Lab – Memory Forensics:

For this lab, you will be examining the contents of a random access memory (RAM) dump. The Software Engineering Institute (SEI) produced a good paper comparing live response with analysis of a memory image:
http://www.sei.cmu.edu/library/abstracts/reports/08tn017.cfm

With a physical system, you will need to use a tool like EnCase, FTK Imager, or Mandiant's Memoryze™ tool to create an image of volatile memory. If you're working with a virtual machine (VM), you can simply create a snapshot and conduct the analysis on the resulting .vmem file. Whichever way the image was obtained, record its hash before you begin so that every piece of output in your report can be tied to one specific evidence file.

Complete the following steps on the Lab VM or your own workstation. These tools are already installed on the VM. You'll need to download them yourself if you're using a custom workstation:

Volatility: https://code.google.com/p/volatility/downloads/list

Using the output you obtain from the steps below, answer the following questions in your report:

1. What was Jane's IP address at the time of the memory acquisition, and how do you know?
2. Are there any active connections, and do they appear legitimate (i.e. normal business or personal use of the system)?
3. What services or applications currently have open ports in listen mode, and are any of them suspicious?

For any suspicious processes identified, explore open handles and process trees to find out more about the processes. You may also want to check the process executables against an online malware database like VirusTotal to see if they have been previously reviewed for malicious content. Note that an executable dumped out of memory is rebuilt from the loaded image and will not hash the same as the file on disk, so look up the on-disk copy (the path reported by the process's handles or loaded modules) where you can.

Include screenshots and command line output in your report. Be sure to include your analysis as well. I will be looking for answers to the questions above, clearly supported by evidence in your report.

To investigate using Volatility:

If you would like to explore Volatility commands beyond those presented here, you may want to start with this cheat-sheet:
http://code.google.com/p/volatility/downloads/detail?name=CheatSheet_v2.3.pdf

1. First, make sure the Volatility executable is in the same folder as the RAM image (on the VM, you can use E:\evidence). If you are using the VM, move vol.exe from the desktop to E:\ and rename it to volatility.exe (this avoids confusion with the VOL command built into Windows).

2. Your first action with Volatility is to identify the image "profile" (the imageinfo plugin suggests candidate profiles; if it offers more than one, kdbgscan shows which one actually matches the kernel in the image). You'll want to use the recommended profile in subsequent commands with the "--profile=" switch. The switch is two hyphens; a single dash pasted from a document is not recognised.

3. To collect network information, use the following (all one line):

   E:\Evidence>volatility.exe -f Jane_ram_dd.001 --profile=Win7SP1x86_23418 netscan

   If the output is too large to analyse on your screen, redirect it to a file:

   E:\Evidence>volatility.exe -f Jane_ram_dd.001 --profile=Win7SP1x86_23418 netscan > volnetscan.txt

4. Running processes can be obtained using (again, all one line):

   E:\Evidence>volatility.exe -f "r:\Unallocated Clusters" --profile=Win7SP1x86_23418 pslist

   This example runs pslist against an exported unallocated-clusters file. To list the processes in Jane's RAM image, give pslist the same -f Jane_ram_dd.001 argument you used for netscan.

Use these Volatility cheat sheets or any other resource to further investigate the RAM image and answer the questions posed.
- http://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf
- https://digital-forensics.sans.org/media/memory-forensics-cheat-sheet.pdf

Include any additional potential evidence discovered using the Volatility tool in your report.

To investigate using Autopsy:

1. Start Autopsy and open the case you have been using for the course.
2. Ensure jane_ram_dd.001 has been added to the case and the appropriate ingest modules have been run (see the week 2 lab manual).
3. In the tree view, navigate to Interesting Items on the left-hand side.
4. Expand Interesting Items to see the Volatility results. Tag any results of interest.
5. Compare the results from the Volatility plugin to the command-line Volatility output.
6. Is there a difference?
7. Are there additional items in the Volatility plugin or in the command-line output?
8. Ensure you include results from both the command line and the Autopsy plugin in your Week 3 lab report.

Think about the following questions, but you don't have to answer them in your report:
• Why do you suppose some of the results varied?
• What issues could this raise when presenting evidence in a courtroom or under cross-examination?
• How can you de-conflict results for an accurate picture of the evidence?
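To work through the netscan and pslist output from the Volatility steps above without reading it by eye, here is an added Python example (my code, not part of the lab manual or of Volatility). It parses the plain-text output of the two plugins, pulls out what the three report questions ask for (the host's own IP address, established connections, listening ports), flags listeners outside an assumed allow-list of ports a stock Windows 7 workstation normally has open, and walks the parent chain of the owning process from pslist. The embedded sample output, the process name update_helper.exe, the addresses and PIDs, and the allow-list are all constructed assumptions for illustration; pass the paths of your own redirected output files to run it on Jane's image.

```python
"""Triage helpers for Volatility 2 netscan and pslist text output.

Added example for this lab, not code from the lab manual or from Volatility.
Feed it the output you redirected to files (volnetscan.txt, volpslist.txt); the
samples embedded below are CONSTRUCTED to mimic the Volatility 2.x column layout
for a Win7SP1x86 image, and every address, PID and process name is invented.
"""
import re
import sys

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

# Constructed: volatility.exe -f <image> --profile=Win7SP1x86_23418 netscan
NETSCAN_SAMPLE = """\
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e0e4008 TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        704      svchost.exe
0x3e1d6e58 UDPv4    192.168.56.101:137             *:*                                   4        System         2014-03-10 14:02:11 UTC+0000
0x3e2a1df8 TCPv4    192.168.56.101:49171           93.184.216.34:443    ESTABLISHED      2216     iexplore.exe
0x3e2c3008 TCPv4    0.0.0.0:4444                   0.0.0.0:0            LISTENING        1988     update_helper.exe
0x3e2f1a10 TCPv4    192.168.56.101:49180           198.51.100.23:4444   ESTABLISHED      1988     update_helper.exe
0x3e3010a8 TCPv6    :::445                         :::0                 LISTENING        4        System
"""

# Constructed: volatility.exe -f <image> --profile=Win7SP1x86_23418 pslist
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x84126020 System                    4      0     76      499 ------      0 2014-03-10 14:02:01 UTC+0000
0x8593d1b8 smss.exe                272      4      2       29 ------      0 2014-03-10 14:02:01 UTC+0000
0x86104d40 explorer.exe           1544   1520     30      873      1      0 2014-03-10 14:03:40 UTC+0000
0x86a0f3c0 update_helper.exe      1988   1544      3       65      1      0 2014-03-10 14:05:02 UTC+0000
0x86b2c030 iexplore.exe           2216   1544     12      410      1      0 2014-03-10 14:06:15 UTC+0000
"""

# Assumed allow-list: ports a stock Windows 7 workstation normally listens on.
# Anything outside it is a lead to chase with handles/dlllist, not a verdict.
EXPECTED_LISTEN_PORTS = {135, 137, 138, 139, 445, 5355, 49152, 49153, 49154, 49155, 49156, 49157}


def parse_netscan(text):
    """One dict per data row. Rows start with a hex offset. State is blank for
    UDP sockets and Owner/Created may be absent, so the trailing fields are
    classified by content instead of being taken by column position."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith("0x"):
            continue  # header, separator or blank line
        offset, proto, local, foreign = parts[:4]
        rest = parts[4:]
        state = "" if rest[0].isdigit() else rest.pop(0)   # UDP rows have no State
        pid = int(rest.pop(0))
        owner = "" if not rest or DATE_RE.match(rest[0]) else rest.pop(0)
        rows.append({"offset": offset, "proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid, "owner": owner, "created": " ".join(rest)})
    return rows


def split_endpoint(endpoint):
    """Split on the last colon so ':::445' and '*:*' work as well as IPv4."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def local_ips(rows):
    """Question 1: addresses the host was bound to. Wildcard and loopback binds
    say nothing about the machine's own address, so they are skipped."""
    ips = set()
    for r in rows:
        host, _ = split_endpoint(r["local"])
        if host not in ("0.0.0.0", "::", "*", "") and not host.startswith("127."):
            ips.add(host)
    return sorted(ips)


def established(rows):
    """Question 2: live connections as (local, foreign, pid, owner)."""
    return [(r["local"], r["foreign"], r["pid"], r["owner"]) for r in rows if r["state"] == "ESTABLISHED"]


def listeners(rows):
    """Question 3: listening sockets as (proto, port, pid, owner)."""
    return sorted((r["proto"], int(split_endpoint(r["local"])[1]), r["pid"], r["owner"])
                  for r in rows if r["state"] == "LISTENING")


def unexpected_listeners(rows):
    return [entry for entry in listeners(rows) if entry[1] not in EXPECTED_LISTEN_PORTS]


def parse_pslist(text):
    """Map PID -> {'name', 'ppid'} from pslist output (offset, name, PID, PPID, ...)."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].startswith("0x"):
            procs[int(parts[2])] = {"name": parts[1], "ppid": int(parts[3])}
    return procs


def ancestry(procs, pid):
    """Parent chain for a PID. It stops at a parent missing from pslist (exited,
    as userinit.exe has by the time explorer.exe runs) or on a PID cycle."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(f"{procs[pid]['name']}({pid})")
        pid = procs[pid]["ppid"]
    return " <- ".join(chain)


def triage(netscan_text, pslist_text):
    """Summary for the report: each unexpected listener is paired with its process tree."""
    rows, procs = parse_netscan(netscan_text), parse_pslist(pslist_text)
    return {"local_ips": local_ips(rows), "established": established(rows), "listeners": listeners(rows),
            "unexpected": [(entry, ancestry(procs, entry[2])) for entry in unexpected_listeners(rows)]}


if __name__ == "__main__":
    # python triage.py volnetscan.txt volpslist.txt  (no arguments: use the constructed samples)
    if len(sys.argv) == 3:
        netscan_text, pslist_text = (open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:])
    else:
        netscan_text, pslist_text = NETSCAN_SAMPLE, PSLIST_SAMPLE
    for key, value in triage(netscan_text, pslist_text).items():
        print(f"{key}: {value}")
```

Two caveats when you apply this to real output: on Vista and later, netscan carves socket structures from memory and so also returns closed or residual sockets, which is why the script keeps the raw state and created columns for you to judge rather than counting every row as "active"; and a short parent chain is not by itself suspicious, since the normal parent of explorer.exe has usually exited, so confirm any flagged process with handles, dlllist and the on-disk path before writing it up.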
