Live forensics on the Windows 10 secure kernel.
The thesis examines the internals of the Windows 10 secure kernel (the kernel that runs in Virtual Trust Level 1 under Virtualization-Based Security), explores ways of performing live forensics on it, and describes how to extract a full memory dump from a virtual machine running inside a nested hypervisor. It also provides software used in the investigation of the secure kernel, with demonstrations of how secure kernel memory is laid out, and documents Secure Kernel Objects (SKOs), artifacts that could be useful to a forensic investigator wishing to understand the secure kernel.