Static Code Analysis on The Effect of Virtual Secure Mode on Memory Acquisition with IDA
Memory acquisition is one of the activities of digital forensics, and several tools support it. Currently, a feature named secure mode can cause memory acquisition tools to crash or raise errors, which makes the tools unusable and also results in the loss of the computer's memory. This research focuses on analyzing acquisition tools that crash or raise errors when the device being used for memory acquisition is in secure mode. The analysis is carried out using static code analysis, which is one of the techniques of reverse engineering, using IDA. The study aims to find the cause of the crash or error in memory acquisition tools. Its purpose is to help digital forensic testers understand the potential risk that secure mode poses to the acquisition process. The results indicate that differences in the operating system and in the kernel running on the device are the reasons that memory acquisition tools cannot run properly in an environment with VSM turned on.
This work is licensed under a Creative Commons Attribution 4.0 International License.
Manuscript submitted to IJoICT has to be an original work of the author(s), contains no element of plagiarism, and has never been published or is not being considered for publication in other journals. Author(s) shall agree to assign all copyright of published article to IJoICT. Requests related to future re-use and re-publication of major or substantial parts of the article must be consulted with the editors of IJoICT.