Development of Kernel Mode RAM Driver for RAM Image on Windows

• Main Authors: Ahmet Ali SuZEN, Kubilay TASDELEN, Ecir Ugur KUCUKSILLE
• Format: Article
• Language: English
• Published: Suleyman Demirel University 2019-08-01
• Series: Süleyman Demirel Üniversitesi Fen Bilimleri Enstitüsü Dergisi
• Online Access: http://dergipark.org.tr/tr/download/article-file/784774

In the field of computer forensics live analysis through immediate intervention is an important way of gathering electronic evidence. The way to obtain evidence from volatile data using live analysis is to take an image of the RAM (Random Access Memory). The entire RAM has to be copied in order to import data from this image. However, since the user mode is the default mode in Windows operating systems only the running processes can be accessed. Therefore, RAM imaging software needs to work at Kernel Mode level. In this study, a RAM driver was developed using WDK (Window Driver Kit) to enable RAM imaging software to run in Kernel Mode. The developed driver works on Windows 8, 8.1 and 10 (32 bit and 64 bit) operating systems. Virtual addresses, physical addresses and table pages for RAM can be accessed using the developed RAM driver. In this way, image acquisition software using this driver is able to carry out bit-to-bit copying of RAM. In addition, a program to import a RAM image in c ++ using this driver has also been developed. When the image retrieval software is installed in RAM it occupies a meager 156 KB of space. Compared to the existing image acquisition software, the developed RAM driver and software seem to use the least RAM. In addition, there are no examples of Kernel Mode RAM Drivers developed using WDK in the literature.