtual address space is between 0x000'00000000 and 0x7FF'FFFFFFFF. The virtual addresses defined for the process are also called virtual memory [18]. Figure 2 shows the location of two 64-bit processes named myapp.exe and myapp1.exe in RAM. Both processes are located at addresses in the virtual address space, and both are stored in the shaded 4 KB pages. In the virtual address space, three adjacent addresses of the myapp.exe process and two adjacent addresses of the myapp1.exe process are mapped to non-adjacent addresses in the RAM pages. Moreover, the pages of the two processes are stored at physical addresses that differ from their virtual addresses [24]. In User Mode the virtual address space is 2 GB for the 32-bit operating system and 8 TB for the 64-bit system. In Kernel Mode the virtual address space is 2 GB for the 32-bit operating system and 248 TB for the 64-bit system [24].
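The virtual-to-physical mapping described above, as an added example that is not the paper's driver code: a C simulation of the x64 four-level page-table walk (CR3, PML4, PDPT, PD, PT, 4 KB pages) over tables built in memory, reproducing the Figure 2 situation in which three adjacent virtual pages of one process are backed by non-adjacent physical frames. The virtual and physical addresses and the eight-frame table pool are constructed for illustration.

```c
#include <stdint.h>
/* Added example, not the paper's driver code: a 4-level x64 page-table walk
 * (CR3 -> PML4 -> PDPT -> PD -> PT) over constructed tables, showing how the
 * adjacent virtual pages of Figure 2 land on non-adjacent physical frames. */
#define PAGE_SIZE   4096ULL
#define PTE_PRESENT 0x1ULL
#define PFN_MASK    0x000FFFFFFFFFF000ULL /* bits 12..51 hold the frame address */
#define NFRAMES     8                    /* constructed pool of 4 KB table frames */
static uint64_t phys[NFRAMES][PAGE_SIZE / 8]; /* frame 0 is the PML4 that CR3 targets */
static int next_frame = 1;                    /* next free frame for a new table */
static uint64_t *table_at(uint64_t pa) { return phys[pa / PAGE_SIZE]; }
static unsigned idx(uint64_t va, int lvl) { return (va >> (39 - 9 * lvl)) & 0x1FF; }
/* Walk the tables for va; returns 0 and *pa, or -1 if some level is not present
 * (unmapped, or paged out to pagefile.sys, which is why the image includes it). */
int translate(uint64_t cr3, uint64_t va, uint64_t *pa) {
    uint64_t table = cr3 & PFN_MASK;
    for (int lvl = 0; lvl < 4; lvl++) {
        uint64_t e = table_at(table)[idx(va, lvl)];
        if (!(e & PTE_PRESENT)) return -1;
        table = e & PFN_MASK;
    }
    *pa = table | (va & (PAGE_SIZE - 1));
    return 0;
}
/* Map one 4 KB page va -> pa, allocating intermediate tables from the pool. */
int map_page(uint64_t cr3, uint64_t va, uint64_t pa) {
    uint64_t table = cr3 & PFN_MASK;
    for (int lvl = 0; lvl < 3; lvl++) {
        uint64_t *e = &table_at(table)[idx(va, lvl)];
        if (!(*e & PTE_PRESENT)) {
            if (next_frame >= NFRAMES) return -1;
            *e = (uint64_t)next_frame++ * PAGE_SIZE | PTE_PRESENT;
        }
        table = *e & PFN_MASK;
    }
    table_at(table)[idx(va, 3)] = (pa & PFN_MASK) | PTE_PRESENT;
    return 0;
}
/* Figure 2 scenario with constructed addresses: three adjacent virtual pages of one
 * process backed by scattered frames. Returns va's physical address or UINT64_MAX. */
uint64_t demo_translate(uint64_t va) {
    uint64_t cr3 = 0, pa;               /* CR3 points at frame 0, the PML4 */
    if (next_frame == 1) {              /* build the tables on first call */
        map_page(cr3, 0x7FF00000000ULL, 0x12345000ULL);
        map_page(cr3, 0x7FF00001000ULL, 0x0007A000ULL);
        map_page(cr3, 0x7FF00002000ULL, 0x0009C000ULL);
    }
    return translate(cr3, va, &pa) == 0 ? pa : UINT64_MAX;
}
```

A real acquisition reads the tables from the live physical memory of the target instead of a constructed pool, but the index arithmetic and the present-bit check are the same.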

EPROCESS
All processes running on the Windows operating system are kept in the EPROCESS (Executive Process) table. The EPROCESS table stores the process ID, creation date, release date, and exit status information of the running process [19].

PEB
The Process Environment Block (PEB) is one of the data structures referenced from EPROCESS; it stores the properties, attributes, memory addresses, operating system version and DLL information of the running process. In addition, the start address of the running process is also obtained from the PEB [12].

File_Object
The File_Object table is where the I/O functions, file names and cache information of the terminated processes created by the Windows operating system are kept. At the same time, File_Object also contains the folder and device information for open files [25].

Pagefile.sys
Pagefile.sys is the system file that the Windows operating system uses as a temporary memory when RAM capacity is insufficient. This system file must be included in the RAM image in order to perform a complete analysis in computer forensics processes [25].

Windows driver kit
The WDK is the library used to develop User Mode or Kernel Mode drivers in C++ on the Visual Studio platform, as shown in Figure 3. To use a User Mode or Kernel Mode driver developed with the WDK, it has to be signed and tested. The Windows Hardware Certification Kit and the Hardware Lab Kit are used for signing and testing with the WDK.

Kernel mode ram driver development
The Windows driver was developed in the C++ programming language from the WDK template using the Windows Driver Frameworks (WDF) library. The WDK required to develop the driver is included in the Visual Studio 2015 and 2017 platforms, and it supports Windows 7 and later operating systems.
The developed driver needs a digital signature in order to run in the operating system. Extended Validation Code Signing Certificates (EVCSC) were used to provide the digital signature for the Kernel Mode driver. EVCSC are digital signing certificates, issued on the hardware security modules that the operating system requires for running a Kernel Mode driver; for commercial use the certificate is purchased from security companies. During driver development and testing with the WDK, digital signing is done with the Test Certificate Kit, which is software that enables the Kernel Mode driver to be tested and used in the Windows operating system. To use a certificate generated with the Test Certificate Kit, the Windows operating system must be configured with "disable driver signing enforcement" in its startup settings.
When a new kernel driver is installed in the operating system, it communicates with the I/O, Power and Plug & Play managers. During the initial installation of the driver, a request is sent to the I/O manager. This request is made with the IRP (I/O Request Packet) parameters in the driver file, and the driver being loaded must respond correctly to the I/O manager's request with the IRP parameters. If incorrect parameters are sent, this causes lockups, freezes or blue screen errors, since the driver runs in Kernel Mode [12].
The driver development process begins with opening a new Kernel Mode Driver template in Visual Studio 2017, as shown in Figure 4. In the new project template, driver.c was created to implement the driver, and the C++ library file address_pte_list was created to access the addresses in the PTE. The functions DriverEntry and A2SRamDriverEvtDeviceAdd, which send requests to the I/O manager, are defined in driver.c as in Figure 5. The FILE_READ_DATA flag from the wdm.h header of the WDF is used to give the driver read access to RAM addresses, and the IoCreateDeviceSecure call has to be set up as shown in Figure 6. After the driver is loaded into the system, the device is identified by name so that the image acquisition software can access RAM through it:

#define A2S_DEVICE_NAME L"a2sram"

When the driver is loaded into the system, the IRP parameters are communicated to the I/O manager through the IRP_MJ_READ and IRP_MJ_WRITE major function codes, which are referenced from wdm.h as shown in Figure 7. The __outword and __inword functions of wdm.h provide access to RAM address ranges using the functions shown in Figure 8. In addition, test data and read commands are sent to each address; in this way, address jumps are prevented when the RAM image is taken. The RAM driver must have a digital signature file in order to be loaded into the operating system. The digital signature is obtained by following the path Signing > Test Certificate > Create Test Certificate in the project's Properties window (Figure 9).

Testing the kernel mode driver
To create the Kernel Mode RAM driver's system files, the project must first be compiled. After compilation, the driver file A2SRamDriver.sys and the installation file A2SRamDriver.inf are generated in the Debug folder. The driver is compiled separately for 32-bit and 64-bit in Visual Studio, producing a driver file for each.
The developed RAM driver file needs to be tested with image acquisition software. Image acquisition was carried out with different RAM capacities on the Windows 8, 8.1 and 10 (32- and 64-bit) operating systems. The 2 GB pagefile.sys file allocated by memory management is also included in the image. The driver usage model for the image acquisition software is given in Figure 10. As can be seen in Figure 11, the driver was loaded into the system successfully and a bit-to-bit image of RAM was taken.

Conclusion and Future Work
The operating system stores user-generated processes and data in RAM. Therefore, data crucial to the prosecution of cybercrimes is very likely to be found in RAM, and a bit-to-bit image must be acquired in order to collect it.
The purpose of the study is to copy the entire contents of RAM from the user interface of the operating system. A Kernel Mode driver that provides full access to RAM has been developed to achieve this goal. The developed Kernel Mode RAM driver has been tested on the Windows 8, 8.1 and 10 (32- and 64-bit) operating systems, and image acquisition has been achieved. The durations of image capture in each operating system version for different RAM sizes are given in Table 1. As can be seen, the larger the RAM size, the longer it takes to obtain an image. Moreover, whether the operating system is installed on a virtual or a physical machine has no effect on the image acquisition time. When acquiring a RAM image, the image acquisition software needs to occupy the minimum of RAM space, since loading the acquisition software can overwrite existing data. The developed RAM driver and image acquisition software take up 156 KB of RAM. Therefore, this software is less likely to cause data loss than the image acquisition software listed in Table 2. There are studies in the literature involving kernel process development [7]; these studies worked on Windows Vista and earlier operating systems [7,11].
There are no studies related to the development of Kernel Mode RAM drivers. The images used in RAM analysis were taken from open source code or commercial software [3,5,8,9].
The study was developed with a view to application in computer forensics. The Kernel Mode driver provides access to all RAM addresses and operations. Future work includes data carving on the RAM image, with the goal of recovering such user information as passwords, pictures, Word and PDF files through file searching and file carving.