Acquisiting Text Documents Opened by Notepad from Windows7 RAM Image

Transcription

1 Journal of Computational Information Systems 10: 16 (2014) Available at Acquisiting Text Documents Opened by Notepad from Windows7 RAM Image Tao XIAO, Ming XU, Jian XU, Yizhi REN, Haiping ZHANG, Ting WU, Ning ZHENG College of Computer, Hangzhou Dianzi University, Hangzhou , China Abstract The text documents opened by Notepad are important forensic objects in MS Windows memory forensic field, because the Notepad is a widely used text editing program bind with the Windows system. This paper proposed a method for recovering text documents from windows7 memory image based on reconstructed process space for Notedpad. Firstly the Notepad s Eprocess is located in Windows7 memory image. Then using the items in the Eprocess, such as Pcb, Peb, and VadRoot, to reconstruct Notepad s memory space. At last, the text documents opened by Notepad could be recovered from the Notepad s memory space. The results of experiment show that the proposed method can successfully get the physical locations of the system Eprocess, and recover text documents opened by Notepad from windows7 memory image. Keywords: Memory Forensics; Eprocess; Windows 7; VAD; Notepad 1 Introduction Memory Forensics is a novel and fast growing field in computer forensics, providing access to volatile information unavailable from disk image. In prior, Computer forensics analysis mainly means file system forensics, but there are some information we can not acquire from disk image, such as the running processes, the opening ports, the loading modules and so on. As the antiforensics developed, memory forensics was commenced when malware writers began reducing their footprints on the victim s hard disk and storing crucial information within the machine s memory [1]. Current researches have shown that extracting useful message, such as the mapped files, the opened network connection and so on, from memory is possible [2]. Physical Address Extension (PAE) is a feature to allow 32-bit x86 central processing units (CPUs) to access a physical address space (including random access memory and memory mapped devices) larger than 4 GB. This paper focuses on the MS Windows7 SP1 which not uses the PAE mechanism. But our method will also apply to the computer which uses the PAE mechanism just make a little change in the phase of address translation. This paper uses the relations between windows7 kernel Corresponding author. address: mxu@hdu.edu.cn (Ming XU) / Copyright 2014 Binary Information Press DOI: /jcis11511 August 15, 2014

2 7118 T. Xiao et al. /Journal of Computational Information Systems 10: 16 (2014) objects to reconstruct Notepad process space from Windows7 memory image, and then recovery text documents based on the recovered Notepad process space. Because Notepad is a windows bundled program, it always be used the as a plain text edit program to take some short note and simple information, Such as take notes, and record a telephone number. As we all know, the running progress data must be loaded into memory, so the text documents opened by Notepad could be found in the memory image. Notepad is a plain text editor so it is different from other composite document editor programs such as the Microsoft office word and Portable Document Format (PDF). This characteristic can be used to simplify the recovery procedure. The reminder of this paper is organized as follows. Section 2 provides background information and introduces related works briefly. Section 3 describes the related data structures about reconstructing Notepad.exe process space. Section 4 proposes the method to recovery the text documents from memory image. Section 5 gives the results of experiments. Finally the summary section is in the last section. 2 Related Work In 2004, Brain D. Carrier and Joe Grand discussed the possibility of reliably and accurately extracting evidence from the volatile memory. But, before 2005, memory forensic mainly use the command, like strings, to extract evidences from the memory image, such as password, IP address, and -address so on. In 2005, Digital Forensics Research Workshop (DFRWS) organized a challenge about Windows 2000 memory forensics in order to motivate discourse, research and tool development in memory forensics field [3]. In 2006, AArron Walters developed a Forensic Analysis Toolkit (FATKit) which is a new cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory [4]. In the paper published by Andreas Schuster puts forward a systematic method to list the system processes and threads from running Windows [5]. PTfinder (Andreas Schuster 2006) is a Perl project which can list the processes and threads in the running system also. Volatility Framework implemented in Python under the GNU General Public License is a completely open collection of tools developed by a workshop directed by Aaron Walters, for the extraction of digital artifacts from volatile memory (RAM) samples [6]. Meanwhile, Forensic analysis of the Windows registry in memory (Brendan Dolan-Gavitt, 2008) describes how to extract the registry structure directly from memory by Memory Forensics technology [7]. Because the traditional methods can not locate the Eprocess accurately, Lihai Wang put forward a new method based on KPCR to solve the problem. The method to locate Eprocess based on Kpcr use the PsActieveProcess to traverse the Eprocess list. Jesse D. Kornblum takes the data which has swap to disk into account in the forensic phase. Brendan Dolan-Gavitt researched the VAD tree and uses it to traverse the process virtual memory space [8]. In 2010 Yuhang Gao did a Forensics for QQ from a Live System and acquired the contact list, the QQ account, the chats records, the QQ discussion group, the display names, and the contents of network Notepad [9]. Some researchers use relationship between system kernel object and the file carving technology to try recovering the documents form memory image. R.B. van Baar described a method for recovering files mapped in memory and linking mapped-file information process data. But a whole method for a specific program did not have proposed in detail. We will show a method to recover text documents from Windows memory image.

