Kernel Mode RAM Driver for RAM Imaging on Windows

In digital forensics, first response and live analysis hold an important place in the process of obtaining electronic evidence. Obtaining evidence from volatile data through live analysis is carried out by taking an image of RAM (Random Access Memory). To carve data from the acquired image, the whole of RAM has to be copied. However, since Windows uses User Mode by default, only the running processes can be accessed. For this reason, RAM imaging software has to run at the Kernel Mode level. In this study, a RAM driver was developed with the WDK (Windows Driver Kit) so that RAM imaging software can run in Kernel Mode. The developed driver runs on Windows 8, 8.1 and 10 (32-bit and 64-bit). Through the developed RAM driver, the virtual addresses, physical addresses and page tables of RAM can be accessed, which allows imaging software that uses the driver to copy RAM bit-to-bit. In addition, a RAM imaging program was developed in C++ using this driver. When loaded into RAM, the imaging software occupies 156 KB. The developed RAM driver and software are observed to use the least RAM among imaging tools. Moreover, there is no study in the literature on a Kernel Mode RAM driver developed with the WDK.

Development of Kernel Mode RAM Driver for RAM Image on Windows

In the field of computer forensics, live analysis through immediate intervention is an important way of gathering electronic evidence. The way to obtain evidence from volatile data using live analysis is to take an image of the RAM (Random Access Memory). The entire RAM has to be copied in order to carve data from this image. However, since User Mode is the default mode in Windows operating systems, only the running processes can be accessed. Therefore, RAM imaging software needs to work at the Kernel Mode level. In this study, a RAM driver was developed using the WDK (Windows Driver Kit) to enable RAM imaging software to run in Kernel Mode. The developed driver works on Windows 8, 8.1 and 10 (32-bit and 64-bit) operating systems. Virtual addresses, physical addresses and page tables of RAM can be accessed using the developed RAM driver. In this way, image acquisition software using this driver is able to carry out bit-to-bit copying of RAM. In addition, a program to acquire a RAM image in C++ using this driver has also been developed. When the imaging software is loaded into RAM it occupies 156 KB of space. Compared to the existing image acquisition software, the developed RAM driver and software seem to use the least RAM. In addition, there are no examples of Kernel Mode RAM drivers developed using the WDK in the literature.

Süleyman Demirel Üniversitesi Fen Bilimleri Enstitüsü Dergisi
  • ISSN: 1300-7688
  • Publication frequency: 3 issues per year
  • First published: 1995
  • Publisher: Süleyman Demirel University