
Comparison between 64-bit Memory Analysis of Windows 7 and Windows 8

Bijay Kumar Ranjit


School of Computing and Security Science
Edith Cowan University
Perth, Western Australia
branjit@our.ecu.edu.au

Abstract
Each newer version of Microsoft Windows benefits vendors as well as end users, but it also brings many
challenges for the forensic investigator who must acquire and analyse evidence from it. The central questions of
forensic analysis are what, where and how to investigate in order to achieve the goal of the investigation.
This research uses knowledge of previous versions of Microsoft Windows to analyse and gather information
from 64-bit Microsoft Windows 8, and compares the results with those obtained by undertaking a similar process
on 64-bit Microsoft Windows 7. Memory dumps of both operating systems are taken in order to compare the
results in a similar environment.
The memory structures of Windows 8 and Windows 7 are analysed by a method based on the Kernel Processor
Control Region (KPCR).
The fundamental design of Windows has not changed since its early releases, which makes a Windows machine
easier to analyse. The main analysis covers:
Memory management
Running processes
Windows Registry
Network connections
Cryptanalysis of BitLocker in Windows 7 and Windows 8

Keywords
Memory Analysis, Bit Locker, Windows Registry, Windows, Process, Memory dump

INTRODUCTION
Apart from string analysis of a memory dump to extract passwords, email addresses and network connections,
the memory dump has proven to be a very useful area of investigation in computer forensics (Shuhui, Lianhai et al.
2010). The results of the memory challenge organised by the Digital Forensics Research Workshop (DFRWS) in
2005 drew the attention of computer forensic analysts to how useful memory analysis can be for gathering
significant artifacts (DFRWS 2005). Memory analysis is a useful yet challenging area of forensic investigation.
Each operating system may use a different memory data structure, and the analyst may need to investigate
memory dumps from different versions of Windows. However, understanding the memory structure of one
version of the Windows operating system can significantly help the analyst analyse another version.
This paper adopts a method based on kernel debug structures and Microsoft program database (PDB) files to
analyse the structure of memory in 64-bit Windows 8. The analysis is made possible by previous findings and
results from similar investigations on older versions of Windows. The main tool used to analyse the memory is
WinDbg, which can be obtained from the Microsoft Development Kit (MDK) website. The tool requires symbol
information for the different variables in memory, which is acquired from the online Microsoft symbol server so
that memory can be parsed properly (Microsoft 2013). The same process of gathering memory information is
applied to Windows 7 and the results from both operating systems are compared.

METHOD OF ANALYSING MEMORY DUMPS FROM WINDOWS 8


Memory Management
The artifacts in a memory dump are not stored as they are seen by the programmer or the application. The
application usually interacts with virtual memory addresses, which are mapped, not necessarily contiguously, to
physical addresses. The address translation is maintained by the operating system, so in order to extract
information from the memory dump the virtual address must be translated to a physical address. The base of the
page tables used for this translation is held in control register 3 (CR3). To find the relationship between the
kernel processor control region (KPCR) and CR3, the analysis was done using the kernel debugger in WinDbg.
To debug the local kernel, open WinDbg as administrator and, from the File menu, select Kernel Debugger.
Then select the Local tab in order to debug the local kernel of Windows 8.
Since WinDbg works with symbols from the Microsoft PDB server, the symbol path is pointed at the Microsoft
symbol server as follows.
lkd> .sympath srv*c:\temp*http://msdl.microsoft.com/download/symbols
All the symbols for the core kernel are located in the nt module, so reload the nt symbols from the server.
lkd> .reload nt
The rest of the process is shown in Figure 1.

Figure 1: Relation between KPCR and CR3 register.
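The translation step described above can be reproduced outside the debugger. The following Python code is an added example, not part of the paper: it walks the four-level x64 page tables rooted at CR3 over a constructed physical memory image (the page layout, the CR3 value and the test virtual addresses are all made up for the demonstration) and returns the physical address a virtual address maps to, handling 4 KiB pages, 2 MiB and 1 GiB large pages, and non-present entries.

```python
import struct

PAGE = 0x1000
PRESENT = 1 << 0                      # bit 0: entry is valid
LARGE = 1 << 7                        # bit 7 (PS): PDE maps 2 MiB, PDPTE maps 1 GiB
FRAME_MASK = 0x000FFFFFFFFFF000       # bits 12-51: physical address of next table/page


def read_qword(mem, paddr):
    """Read a little-endian 64-bit value from the physical image."""
    return struct.unpack_from("<Q", mem, paddr)[0]


def translate(mem, cr3, vaddr):
    """Walk PML4 -> PDPT -> PD -> PT for vaddr, as the MMU does on x64.
    Returns the physical address, or None if any level is not present."""
    pml4e = read_qword(mem, (cr3 & FRAME_MASK) + ((vaddr >> 39) & 0x1FF) * 8)
    if not pml4e & PRESENT:
        return None
    pdpte = read_qword(mem, (pml4e & FRAME_MASK) + ((vaddr >> 30) & 0x1FF) * 8)
    if not pdpte & PRESENT:
        return None
    if pdpte & LARGE:                                   # 1 GiB page
        return (pdpte & 0x000FFFFFC0000000) | (vaddr & 0x3FFFFFFF)
    pde = read_qword(mem, (pdpte & FRAME_MASK) + ((vaddr >> 21) & 0x1FF) * 8)
    if not pde & PRESENT:
        return None
    if pde & LARGE:                                     # 2 MiB page
        return (pde & 0x000FFFFFFFE00000) | (vaddr & 0x1FFFFF)
    pte = read_qword(mem, (pde & FRAME_MASK) + ((vaddr >> 12) & 0x1FF) * 8)
    if not pte & PRESENT:
        return None
    return (pte & FRAME_MASK) | (vaddr & 0xFFF)         # 4 KiB page


def read_virtual(mem, cr3, vaddr, length):
    """Read bytes at a virtual address from the dump (within a single page)."""
    paddr = translate(mem, cr3, vaddr)
    if paddr is None:
        raise ValueError(f"{vaddr:#x} is not mapped")
    return bytes(mem[paddr:paddr + length])


def build_sample_dump():
    """Constructed 6-page physical image: PML4 at 0x1000, PDPT at 0x2000,
    PD at 0x3000, PT at 0x4000 and a data page at 0x5000. The layout is
    made up for the demonstration; CR3 points at the PML4 page."""
    mem = bytearray(6 * PAGE)
    cr3 = 0x1000
    rw = PRESENT | (1 << 1)                              # present + writable
    # 0xFFFFF80000123456 -> PML4[0x1F0], PDPT[0], PD[0], PT[0x123], offset 0x456
    struct.pack_into("<Q", mem, 0x1000 + 0x1F0 * 8, 0x2000 | rw)
    struct.pack_into("<Q", mem, 0x2000 + 0x000 * 8, 0x3000 | rw)
    struct.pack_into("<Q", mem, 0x3000 + 0x000 * 8, 0x4000 | rw)
    struct.pack_into("<Q", mem, 0x4000 + 0x123 * 8, 0x5000 | rw)
    # PD[1] maps a 2 MiB large page at physical 0x200000 (no data page needed)
    struct.pack_into("<Q", mem, 0x3000 + 0x001 * 8, 0x200000 | rw | LARGE)
    mem[0x5456:0x545A] = b"Proc"                        # marker in the data page
    return mem, cr3


if __name__ == "__main__":
    mem, cr3 = build_sample_dump()
    for va in (0xFFFFF80000123456, 0xFFFFF80000200ABC, 0xFFFFF80000400000):
        pa = translate(mem, cr3, va)
        print(f"{va:#018x} -> {'unmapped' if pa is None else hex(pa)}")
    print(read_virtual(mem, cr3, 0xFFFFF80000123456, 4))
```

On a real dump the same walk is applied with the CR3 value recovered from the KPCR path the paper describes, and the image is the raw physical memory file rather than the constructed bytearray; unmapped or paged-out addresses return None, which is the usual reason a structure cannot be followed in a dump.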

Doubly Linked List in memory structure


In NT-based versions of the Windows operating system, the kernel memory structures use lists built from the
SINGLE_LIST_ENTRY or LIST_ENTRY structure (Microsoft 2013). In this structure the list head also
represents the end of the list, because it is a circular doubly-linked list. The linked list can be depicted as in
Figure 2. From this memory structure all the running processes can be obtained from memory, as they are
doubly linked together. Windows 8 also maintains the doubly-linked memory structure.
Figure 2: Data structure in a doubly-linked list (CodeMachine 2013)

Figure 3: Linked list structure in 64-bit Windows 8

Windows Registry Analysis


The Windows Registry contains some of the most important information about the Windows operating system.
There has been no major change in the Windows registry, so its layout can be predicted from previous memory
analyses of the Windows operating system. Just as the running processes are determined through a doubly-linked
list, the registry hives are structured in a similar way. The main structure of the registry can be found in
_CMHIVE (Dolan-Gavitt 2008). In this paper it is viewed using WinDbg as depicted in Figure 4.

Figure 4: Structure of _CMHIVE

The memory address of the hive list can be found simply by typing

lkd> ? CmpHiveListHead
followed by
lkd> dt nt!_LIST_ENTRY <addr>
where <addr> is the address returned by the previous command.

Figure 5: Doubly-linked list structure in the registry hive list


On detailed analysis of the registry with different tools and methods, the Windows 8 registry was found to
consist of the following hives:
\REGISTRY\MACHINE\SYSTEM
\REGISTRY\MACHINE\HARDWARE
\.\[Empty header]
\Device\HarddiskVolume1\Boot\BCD
\SystemRoot\System32\Config\SOFTWARE
\SystemRoot\System32\Config\BBI
\Windows\ServiceProfiles\LocalService\NTUSER.DAT
\SystemRoot\System32\Config\SECURITY
\SystemRoot\System32\Config\SAM
\SystemRoot\System32\Config\DEFAULT

There are a few minor changes between the registry subkeys of Windows 8 and Windows 7, but the major
change is the addition of the new hive BBI in Windows 8.

Running Process
In Windows 8, once the address translation register has been located, the running processes can be found by
traversing to the KPRCB, which is at offset 0x180 from the KPCR. The CurrentThread is then found at offset
0x008 from the KPRCB. The next step is to find the offset of the KPROCESS virtual address within the KTHREAD.

Figure 6: Detail of KTHREAD

The offset of KPROCESS is found to be 0x220 relative to KTHREAD. All the active processes can be found
through ActiveProcessLinks, which is reached from _KPROCESS (Schuster 2006).

Figure 7: Detail of EPROCESS

ActiveProcessLinks is a doubly-linked _LIST_ENTRY, so traversing this list until it returns to the list head
finds all the running processes in the memory dump, translating each virtual address to a physical address
along the way.
The process list is obtained by similar methods in Windows 8 and Windows 7, but the virtual addresses are
different, and a few modules are found to be missing in Windows 8.
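Walking ActiveProcessLinks, and in exactly the same way the hive list reached from CmpHiveListHead described earlier, amounts to following LIST_ENTRY.Flink until the walk returns to the list head and subtracting the link offset to recover each containing structure. The Python below is an added example, not part of the paper or of WinDbg: it builds a constructed image with a list head and three process-like records at made-up offsets (LINK_OFFSET and NAME_OFFSET are hypothetical; real _EPROCESS offsets come from the PDB symbols as the paper does), walks the list forwards, checks each Flink against the next entry's Blink, and refuses to loop forever on a damaged link. The translate callback is the identity here; on a real dump it would be the CR3 page-table walk.

```python
import struct

# Hypothetical layout for the constructed image; real _EPROCESS offsets come
# from the PDB symbols and differ between Windows builds.
LINK_OFFSET = 0x2F0      # LIST_ENTRY {Flink, Blink} inside each record
NAME_OFFSET = 0x450      # 15-byte NUL-padded image name inside each record
RECORD_SIZE = 0x500


def read_ptr(mem, paddr):
    return struct.unpack_from("<Q", mem, paddr)[0]


def walk_list(mem, head_va, link_offset, translate, limit=65536):
    """Follow Flink from the list head until it comes back around to the head.
    Yields the virtual address of each containing record (CONTAINING_RECORD).
    Raises ValueError on a revisited entry, a runaway walk, or an entry whose
    successor's Blink does not point back to it."""
    seen = set()
    cur = read_ptr(mem, translate(head_va))            # head.Flink
    while cur != head_va:
        if cur in seen or len(seen) >= limit:
            raise ValueError(f"list loops or runs away at {cur:#x}")
        seen.add(cur)
        nxt = read_ptr(mem, translate(cur))            # entry.Flink
        if read_ptr(mem, translate(nxt) + 8) != cur:   # successor.Blink
            raise ValueError(f"Flink/Blink mismatch at {cur:#x}")
        yield cur - link_offset
        cur = nxt


def list_process_names(mem, head_va, translate=lambda va: va):
    """Collect the image name of every record reachable from the list head."""
    names = []
    for rec in walk_list(mem, head_va, LINK_OFFSET, translate):
        start = translate(rec) + NAME_OFFSET
        raw = bytes(mem[start:start + 15])
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def list_is_consistent(mem, head_va, translate=lambda va: va):
    """True if the list can be walked back to its head without any anomaly."""
    try:
        list(walk_list(mem, head_va, LINK_OFFSET, translate))
        return True
    except ValueError:
        return False


def build_sample_image(names, corrupt=False):
    """Constructed image: list head at 0x100 and one record per name, all
    chained in a ring through their LIST_ENTRY fields. With corrupt=True the
    second record's Flink is pointed at itself to simulate a damaged list."""
    mem = bytearray(0x4000)
    head = 0x100
    bases = [0x1000 + i * RECORD_SIZE for i in range(len(names))]
    ring = [head] + [b + LINK_OFFSET for b in bases]
    for i, entry in enumerate(ring):
        flink = ring[(i + 1) % len(ring)]
        blink = ring[(i - 1) % len(ring)]
        struct.pack_into("<QQ", mem, entry, flink, blink)
    for base, name in zip(bases, names):
        mem[base + NAME_OFFSET:base + NAME_OFFSET + 15] = name.encode().ljust(15, b"\0")
    if corrupt:
        struct.pack_into("<Q", mem, ring[2], ring[2])
    return mem, head


if __name__ == "__main__":
    mem, head = build_sample_image(["System", "smss.exe", "lsass.exe"])
    print(list_process_names(mem, head))
    bad, head = build_sample_image(["System", "smss.exe", "lsass.exe"], corrupt=True)
    print("consistent:", list_is_consistent(bad, head))
```

The Flink/Blink cross-check is worth keeping on real dumps: a list that walks forwards but whose back pointers disagree is a sign of a partially overwritten page or of a structure that was unlinked from the list, and the walker should report that rather than silently continue.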

Network connections
The method of analysing network connections has changed since Microsoft Windows Vista. In previous
versions of Windows such as Windows XP, network connections were determined using AddrObjTable and
ObjTable, which are located through the driver tcpip.sys (Lijuan, Lianhai et al.).
To determine the network connections from memory, the structure of TcpEndpointPool needs to be determined
for Windows 8. From this research it is found that the structure is similar to that of Windows 7. The network
connections can be extracted from the singly-linked list. If offset 0x28 of a list entry holds the tag TcpE, the
entry consists of a TcpEndPoint and a TCB (TCP Control Block) structure (Yang, Wang et al. 2013). The TCB
structure holds the information about the connection.
The paper has already shown the path from the KPCR to ActiveProcessLinks. Now, in order to get all the
current network connections, the address of the driver TCPIP.SYS has to be located. To do so, the PDB symbols
for the TCPIP.SYS driver are first loaded as:
lkd> .reload tcpip.sys
To find the offset between ActiveProcessHead and psLoadedModuleList:

The offset is found to be 0x33E90, so after address translation, adding this value to ActiveProcessHead gives
the address of psLoadedModuleList.
The virtual address of TcpEndPointPool can be determined by

Hence, by adding 0x1ADB18, the virtual address of TcpEndpointPool can be obtained. To determine all the TCB
structures, the address of the first list entry must be obtained.

Figure 8: Find list head of singly-linked list

In order to determine whether a list entry consists of a TcpEndpoint or a TCB header, the flag TcpE is checked:
if it is set, the entry is a TcpEndpoint, otherwise it is a TCB structure, which can then be analysed to determine
the information about the network connection and the process attached to it. Each network connection can then
be traversed through the elements of the doubly-linked list.
The information about the network connections in Windows 8 and Windows 7 is obtained by a similar process,
but the offsets and register values are different.
Cryptanalysis of BitLocker
BitLocker Drive Encryption was introduced by Microsoft from the Ultimate edition of Windows Vista
(Microsoft 2012). The main idea of introducing encryption is to protect data from theft; however, this makes
the job of the forensic investigator more difficult.
BitLocker uses AES-CBC encryption along with the Elephant diffuser on each block of plaintext. The plaintext
block size can be any value between 512 and 8192 bytes. An overview of BitLocker is depicted in the Figure
below:

Figure 9: Overview of AES-CBC + Elephant diffuser (Ferguson 2006)

The memory dump is analysed to search for information about BitLocker. First the keyword "recovery key" is
searched for in the memory dump, which produced the following hit.

Figure 10: Recovery Key hit in memory dump

On further analysis it was observed that the next memory dump, taken after a restart, did not contain any key in
plain text. So the Globally Unique Identifier (GUID) of the encrypted volume was searched for instead. It was
found that the first three groups are stored in little-endian format and the rest as they are:

E1 07 A1 71 68 73 4C E5 A1 CC AA A6 A8 09 A3 E9
71 A1 07 E1 73 68 E5 4C A1 CC AA A6 A8 09 A3 E9

Figure 11: Identifier Hit in memory
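The byte reordering shown above is the standard in-memory layout of a Windows GUID (the first three fields little-endian, the last eight bytes as written), and a keyword search for the textual form therefore misses it. The Python below is an added example, not part of the paper: it converts a GUID string into the byte pattern to search for, converts a 16-byte hit back into text, and scans a constructed memory fragment. The textual GUID is assumed to be the one whose bytes are shown in Figure 11, and the sample fragment is made up for the demonstration.

```python
import struct
import uuid

# Textual form assumed for the identifier whose bytes appear in Figure 11.
VOLUME_GUID = "E107A171-6873-4CE5-A1CC-AAA6A809A3E9"

# Constructed memory fragment: the GUID as Windows lays it out, at offset 64.
SAMPLE_DUMP = (b"\x00" * 64
               + bytes.fromhex("71A107E17368E54CA1CCAAA6A809A3E9")
               + b"\x00" * 32)


def guid_search_pattern(guid_text):
    """Bytes of a GUID as stored in memory on Windows: Data1 (32-bit), Data2 and
    Data3 (16-bit each) little-endian, followed by the last 8 bytes unchanged."""
    g = uuid.UUID(guid_text)
    head = struct.pack("<IHH", g.time_low, g.time_mid, g.time_hi_version)
    return head + g.bytes[8:]


def guid_from_memory(raw16):
    """Inverse: turn 16 bytes read from memory back into the textual GUID."""
    d1, d2, d3 = struct.unpack("<IHH", raw16[:8])
    tail = bytes(raw16[8:]).hex().upper()
    return f"{d1:08X}-{d2:04X}-{d3:04X}-{tail[:4]}-{tail[4:]}"


def find_pattern(dump, pattern):
    """Offsets of every occurrence of pattern in dump (overlaps included)."""
    hits, pos = [], dump.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = dump.find(pattern, pos + 1)
    return hits


def find_guid(dump, guid_text):
    """Search the dump for the GUID in its in-memory byte order."""
    return find_pattern(dump, guid_search_pattern(guid_text))


if __name__ == "__main__":
    print("in-memory pattern:", guid_search_pattern(VOLUME_GUID).hex().upper())
    print("hits (correct order):", find_guid(SAMPLE_DUMP, VOLUME_GUID))
    print("hits (textual order):", find_pattern(SAMPLE_DUMP, uuid.UUID(VOLUME_GUID).bytes))
    for off in find_guid(SAMPLE_DUMP, VOLUME_GUID):
        print(f"offset {off}: {guid_from_memory(SAMPLE_DUMP[off:off + 16])}")
```

The same conversion is what uuid.UUID(...).bytes_le produces; it is spelled out with struct here so that the field order is visible. For a full dump the search is run over the whole image file rather than an in-memory bytes object, but the pattern is identical.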


Figure 12: Hit in memory dump for recovery key

Windows 8 did not contain a readable recovery key in memory, whereas the recovery key could be seen in
readable form in Windows 7. But after a reboot no recovery key could be found in the memory dump, even
though the BitLocker-protected drive had been unlocked using the password.

Figure 13: Recovery key found in Windows 7

A few searches were also performed with the keyword "password" in the memory dump, but no readable
password was observed in Windows 7 or Windows 8.

Figure 14: Password hit in Windows 7

BitLocker Drive Encryption is only available in the Ultimate and Enterprise editions of Windows 7, so the
experiment was conducted on the Ultimate edition of Windows 7. Windows 8 provides the option of encrypting
either the used disk space only or the entire disk, whereas Windows 7 has only one option, i.e., encrypt the entire
disk. Also, Windows 8 has an option to connect its account details and other recovery services to a Microsoft
account (such as Live, MSN or Hotmail).

CONCLUSION AND FUTURE WORK
The memory analysis of Windows 8 was successfully performed using the knowledge acquired from memory
analysis of previous versions of the Windows operating system. Major similarities were observed between the
memory structures of 64-bit Windows 7 and Windows 8. Nevertheless, on characterisation of memory dumps
from computers with the same hardware configuration, the disk space occupied was dramatically less in
Windows 8 than in Windows 7. A few changes were also observed in the registry, network connections, running
processes and BitLocker. A few features have been added to BitLocker, such as storing the recovery key in
online accounts or on network servers. The user also has the option to encrypt only the occupied data on the
drive, which decreases the encryption time significantly. Significant work still needs to be performed in order
to decrypt volumes locked by BitLocker for forensic investigation. Detailed analysis of Windows 8 in different
environments can be performed in future to create a stable tool for memory analysis.

REFERENCES

CodeMachine (2013). "Catalog of key Windows kernel data structures." Retrieved October 25, 2013, from
http://codemachine.com/article_kernelstruct.html.

DFRWS (2005). "DFRWS 2005 Forensics Challenge." Retrieved October 20, 2013, from
http://www.dfrws.org/2005/challenge/index.shtml.

Dolan-Gavitt, B. (2008). "Forensic analysis of the Windows registry in memory." Digital Investigation 5,
Supplement: S26-S32.

Ferguson, N. (2006). "AES-CBC + Elephant diffuser: A Disk Encryption Algorithm for Windows Vista."
Retrieved October 26, 2013, from
http://download.microsoft.com/download/0/2/3/0238acaf-d3bf-4a6d-b3d6-0a0be4bbb36e/BitLockerCipher200608.pdf.

Lijuan, X., et al. "Acquisition of Network Connection Status Information from Physical Memory on Windows
Vista."

Microsoft (2012). "What's New in BitLocker for Windows 8 and Windows Server 2012." Retrieved October 29,
2013, from http://technet.microsoft.com/en-us/library/hh831412.aspx.

Microsoft (2013). "ExtRemoteList class." Retrieved October 23, 2013, from
http://msdn.microsoft.com/en-us/library/windows/hardware/ff544114(v=vs.85).aspx.

Microsoft (2013). "Live Kernel-Mode Debugging Using WinDbg." Retrieved October 21, 2013, from
http://msdn.microsoft.com/en-US/library/windows/hardware/hh451166(v=vs.85).aspx.

Schuster, A. (2006). "Searching for processes and threads in Microsoft Windows memory dumps." Digital
Investigation 3: 10-16.

Shuhui, Z., et al. (2010). "Exploratory study on memory analysis of Windows 7 operating system." Advanced
Computer Theory and Engineering (ICACTE), 2010 3rd International Conference on.

Yang, S., et al. (2013). "Exploratory study on memory analysis of Windows CE device." Intelligent Control and
Information Processing (ICICIP), 2013 Fourth International Conference on, IEEE.