3 T. Xiao et al. /Journal of Computational Information Systems 10: 16 (2014) Related Windows Kernel Data Structures Fig. 1: The relationship of kernel data structures Fig. 2: The recovery procedure 3.1 Eprocess and VAD The Eprocess structure is an opaque structure that serves as the process object for a process. Eprocess is the only one kernel structure that can represent a new process. It not only has many attributes describe the process s state but also has many handles which point to other important internal structures. For example, The UniqueProcessId is actually PID which is the identification of every progress. InheritedFromUniqueProcessId is the progress s parent process PID. ImageFileName and other items in Eprocess are also import for examiners. Pcb point to the Kprocess, the ptr32 Peb point to the Peb. The Eprocess object plays an import role in Windows scheduling and resource allocation. Process scheduling is necessary because Windows based system is a multi-task operating system. Resource allocation is also significant for any process run on the system. We can use the windbg tool, which was the component of Debugging Tools for Windows, or the livekd.exe to debug the target machine, and then we can acquire the Eprocess structure of the forensic machine. Especially the item of ActiveProcessLinks makes all Eprocess link together as a double link list. The system kernel object PsActiveProcessHead is point to the double link list s head. So we can traverse it by the PsActiveProcessHead or other Eprocess node. The windows memory manager module use Virtual Address Descriptor (VAD) tree to describe memory range of a process. When a process use the windows API function VirtualAlloc to allocate memory, the memory manager will create an entry in the VAD tree. The corresponding page directory and page table will be created as soon as the process tries to reference that memory page. This mechanism can provide significant memory saving for processes that allocate a large amount of memory but access it sparsely. The VAD tree is a self-balance binary tree: at any given node, memory addresses lower than those contained at the current node can be found in

4 7120 T. Xiao et al. /Journal of Computational Information Systems 10: 16 (2014) the left sub tree and higher ranges in the right sub tree. The VAD structure is not specially documented by Microsoft. However, it is discussed by some researchers for it is important for the kernel fancier. Brendan Dolan-Gavitt give a brief description about the three types of the VAD nodes. But he does not tell that VadRoot in the Eprocess is not the real root of the AVL tree. 3.2 The relationship between the kernel object Windows kernel object links to each other by pointers, some kernel objects are part of others. The Fig. 1 shows the Eprocess structure and its related structure in the 32-bit Windows7 system. This relationship between the kernel object can be detected by debugging the system with the tool windbg. Such as the item of Pcb is a KPROCESS structure, the Peb item is a 32 pointer and point to a PEB structure. Other version system relationship can also acquire by debug the target machine. At last we find that the entire kernel are stored in the high 2GB virtually address space and the low 2GB space is used for use space. 4 Recovering Text Approach Examiners are faced with mess data as the physical memory is big and unordered. Windows based systems all implement the virtual memory management mechanism. Each process has an individual process address space of 4GB. This mechanism guarantees each process can not be disturbed by others. In fact, the whole process space contains everything that the examiners interest such as the Directory Table Base (DTB), the handle point to the load module list, process s data and so on. Examiners can acquire some information by reconstructing the whole process space. Our approach to recovery text document from memory is based on reconstructing the Notepad memory space by windows memory forensic technology. The Fig. 2 describes the procedure to recovering txt. From the procedure we can know the input is just a windows7 RAM image and the output is the text documents opened by Notepad. MoonSols DumpIt is a fusion of win32dd and win64dd in one executable. No option is asked to the end-user only double click on the executable is enough to generate a copy of the physical memory in the current directory and the dump image is a raw format. So, firstly examiners can use the MoonSols DumpIt tool to dump the memory image from the target running machine. As the image is raw format we can also use the windbg to debug this dump image. Then uses methods describe in the next the Eprocess structure of Notepad progress can location successfully. The item VadRoot in the Eprocess is a ptr32 pointer which point to a MMAVL TABLE structure. The first item of the MMAVL TABLE is MMADDRESS NODE which is the component of MMVAD and the two of them can transform easily. All the MMVAD node makes up a VAD tree. In MMVAD the items of the StartingVPN and the EndingVPN tell us the virtual address space. The virtual space is start in (StartingVPN*0x18) and end with (EndingVPN*0x18+0xfff). So use the address translation examiners can get the physical address space. The InloadOrderModuleList is the item of PEB LDR DATA. So the all module loaded could be acquired by traversing the link list which head point by InloadOrderModuleList. Then the space that used by the loaded can be get and the left space is used for stack section or data section. Just as Fig. 2 describe the main process is to create the VAD tree about Notepad, the information of the VAD node is used to identify the memory space of the progress forensics.

