Analysis of the Effect of VSM on the Memory Acquisition Process Using the Dynamic Analysis Method

Keywords: Live Forensics


I. INTRODUCTION
Digital forensics, or simply forensics, is the branch of forensic science used to examine digital evidence when a case requires digital items to be handled and identified; it is applied above all to investigating the contents of digital devices and is often associated with crime [1]. Digital investigators use information found on an attacker's computer to find clues that help prove a case. One source of such digital evidence is main memory (RAM), which holds up-to-the-moment information about the programs currently running.
Computer forensics is an investigation and analysis technique consisting of the identification, preparation, extraction, documentation and interpretation of the data found on a computer, so that it can serve as evidence of a cybercrime incident [2]. Live forensics has a known problem: some tools crash when the computer has VSM (virtual secure mode) active on a 64-bit operating system with an x64-based processor, and the evidence that was to be captured is lost. The cause therefore needs to be found. Several software-based memory acquisition tools exist, namely Autopsy, IsoBuster, DumpIt and Magnet RAM Capture. In the experiments carried out here, the tool that crashed was DumpIt v1.3.2.20110401.
VSM is a Hyper-V based container that isolates the lsass.exe process from the rest of a running Windows 10 machine. This reduces the risk that credentials are extracted from the computer with a tool such as mimikatz and then used in pass-the-hash attacks. It is worth noting that VSM only protects domain credentials [3]. Each partition contains an operating system environment. If that environment is Windows based, it consists of the usual parts of Windows: system support processes, services, applications, the Windows subsystem, the hardware abstraction layer and kernel drivers. Each partition works within its own isolation boundary; the boundaries between partitions are created and managed by the hypervisor. Isolation is implemented by the hypervisor allocating a separate virtual memory space and separate hardware resources to each partition, so that one partition cannot access memory allocated to another. A Hyper-V based virtualized environment is managed through a partition called the root partition, which serves the other partitions co-located with it. For example, the root partition hosts the virtualization services provided by the hypervisor and makes them available to the other partitions. The root partition can also host device drivers, because it is the only partition with direct access to hardware resources [4].
Hypercalls implement the services that the hypervisor exposes to partitions. They include critical system services that enable the operation of virtual systems, namely memory management services. Each Hyper-V hypercall is uniquely identified by an identification number, referred to as a call code. An important prerequisite for a Hyper-V hypercall to be invoked is the existence of the hypercall page in the context of the partition. The hypercall page is a memory page that stores the code used to invoke a hypercall according to the Hyper-V specification; the hypervisor exposes this page to every partition. The Windows hypervisor is the bridge through which Hyper-V communicates with the hardware, and the hardware is designed and certified to run the Windows Server operating system. Hyper-V manages virtual machines with hardware partitions, called virtual partitions. A virtual partition consists of a parent partition, where Windows Server resides, and child partitions; the child partitions can be shared with other operating systems, as shown in figure 1. WinDbg is a multipurpose debugger for the Microsoft Windows operating system, distributed by Microsoft. Debugging is the process of finding and resolving errors in a computing system; it also includes exploring the internal operation of software as an aid to development. WinDbg can be used to debug user-mode applications, device drivers, and the operating system itself in kernel mode.
Windows can write several kinds of crash dump file. The small memory dump (minidump) includes a minimum amount of information: only the BSOD error message, information about the driver, the processes that were active at the time of the crash, and which kernel process or thread caused the crash. The kernel memory dump is generally small, about 1/3 the amount of physical memory, and is more specific than a minidump: it contains kernel-mode drivers and programs, including memory allocated to the Windows kernel and hardware abstraction layer and memory allocated to other kernel-mode drivers and events. The complete memory dump is the largest and requires space equivalent to the system RAM plus the 1 MB Windows needs to build the file. The automatic memory dump matches a kernel memory dump in case of issues; the two differ only in how much space is used to form the dump file. This dump type does not exist in Windows 7; it was added in Windows 8. The active memory dump filters out elements that cannot help determine the cause of the system failure. WinDbg is the most powerful debugging and reverse engineering tool on the Windows platform; it is, so to speak, the X-ray plus MRI plus CT scan of programs running on the Windows operating system, including the operating system itself. It finds the cause of complex problems in programs running on Windows and in the OS itself [5].
DumpIt is a collection of two tools, win32dd and win64dd, combined into one executable used to acquire physical memory. DumpIt is designed to be handed to non-technical users on a removable USB drive. DumpIt takes a snapshot of physical memory and saves it to the folder where it runs [6]. A memory dump is carried out for the purpose of memory acquisition, which has two approaches: hardware-based and software-based. Much software is available for capturing the contents of RAM. DumpIt is a compact portable program that makes it easy to store the contents of physical memory [7].
Memory acquisition is the process of copying volatile memory (RAM) to non-volatile storage (files on disk) [8]. Live forensics is a forensic process carried out while the system is still running, because if the system is shut down, data or information will be lost [9]. The live forensic method is usually used in cases involving volatile data, that is, data that is lost when the power source is removed; volatile data is usually held in temporary media, namely RAM. Live forensics is thus used to collect data while the affected system is still alive [10]. Virtual forensic investigations mainly rely on data stored on storage media along with primary storage. Volatile memory (random access memory) can hold information such as running processes, incognito browsing sessions, clipboard contents, and information stored in plain-text reports.
This study aims to analyze the effect of VSM on the live memory acquisition process using the dynamic method with WinDbg. The Windows Debugger (WinDbg) can be used to debug kernel-mode and user-mode code, analyze crash dumps, and inspect CPU registers while code is running [11]. Figure 2 shows the stages of the research. The systematics of solving this problem use qualitative methods, namely a literature study that aims to collect more specific information related to the problem being studied; this information is then utilized where it relates to the research being carried out, as indicated by the relevant theory.

A. Problem Solving Systematics
In this research, the method used to analyze the effect of VSM on the memory acquisition tool is dynamic code analysis, with WinDbg as the auxiliary tool. The software-based memory acquisition tools are Autopsy, IsoBuster, DumpIt and Magnet RAM Capture. However, using such a tool on a system with VSM active can cause a system crash known as a blue screen of death (BSoD). VSM can be confirmed to be active by opening Task Manager and checking whether "Secure System" is running, as shown in figure 3. Computer software is prone to many flaws and problems; the blue screen of death (BSOD) and timeout detection and recovery (TDR) are the most common errors. Debugging is one of the most important ways to find and fix these errors; it is part of the software testing process and is relied on throughout the software development lifecycle. WinDbg is the most commonly used debugging tool. This document covers basic debugging, TDR/BSOD debugging, and suggestions for new tools that can analyze crash dumps. It proposes a tool that uses the dumps generated during a TDR/BSOD to obtain pre-debug information for each error; the tool analyzes the crash dump without actually debugging on the target system, as shown in figure 4. First, delete all currently captured events to remove irrelevant data by selecting Edit > Clear Display. Next, run the subject malware with capture turned on. After a few minutes, stop recording events.

Viewing Processes with Process Explorer
Process Explorer monitors the processes running on the system and shows them in a tree that displays parent and child relationships.

Stepping Through Code with Single-Stepping
Single-stepping executes one instruction of the running program and then returns control to the debugger. Stepping one instruction at a time makes it possible to see everything that is happening in a program.

Pausing Execution with Breakpoints
Breakpoints are used to pause execution and allow the program state to be checked. When a program is paused at a breakpoint, it is said to be broken. Breakpoints are needed because registers and memory addresses cannot be examined while the program is running, since these values are constantly changing.

Modifying Execution with the Debugger
The debugger can be used to modify program execution: the instructions, or the code itself, can be changed to alter the way a program executes. For example, to skip a function call, set a breakpoint where the function is called; when the breakpoint is hit, set the instruction pointer to the instruction after the call, thereby preventing the call from taking place. If the function is critical, the program may not run properly when it is skipped, or may crash. If the function has no impact on other areas of the program, the program may continue to run without problems.

Kernel Debugging with WinDbg
If the virtual machine is running, the debugger should connect within a few seconds. If it is not running, the debugger will wait for the OS to boot and then connect during the boot process. Once the debugger is connected, consider enabling verbose output while debugging the kernel, so that you get a more complete picture of what is going on; with verbose output you are notified each time a driver unloads.
This evaluation consists of research on live memory acquisition using the tools Autopsy, IsoBuster, DumpIt and Magnet RAM Capture, with the aim of understanding what causes the system to crash.

A. The Results
Four tools were used when performing memory acquisition, namely Autopsy, IsoBuster, DumpIt and Magnet RAM Capture. The acquisition tool that crashed when VSM was active was DumpIt: the system experienced a Blue Screen of Death (BSoD), so no memory dump could be produced. Meanwhile, the tools that succeeded in acquiring memory were Autopsy, IsoBuster and Magnet RAM Capture. Dynamic code analysis is therefore performed on the DumpIt application in an environment with VSM active, to determine whether the application is related to the BSoD error that occurs.
To get information on the "Bugcheck" event, open the dump in WinDbg and run the !analyze -v command. The results can be seen in figure 7 and figure 8. The bugcheck analysis shown there, run on the MEMORY.DMP file from the crash, relates the crash to the DumpIt application: the module obtained is DumpIt, and the image_name obtained is DumpIt.sys. This is what produces the BSOD (Blue Screen Of Death) screen, that is, the crash. WinDbg thus points out that DumpIt.sys is related to DumpIt, as summarised in table 1.
Dr. Memory managed to access the module "C:\WINDOWS\system32\ntdll.dll" after analyzing the module to set a breakpoint on the DumpIt tool. Because Dr. Memory is only able to see the last breakpoint module, a test analysis using dynamic code, namely WinDbg, is necessary. This aims to determine whether the last module seen in Dr. Memory is the same as the one seen in WinDbg.
In WinDbg, dynamic code analysis can be executed on the operating system. The analysis is obtained by following these steps: in the WinDbg Preview menu select "Start debugging", then select "Launch Executable (Advanced)" and point it at the DumpIt application; the debugger downloads the "wntdll.pdb" symbol file. After that, on the "Command" page, enter the following commands:
- To load symbols:
1. .symfix
2. .reload
3. !analyze -v
- To run the DumpIt application:
1. g
From this analysis it can be seen that the line code before the crash of the DumpIt application was code 80000003, and the last module accessed by the DumpIt tool, as read by WinDbg, was C:\WINDOWS\SYSTEM32\ntdll.dll. The line code before the crash can mean that this error is caused by conflicting registry files, due to missing drivers or to incompatible hardware on which the program is running. This is because JIT_DEBUG_INFO could not be processed (Win32 error 0n30); it is an error of a missing driver, i.e. C:\Users\ASUS\Downloads\DumpIt\DumpIt.exe;C:\MyProjects\DisplayGreeting\Debug, where the file does not have a sufficiently specific path, so that it causes a breakpoint at line code 80000003.
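As an added illustration (not code from the paper), the following Python script parses the "KEY: value" fields and STACK_TEXT frames that !analyze -v prints and answers the triage questions the analysis above asks of the kernel dump and of the user-mode launch: which image is implicated, whether the exception code is the break instruction exception 0x80000003, and which module was executing at the top of the stack. The two sample outputs are constructed to match what the text reports and are not the real MEMORY.DMP analysis; the frame addresses and the LdrpDoDebuggerBreak frame are assumed.

```python
import re
from typing import Dict, List

# Constructed samples shaped like the two "!analyze -v" runs described in the
# text (kernel MEMORY.DMP, then the user-mode launch of DumpIt.exe). NOT the
# paper's real output: addresses are placeholders, unreported fields are omitted.
KERNEL_DUMP_ANALYSIS = """\
PROCESS_NAME:  System
MODULE_NAME: DumpIt
IMAGE_NAME:  DumpIt.sys
"""

USER_MODE_ANALYSIS = """\
EXCEPTION_CODE_STR:  80000003
PROCESS_NAME:  DumpIt.exe
STACK_TEXT:
0000000000000000 0000000000000000     : ntdll!LdrpDoDebuggerBreak+0x0
0000000000000000 0000000000000000     : ntdll!LdrInitializeThunk+0x0
MODULE_NAME: ntdll
IMAGE_NAME:  ntdll.dll
FAILURE_BUCKET_ID:  BREAKPOINT_80000003_ntdll.dll!LdrInitializeThunk
"""

FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]*):\s*(.*)$")          # "KEY:  value" lines
FRAME_RE = re.compile(r":\s*([A-Za-z0-9_.]+)!([A-Za-z0-9_]+)")  # "module!symbol"
STATUS_BREAKPOINT = "80000003"  # NTSTATUS for a break instruction (int 3) exception

def parse_analyze(text: str) -> Dict[str, object]:
    """Split "!analyze -v" output into KEY -> value, plus the STACK_TEXT frames."""
    fields: Dict[str, object] = {}
    frames: List[str] = []
    in_stack = False
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            in_stack = key == "STACK_TEXT"   # frames follow until the next key
            if not in_stack:
                fields[key] = value
            continue
        if in_stack and line.strip():
            frames.append(line.strip())
    fields["STACK_TEXT"] = frames
    return fields

def triage(fields: Dict[str, object]) -> Dict[str, object]:
    """Implicated image, break-instruction check, and the top-of-stack module."""
    code = str(fields.get("EXCEPTION_CODE_STR") or fields.get("BUGCHECK_CODE") or "").lower()
    image = str(fields.get("IMAGE_NAME", ""))
    frames = fields.get("STACK_TEXT") or []
    top = FRAME_RE.search(frames[0]) if frames else None   # most recent frame
    return {
        "code": code,
        "breakpoint_exception": code == STATUS_BREAKPOINT,
        "image": image,
        "bucket": fields.get("FAILURE_BUCKET_ID", ""),
        "last_module": top.group(1) if top else None,
        "acquisition_tool_implicated": image.lower().startswith("dumpit"),
    }
```

Running triage(parse_analyze(...)) on both samples reproduces the two findings reported above: DumpIt.sys as the implicated image in the kernel dump, and a break instruction exception at the top of ntdll in the user-mode launch.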
The effect obtained when Virtual Secure Mode (VSM) is active during the dynamic memory acquisition process is that the screen shows a BSOD while memory acquisition is being performed; this is the effect of VSM being active. The problem caused by VSM was a crash in the ntdll.dll module, caused by a missing registry file; the bugcheck analysis of the dump file shows the cause of the system's BSoD to be the execution of the DumpIt.sys module.
The results of this study identify what caused the system to crash and which code was executing when the BSoD occurred, whereas previous research only obtained the ad_driver.sys module. The previous research carried out dynamic analysis with WinDbg on FTK Imager, while in my research the application executed was DumpIt. In the previous research, the last module obtained before the system crash was C:\Windows\system32\mssprxy.dll, while my research obtained C:\WINDOWS\SYSTEM32\ntdll.dll as the last module. My research was thus able to find that the last code before the crash was located at a breakpoint in line code 80000003, which was caused by a file that did not have a more specific path.

IV. CONCLUSION
The results of dynamic code analysis with WinDbg on the acquisition application were obtained while VSM was active. For live memory acquisition, four tools were used: Autopsy, IsoBuster, DumpIt and Magnet RAM Capture. The tools that successfully performed memory acquisition were Autopsy, IsoBuster and Magnet RAM Capture. The tool that failed to acquire memory was DumpIt; this was caused by several errors that led to a crash due to a Break Instruction Exception, with the failure bucket ID BREAKPOINT_80000003_ntdll.dll!LdrInitializeThunk. From this line code it can be seen that the cause of the crash lies in an error caused by a registry file that conflicts with execution and is related to incompatible hardware. The last module accessed by WinDbg was C:\WINDOWS\SYSTEM32\ntdll.dll; the file had an error in the operating system where it could not be executed because it crashed, which produced the BSOD (Blue Screen Of Death) screen.
VSM is a Windows 10 feature used to make managing the existing environment on the operating system safer; VSM itself is separate from the usual Windows environment. The DumpIt tool works as a combination of win32dd and win64dd, combined into one executable. DumpIt takes a snapshot of the host's physical memory and saves it to the folder where the DumpIt executable resides. The impact of active VSM when conducting experiments with the WinDbg application to acquire memory is a crash located in the operating system, which causes a BSOD (Blue Screen Of Death).