Research Article

A Kernel Mode RAM Driver for RAM Imaging on Windows

Year 2019, Volume: 23 Issue: 2, 498 - 504, 25.08.2019
https://doi.org/10.19113/sdufenbed.529039

Abstract

In the field of digital forensics, first response and live analysis play an important part in the process of obtaining electronic evidence. Obtaining evidence from volatile data through live analysis is carried out by taking an image of RAM (Random Access Memory). To carve data from the acquired image, the whole of RAM must be copied. However, because user mode is used by default in the Windows operating system, only the running processes can be accessed from it. For this reason, RAM imaging software must run at the Kernel Mode level. In this study, a RAM driver was developed with the WDK (Windows Driver Kit) so that RAM imaging software can run in Kernel Mode. The developed driver runs on the Windows 8, 8.1 and 10 (32-bit and 64-bit) operating systems. Through the developed RAM driver, the virtual addresses, physical addresses and page tables of RAM can be accessed. Thus imaging software that uses the driver is able to copy RAM bit-for-bit. In addition, a RAM imaging program was developed in C++ using this driver. When loaded into RAM, the imaging software occupies 156 KB. The developed RAM driver and software were observed to use the least RAM among imaging tools. Furthermore, there is no study in the literature on a Kernel Mode RAM driver developed with the WDK.



Development of Kernel Mode RAM Driver for RAM Image on Windows


Abstract

In the field of computer forensics, live analysis through immediate first response is an important way of gathering electronic evidence. Evidence is obtained from volatile data in live analysis by taking an image of the RAM (Random Access Memory). The entire RAM has to be copied in order to extract data from this image. However, since user mode is the default mode in Windows operating systems, only the running processes can be accessed from it. Therefore, RAM imaging software needs to work at the Kernel Mode level. In this study, a RAM driver was developed using the WDK (Windows Driver Kit) to enable RAM imaging software to run in Kernel Mode. The developed driver works on the Windows 8, 8.1 and 10 (32-bit and 64-bit) operating systems. Virtual addresses, physical addresses and page tables of RAM can be accessed through the developed RAM driver. In this way, image acquisition software using this driver is able to carry out bit-to-bit copying of RAM. In addition, a program that acquires a RAM image, written in C++ and using this driver, has also been developed. When loaded into RAM, the imaging software occupies only 156 KB. Compared to existing image acquisition software, the developed RAM driver and software appear to use the least RAM. In addition, there are no examples of Kernel Mode RAM drivers developed using the WDK in the literature.
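To make the "bit-to-bit copy of RAM" in the abstract concrete, here is an added example (not the paper's own code) of the user-mode acquisition loop that an imaging tool built on such a driver would run. The `read_page_fn` backend, the `phys_range_t` list and the 8-page fake machine are constructed for this example; in a real tool the backend would be the call into the kernel-mode driver and the ranges would come from the firmware memory map.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define DEMO_PAGES 8

/* One physically contiguous RAM range. A real tool takes these from the firmware
   memory map; the demo below constructs them. */
typedef struct { uint64_t start, length; } phys_range_t;

/* Backend that copies one physical page into 'out'; 1 = ok, 0 = unreadable
   (device-mapped or reserved). In a real tool this is the call into the driver. */
typedef int (*read_page_fn)(void *ctx, uint64_t phys, uint8_t *out);
typedef struct { uint64_t pages_copied, pages_unreadable; } acquire_stats_t;

/* Bit-for-bit copy: image offset == physical address, so unreadable pages are
   zero-filled (and counted) rather than skipped, and holes between ranges are
   left untouched so every image offset still maps 1:1 to a physical address. */
acquire_stats_t acquire_ranges(const phys_range_t *r, size_t n, read_page_fn rd,
                               void *ctx, uint8_t *image, size_t image_len)
{
    acquire_stats_t st = {0, 0};
    for (size_t i = 0; i < n; i++)
        for (uint64_t p = r[i].start; p < r[i].start + r[i].length; p += PAGE_SIZE) {
            if (p + PAGE_SIZE > image_len) return st;      /* buffer exhausted */
            if (rd(ctx, p, image + p)) st.pages_copied++;
            else { memset(image + p, 0, PAGE_SIZE); st.pages_unreadable++; }
        }
    return st;
}

/* Constructed fake machine: 8 pages whose bytes equal their page index; page 3
   behaves like an unreadable device-mapped page. */
static uint8_t fake_ram[DEMO_PAGES * PAGE_SIZE];
static int fake_read_page(void *ctx, uint64_t phys, uint8_t *out) {
    uint64_t idx = phys / PAGE_SIZE; (void)ctx;
    if (idx >= DEMO_PAGES || idx == 3) return 0;
    memcpy(out, fake_ram + idx * PAGE_SIZE, PAGE_SIZE); return 1;
}
uint8_t g_image[DEMO_PAGES * PAGE_SIZE];   /* raw image, offset == phys address */
/* Image the fake machine described as two ranges (pages 0-3 and 5-7; page 4 is
   a hole); the 0xFF sentinel shows which bytes the acquisition never wrote. */
acquire_stats_t run_demo(void) {
    phys_range_t r[2] = { {0, 4 * PAGE_SIZE}, {5 * PAGE_SIZE, 3 * PAGE_SIZE} };
    for (unsigned i = 0; i < DEMO_PAGES; i++) memset(fake_ram + i * PAGE_SIZE, (int)i, PAGE_SIZE);
    memset(g_image, 0xFF, sizeof g_image);
    return acquire_ranges(r, 2, fake_read_page, NULL, g_image, sizeof g_image);
}
```

Running `run_demo()` copies 6 pages, records 1 unreadable page (page 3, zero-filled) and leaves the hole at page 4 untouched, which is the layout a raw physical image needs for later page-table walking.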


Details

Primary Language English
Subjects Engineering
Journal Section Articles
Authors

Ahmet Ali Süzen 0000-0002-5871-1652

Kubilay Taşdelen 0000-0001-5664-3898

Ecir Uğur Küçüksille 0000-0002-3293-9878

Publication Date August 25, 2019
Published in Issue Year 2019 Volume: 23 Issue: 2

Cite

APA Süzen, A. A., Taşdelen, K., & Küçüksille, E. U. (2019). Development of Kernel Mode RAM Driver for RAM Image on Windows. Süleyman Demirel Üniversitesi Fen Bilimleri Enstitüsü Dergisi, 23(2), 498-504. https://doi.org/10.19113/sdufenbed.529039
AMA Süzen AA, Taşdelen K, Küçüksille EU. Development of Kernel Mode RAM Driver for RAM Image on Windows. SDÜ Fen Bil Enst Der. August 2019;23(2):498-504. doi:10.19113/sdufenbed.529039
Chicago Süzen, Ahmet Ali, Kubilay Taşdelen, and Ecir Uğur Küçüksille. “Development of Kernel Mode RAM Driver for RAM Image on Windows”. Süleyman Demirel Üniversitesi Fen Bilimleri Enstitüsü Dergisi 23, no. 2 (August 2019): 498-504. https://doi.org/10.19113/sdufenbed.529039.
EndNote Süzen AA, Taşdelen K, Küçüksille EU (August 1, 2019) Development of Kernel Mode RAM Driver for RAM Image on Windows. Süleyman Demirel Üniversitesi Fen Bilimleri Enstitüsü Dergisi 23 2 498–504.
IEEE A. A. Süzen, K. Taşdelen, and E. U. Küçüksille, “Development of Kernel Mode RAM Driver for RAM Image on Windows”, SDÜ Fen Bil Enst Der, vol. 23, no. 2, pp. 498–504, 2019, doi: 10.19113/sdufenbed.529039.
ISNAD Süzen, Ahmet Ali et al. “Development of Kernel Mode RAM Driver for RAM Image on Windows”. Süleyman Demirel Üniversitesi Fen Bilimleri Enstitüsü Dergisi 23/2 (August 2019), 498-504. https://doi.org/10.19113/sdufenbed.529039.
JAMA Süzen AA, Taşdelen K, Küçüksille EU. Development of Kernel Mode RAM Driver for RAM Image on Windows. SDÜ Fen Bil Enst Der. 2019;23:498–504.
MLA Süzen, Ahmet Ali et al. “Development of Kernel Mode RAM Driver for RAM Image on Windows”. Süleyman Demirel Üniversitesi Fen Bilimleri Enstitüsü Dergisi, vol. 23, no. 2, 2019, pp. 498-04, doi:10.19113/sdufenbed.529039.
Vancouver Süzen AA, Taşdelen K, Küçüksille EU. Development of Kernel Mode RAM Driver for RAM Image on Windows. SDÜ Fen Bil Enst Der. 2019;23(2):498-504.

e-ISSN: 1308-6529