
Research On Stack Memory Forensics For 64-bit Windows

Posted on: 2022-10-14 | Degree: Master | Type: Thesis
Country: China | Candidate: X Xu
GTID: 2518306317489714 | Subject: Computer technology
Abstract/Summary:
Stack forensics can reconstruct the operations performed by the system when events occur. Research on stack forensics for mainstream Windows systems is of great significance to improving the memory forensics process and advancing memory forensics technology. Nowadays, for 64-bit Windows dump files that do not establish frame pointers, existing stack forensics methods mistakenly recognize non-executable addresses and callback function addresses as valid return addresses. At the same time, some forensics or memory analysis tools such as WinDbg rely too heavily on debugging symbols, and dump files containing malicious processes usually do not have debugging symbols, which makes forensics difficult. In addition, if the compressed memory data of Windows 10 is not extracted, the forensic results will be incomplete; the existing retrieval method has a cumbersome process, does not account for the different kernel data structures introduced by different system versions, and supports only a single compression algorithm. To solve the above problems, this paper designs a method to build stack forensics from 64-bit Windows memory dumps. The main research contents of this paper are as follows:

1. To improve compressed memory forensics under Windows 10, this paper proposes an algorithm named Retrieval Based on Quick Location REGION KEY (RBQLRK). RBQLRK improves the retrieval method for compressed data and raises retrieval efficiency; it corrects the calculation deviation caused by memory structure blocks having different sizes in different system versions; and it adds support for different compression algorithms.

2. Without depending on debugging symbols or frame pointers, this paper proposes an algorithm named Stack Forensics Based on Exception Tables Decision (SFBETD) to restore the call information at the time the events occur. SFBETD first preprocesses the acquired memory evidence to obtain process-related information; then it retrieves the user context of the target process to determine the starting point of the stack trace; it judges the location of the instruction pointer register and analyzes its possible positions and the impact of each position on the values of the relevant registers; finally, it makes a decision analysis based on how those impacts affect the use of the exception tables and tracks the execution history of the stack.

3. When exception tables are not available, an algorithm named Stack Forensics Based on Instruction Code (SFBIC) is proposed. SFBIC first scans the stack and marks all possible previous return addresses as candidate addresses; then it verifies the candidates based on the instructions decoded at the call addresses, eliminating the errors introduced by the scanning method and the instruction-flow verification method.

To analyze and validate forensics with the algorithm optimization theory proposed in this paper, the open-source memory forensics framework Volatility is used to develop the corresponding plug-ins, and comprehensive experiments and comparative analysis have been carried out. The results show that the proposed forensics method does not depend on frame pointers or debug symbols; using exception tables reduces missed results in stack traces; in the absence of exception tables, forensics based on instruction code greatly improves the accuracy of forensics; and more complete stack traces can be obtained on Windows 10 after adding compressed memory forensics.
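As an added example (not the thesis's code or its Volatility plug-in), the SFBIC idea of keeping only those candidate return addresses that are immediately preceded by a decodable CALL, in Python over a constructed executable region and a constructed stack; the addresses, the code bytes and the subset of x86-64 CALL encodings handled (E8 rel32 and FF /2 with an optional REX prefix) are assumptions for illustration.

```python
import struct
# Constructed sample (not from the thesis): one executable region at 0x1000
# holding a few hand-assembled x86-64 instructions.
CODE_BASE, CODE = 0x1000, bytearray(0x100)
CODE[0x10:0x15] = b"\xe8" + struct.pack("<i", 0x100)      # call rel32        -> returns to 0x1015
CODE[0x20:0x26] = b"\xff\x15" + struct.pack("<i", 0x200)  # call [rip+disp32] -> returns to 0x1026
CODE[0x30:0x32] = b"\xff\xd0"                             # call rax          -> returns to 0x1032
CODE[0x40:0x45] = b"\xb8\x01\x00\x00\x00"                 # mov eax, 1        (0x1045 is not a return site)
EXEC_REGIONS = [(CODE_BASE, bytes(CODE))]
def read_code(addr, n):
    """Bytes [addr, addr+n) if wholly inside an executable region, else None."""
    for base, data in EXEC_REGIONS:
        if base <= addr and addr + n <= base + len(data):
            return data[addr - base:addr - base + n]
    return None
def operand_len(modrm, rest):
    """Bytes used by ModRM + SIB + displacement for a ModRM-encoded operand."""
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3:
        return 1
    n = 1 + (1 if mod == 1 else 4 if mod == 2 else 0)
    if rm == 4:                                     # SIB byte follows
        n += 1 + (4 if mod == 0 and rest and (rest[0] & 7) == 5 else 0)
    elif mod == 0 and rm == 5:                      # RIP-relative disp32
        n += 4
    return n
def is_exactly_call(b):
    """True if b is exactly one near CALL (E8 rel32 or FF /2, optional REX)."""
    i = 1 if b and 0x40 <= b[0] <= 0x4F else 0
    if i >= len(b):
        return False
    if b[i] == 0xE8:
        return len(b) == i + 5
    if b[i] == 0xFF and i + 1 < len(b) and ((b[i + 1] >> 3) & 7) == 2:
        return len(b) == i + 1 + operand_len(b[i + 1], b[i + 2:])
    return False
def preceded_by_call(addr):
    """SFBIC-style check: some CALL encoding (2..8 bytes) ends exactly at addr."""
    return any(is_exactly_call(read_code(addr - n, n) or b"") for n in range(2, 9))
def scan_stack(stack):
    """Slots pointing into executable memory are candidates; report which verify."""
    out = []
    for off in range(0, len(stack) - 7, 8):
        val = struct.unpack_from("<Q", stack, off)[0]
        if read_code(val, 1) is not None:
            out.append((off, val, preceded_by_call(val)))
    return out
# Constructed stack: real return sites mixed with a stale code pointer (0x1045),
# a non-executable address and plain data.
SAMPLE_STACK = struct.pack("<6Q", 0x1015, 0x7FFE0000, 0x1045, 0x1026, 0xDEADBEEF, 0x1032)
```

Calling `scan_stack(SAMPLE_STACK)` keeps 0x1045 in the candidate list but marks it unverified, which is exactly the kind of stale code pointer the scanning step alone would report as a frame.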
Keywords/Search Tags: stack forensics, compressed memory, exception tables, instruction code