5 T. Xiao et al. /Journal of Computational Information Systems 10: 16 (2014) Address translation In the period of image analysis the operation of addresses is frequent, but these addresses are virtual address. Windows uses virtual addresses to abstract the memory storage system from the rest of the operating system and other programs. The operating system presents each program with a large private virtual address space. The Windows system will translates the virtual address into a physical address when a program references a virtual address. Windows use the virtual memory mechanism, so the data that the process request in the runtime could be in main memory or on the disk. This paper did not take the data in the disk into account, if you want take this part data into account, you can use the FTK Imager tool to get the memory image which can get the swap out data in the disk [11]. The virtual address is split into three main sections including page directory index, page table index and byte index. Address translation is generally a three stage procedure. Every process on a Windows system maintains a DirectoyTableBase variable. On an x86 systems this value is stored in the CR3 register when the process is running. This value contains the base address of the table of Page Directory Entries (PDES) for that process. The page directory index is used to locate the PDE address. The PDE is used to locate the base address of a page of Page Table Entries (PTEs). Combination with the page table index examiners can get the PTE. The physical address can easy get by combination PTE and byte index. As shown in the Fig. 3, the virtual address is the 32 bit the system used; pde value is the content which pointed by the PDE; same as it, pte value is the value which pointed by the PDE; physical address is the address which really in the windows physical memory. 4.2 Find eprocess Windows system will create an Eprocess as soon as get the user s running program request. So the Eprocess is the only one structure can stand for a program. The method this paper proposed must locate the Notepad Eprocess. Then use the information of Eprocess and the relationship between the kernel objects to reconstruct the address space. There are two methods can be used to location the Eprocess. First, as we all know, every windows kernel object has an object header and the Eprocess has a header too. We use the debug tool windbg s dt command to debug the structure of Eprocess. Then we find that the Eprocess s head is a DISPATCHER HEADER. The magic number of the DISPATCHER HEADER is 0x and ExitStatus of an Eprocess is always 0x So use this rule can location the Eprocess successfully. The item ActiveProcessLinks in the Eprocess links all Eprocesses into a double linked list, so the Eprocess double link list can acquire by the KPCR. 4.3 Traverse VAD tree As the Fig. 4 shown we can get the VADRoot when the Eprocess has been located successfully. Then use the address translation function to calculate the physical address and go to the physical offset pointed by VADRoot. After great number of the experiments, it is show that the VADRoot not point the VAD tree s root, because the item LeftChild of the node pointed by VADRoot was always NULL. And we discovered that the item RightChild of the node pointed by VADRoot point to the root of VAD tree. So the VADRoot does not point to the VAD tree root node just

6 7122 T. Xiao et al. /Journal of Computational Information Systems 10: 16 (2014) point to the head of the VAD tree where some flag of VAD tree stored. Corresponding the items LeftChild, RightChild, StartingVpn, EndingVpn would get. Once the LeftChild and RightChild acquired and their value is not null traversing the child tree recursively. After go through the VAD tree we can get virtual space the progress used. CR3 Page Directory index Page Table Index Byte Index Physical Address 0X84c53e63(VADRoot) 0x x NULL 0X84c49e50 0x760b0000-0x76183fff Page Directory Entry Page Table Entry 0X848c4260 0x00a x0163ffff 0x84c511f8 0x x76578fff 0x84c1ad30(data section) 0x002d0000-0x003cffff 0X848c4260(NotePad.exe) 0x00a x00a3ffff Fig. 3: Address translating Fig. 4: Portion of VAD tree 4.4 Reconstructing notepad process space Once the VAD tree has been established, we can use the tool vadinfo.py to display the info of each VAD node. The loaded model is linked as a double linked list and it was pointed by InLoadOrderModuleList. So the VAD node which has been used by the system can know. After a serious experiment we find that the progress Notepad s data section always managed by the VAD node which flag is PAGE READWRITE and the data is always in the biggest one. So combination the two features the text document could be acquired and recovered. One thing need pay attention to is data in windows memory use Unicode encoding while it use ANSI in disk image. 5 Evaluating Experiments Several experiments were performed to testing the effect of the method proposed by this paper. It proved that acquiring some text document from the memory is possible. We can get all the system Eprocess physical location and use the Eprocess we can refactoring the progress memory space and do some recovery or forensics. At last the text document has been recovered from the memory image successfully. 5.1 Find norepad.exe eprocess and traverse the VAD tree Locating the Eprocess physical address is the most important step in our method. Use the method mentioned above the Notepad.exe s Eprocess is found successfully. The target windows7

