Analyzing Windows Memory
CFDI 270

Overview Network forensics follows numerous paths due to the astronomical differences in all of the various networks around the world. But in any investigation memory analysis may play a critical role. We will cover the basic processing of memory and its analysis in the Windows operating system.
Delving Into Windows Network investigation cases will rarely follow a rote path. However, most investigations have a few typical steps that are taken. One of the first steps is to acquire the memory if we are doing a live analysis. We can glean a myriad of invaluable information from a computer’s memory. This information may include hidden and running processes, when these processes were started and by whom, and what these specific processes were doing. Terminated objects may even be found in memory days after they were killed. The memory also will have the state of active network connections (Burdach). Windows translates addresses in a three stage procedure generally. Every process on a Windows system maintains a DirectoryTableBase (DTB). The value of the DTB is stored in the CR3 register when the process is running. This value contains the base address of the table of Page Directory Entries (PDE) for that process. Every virtual address that is translated, has a PDE specified using some of the bits from the original virtual address. The PDE is used to find the base address of a specific page of Page Table Entries (PTE). This specific PTE is designated using this base address and some more bits from the original virtual address. The PTE will now point to the base address of the page in physical memory where the data is stored. The actual data address in physical memory is the base address of this page plus the remaining bits from the original virtual address (Petroni). The first byte of the PDE or PTE is the validity byte. If the byte is 0 it is invalid. If the byte is 1 it is valid.
Every PDE or PTE, including invalid entries, fits into one of six categories. The categories are Page file, Zero, Demand Zero, Prototype, Transition, and Unknown. The memory has a finite amount of data that it can retain. Once this data limit is reached paging files are stored on the disk. If a PDE or PTE is invalid and has byte 10, Prototype, and byte 11, Transition, as 0 the entry points to one of these paging files on the disk (Petroni). It is a Demand Zero when the page file number, bits 1-4, and the page file offset, bits 12-31, are zero. These pages can be ignored as they only represent a zero. When the t bit is 1, but the p bit is 0 the page is in Transition. This means that page has been modified but not yet written to disk. The page in this case can still be retrieved by an examiner in this status due to being active in memory (Petroni). The prototype bit has no bearing on PDE’s, but if it is set in a PTE then it is a pointer to a prototype page table entry. When the P bit is set in the PTE the T bit is part of the prototype index number (Petroni). A prototype page is similar to a symbolic link for a shared file. This way the system only needs to update the prototype PTE instead of every process utilizing the true PTE. To locate the virtual address of a prototype PTE one multiplies the index number in the invalid PTE by the size of the PTE. This product is then added to the start of the system’s paged area (Petroni). When a page is in Zero state the operating system has dedicated a page of physical memory for a process, but the page has not yet been accessed (Petroni). “Windows memory analysis techniques depend on the examiner’s ability to translate the virtual addresses used by programs and operating system components into the true locations of data in a memory image,” (Schuster). Due to Windows caching large amounts of file data in memory we need to ensure we take invalid, mapped-file data into account. Memory is divided into