I was recently introduced to the FTK Imager program in my digital forensics class. As I was using it, I began wondering: how can this program see all of RAM? According to my Operating Systems knowledge, programs are limited to their own virtual memory, so it must have to contact the kernel in order to read other parts of memory. If so, that's a fairly worrying privilege, so how does it work?
I did a very basic analysis; unfortunately I can't spend more time on it, because my Advanced Operating Systems subject is my life now, but here's what I found.
When the memory dump starts, FTK makes a sequence of Windows DeviceIoControl calls, which makes sense, because that API allows programs to read from and write to files and devices.
At the start of the capture, a file is created on our drive as the output file. Remember its handle, 0x00000448; it comes back later.
Eight calls to DeviceIoControl, then a write to our output handle 0x00000448.
But what are the DeviceIoControl calls doing? That’s where it gets confusing.
We're interacting with a device handle, 0x00000450, which I could not find mentioned anywhere else in the binary or on the web. The control code is 2147541020, which is also undocumented. The lpInBuffer is the same every time, 0x06b77b20, with size 12. The lpOutBuffer advances by 4096 each time, and the output size is 4096.
Purely from the fact that the out buffer is much larger than the in buffer, these IoControl calls are most likely performing a read of 4096 bytes from the device. 4096 * 8 = 32768, which is exactly the number of bytes written to our output file after the 8 reads.
So the pattern is: read 32768 bytes from somewhere, then write them to our output file.
The size 4096 makes me think that each read is of one page mapped from physical memory. Hence, the kernel must be mapping in pages and allowing FTK to read from them.
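To make the observations above concrete, here is an added example (not code from the original post or from FTK Imager) that splits the control code 2147541020 into the fields the standard Windows CTL_CODE macro packs, and checks the read-then-write pattern against a constructed API trace. The out-buffer base address and the trace tuples are constructed; only the control code, handles, sizes and lpInBuffer value come from the post.

```python
# Added example: decode an undocumented IOCTL code and verify the
# "8 reads of 4096, then one write of 32768" pattern from a constructed trace.
from dataclasses import dataclass

# CTL_CODE layout (winioctl.h):
#   bits 31..16 DeviceType, 15..14 RequiredAccess, 13..2 Function, 1..0 Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

@dataclass(frozen=True)
class Ioctl:
    device_type: int
    access: str
    function: int
    method: str
    vendor_defined: bool   # DeviceType values >= 0x8000 are reserved for third parties

def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit I/O control code into the fields CTL_CODE packs."""
    device_type = (code >> 16) & 0xFFFF
    return Ioctl(
        device_type=device_type,
        access=ACCESS[(code >> 14) & 0x3],
        function=(code >> 2) & 0xFFF,
        method=METHODS[code & 0x3],
        vendor_defined=device_type >= 0x8000,
    )

# Constructed trace in the shape the post describes: eight DeviceIoControl calls
# on the device handle with lpOutBuffer advancing 4096 each time (base address
# 0x06B78000 is a constructed placeholder), then one WriteFile of 32768 bytes
# to the output-file handle. Tuple: (api, handle, code, in_size, out_buf, size).
TRACE = [("DeviceIoControl", 0x450, 2147541020, 12, 0x06B78000 + 4096 * i, 4096)
         for i in range(8)] + [("WriteFile", 0x448, None, None, None, 32768)]

def check_read_then_write(trace) -> dict:
    """Confirm the IOCTL out buffers are contiguous and their total equals the write size."""
    reads = [t for t in trace if t[0] == "DeviceIoControl"]
    writes = [t for t in trace if t[0] == "WriteFile"]
    contiguous = all(reads[i + 1][4] - reads[i][4] == reads[i][5]
                     for i in range(len(reads) - 1))
    total = sum(r[5] for r in reads)
    return {"reads": len(reads), "bytes_read": total, "contiguous": contiguous,
            "matches_write": bool(writes) and total == writes[-1][5]}
```

For 2147541020 (0x8000E01C) the decoder reports a vendor-defined device type 0x8000, function 0x807, METHOD_BUFFERED and read|write access, i.e. a custom driver interface rather than a documented Windows device class.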
Undocumented Windows internals are fun. Maybe someone with more time can find out if we can abuse this :D
Update: The driver handle originates from this call: which is of the form of a driver or physical storage name, but it's not well documented what that name is.