7 T. Xiao et al. /Journal of Computational Information Systems 10: 16 (2014) machine use little-endian pattern. As Fig. 5 shown, the physical address of the Notepad.exe is 0x3E453BE8. The Flink is 0x84A938F0 which point to next Eprocess. The DTB is 0x1D4EC000 and the PID is 0x000007C0. The Fig. 5 shows that the Notepad.exe Eprocess has been found successfully. From the Eprocess we can get the VADRoot is 0x84C53E630. After address translation we can get the physical address is 0x3E453E60. Then we could get the VAD tree s root virtual address is 0X84C99E50. Then the VAD tree s root node could establish. Then set up the VAD tree recursively. Then result is shown in Fig. 6. The location mean the VAD node virtual address, start vpn mean the start of the virtual page number and end vpn mean the end of the virtual page number. So the virtual address space could get. Meanwhile we must calculate every page s address space. It means that the address continue in virtual address space does not continue in physical address. Fig. 5: Acquiring the Eprocess of Notepad.exe Fig. 6: Acquiring the Notepad.exe VAD tree node 5.2 Text document recovery In this paper we create a text document and edit it by Notepad. Then we dump the memory image and try to recover the text document. At last, classified the node is needed because the high 2GB address space is system address space. So the text document is in the low 2GB address for it is user data. It means the VAD node whose start vpn greater than 0x is not eligible. At last we find that the node start with 0x2D0 and end with 0x3CF is the first eligible node. In some paper the think that the physical address space is continuous, but after a serious experiment we find that the address translation must one by one. The recovery result is show in Fig. 7 and as space limited not all the content has shown and Fig. 8 show the txt document opened by Notepad. Compared with other memory forensics tools, such as Encase and Volatility, the proposed method can acquire process data directly and accuracy. 6 Conclusion In this paper, we proposed a method to acquire the text document from the memory. As shown, it is possible to reconstruct progress memory space by using the VAD tree and then recover some

8 7124 T. Xiao et al. /Journal of Computational Information Systems 10: 16 (2014) Fig. 7: The result of the recovered text document Fig. 8: The txt opened by notepad data from the image memory. Recover text document form memory is a good example for the Windows Memory Forensics technology applies. Meanwhile if the disassembly technologies can combine with the Windows Memory Forensics technology more information will be found soon. The method put forward in this paper can also be used to reconstruct other process s memory space, so it can also find other sensitive information in the memory image. Such as the record of web surfing, the opening program, the loaded model and so on. Acknowledgement This work is supported by the Natural Science Foundation Natural Science Foundation of China under Grant No , the Zhejiang Province key industrial projects in the priority themes of China under Grant No. 2010C11050, the Zhejiang Province Natural Science Foundation of China under Grant No. LY12F02006, the science and technology search planned projects of Zhejiang Province under Grant No. 2012C21040, the soft science research project of Hangzhou under Grant No M15. References [1] Stefan Vomel, Johannes Stttgen, An evaluation platform for forensic memory acquisition software. Digital Investigation, : p. S30-S40. [2] Stefan Vomel, Freiling F C. Correctness, atomicity, and integrity: Defining criteria for forensicallysound memory acquisition. Digital Investigation, (2): p [3] Challenge, D.F., [4] Petroni Jr N L, Walters A A, Fraser T, et al. FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory [J]. Digital Investigation, 2006, 3(4): [5] Schuster, A., Searching for processes and threads in Microsoft Windows memory dumps. digital investigation, : p [6] Framework, T.V., [7] Dolan-Gavitt, B., Forensic analysis of the Windows registry in memory. Digital Investigation, : p. S26-S32. [8] Dolan-Gavitt, B., The VAD tree: A process-eye view of physical memory. Digital Investigation, : p [9] Gao, Y. and T. Cao, Memory forensics for qq from a live system. Journal of Computers, (4): p [10] Zhang, S., et al. Exploratory study on memory analysis of windows 7 operating system [11] Kornblum, J.D., Using every part of the buffalo in Windows memory analysis. Digital Investigation, (1): p