Static Code Analysis on The Effect of Virtual Secure Mode on Memory Acquisition with IDA
DOI: https://doi.org/10.21108/ijoict.v9i1.688
Keywords: digital forensic, static analysis, virtual secure mode, memory acquisition tools
Abstract
Memory acquisition is one of the core activities of digital forensics, and several tools support it. There is now a feature named secure mode that can cause memory acquisition tools to crash or error, rendering the tools unusable and losing the contents of the computer's memory. This research focuses on analyzing acquisition tools that crash or error when the device being imaged is in secure mode. The analysis was carried out with static code analysis, one of the techniques of reverse engineering, using IDA. The study aims to find the cause of the crash or error in memory acquisition tools, so that digital forensic testers understand the potential risk that secure mode poses to the acquisition process. The results indicate that the different operating system and the different kernel running on the device are the reasons memory acquisition tools cannot run properly when VSM is turned on.
License
Manuscript submitted to IJoICT has to be an original work of the author(s), contains no element of plagiarism, and has never been published or is not being considered for publication in other journals. Author(s) shall agree to assign all copyright of published article to IJoICT. Requests related to future re-use and re-publication of major or substantial parts of the article must be consulted with the editors of IJoICT.