Capturing Dynamic Evidence
last edited by Patrick 1 month, 1 week ago

Assignment 3: RAM and Swap Capture

For your work on the last two assignments, Ms. Wilde has promoted you to the rank of Chief Digital Evidence Examiner at Palindrome. Shortly after, a phone call from the county Sheriff's office was transferred to you. The deputy explains that earlier, a suspected pipe bomb exploded in an aviation facility and a person was detained while attempting to flee the scene. Deputies are currently at the suspect's house, and they believe there is evidence related to the investigation on the suspect's computer, which is currently powered on; the deputy is afraid that powering off the computer first could lose some evidence. You meet the deputy at the door along with their in-house computer examiner, who asks you to copy the volatile evidence so they can shut down the computer and make a forensic duplicate of the drive for analysis later.

The computer is a Dell running XP with 512MB RAM installed (I know what you're thinking, but don't laugh too much: it was an easy way to provide you a full, working VM that wasn't absurdly large to download!). Using your trusty USB thumb drive with FTK Imager installed, you make your copy to analyze and, as you're leaving, overhear the suspect yell at the deputy, "I'm not lying! I've never heard of the Unabomber!" You've been tasked with finding any evidence which may cast doubt on the suspect's statement.

Deliverables
1. A non-technical management summary that explains what you were asked to do, what you did, and your findings.
2. A technical summary that explains the tools and procedures you used and what you recovered.
   i. Be specific about the procedures - numbered steps (step 1, step 2, step 3, etc.).
   ii. Your results section should have the evidence you recovered, along with descriptions of the evidence.
3. A conclusion section that explains how (if?) you were able to prove the suspect was lying.

Software
You can choose either option:
• Download FTK Imager 3.2.0:
  • AccessData Product Downloads
  • Follow These Directions
• Run FTK Imager from a flash drive (Imager Lite): Support Portal
  • Original FTK Imager Lite 3.1.1
  • FTK Imager Lite 3.1.1
  • Original version of Lite, which extracts directly to a USB drive

Important! USB 3.0 devices will not work inside this XP VM. If you're having trouble getting the VM to recognize you have a flash drive attached, make sure you're not using a USB 3.0 drive.

Setup
1. Have FTK Imager installed and ready to go on a USB (not 3.0) flash drive. You won't install Imager in the virtual machine; doing so would change evidence, and you wouldn't have the time before valuable volatile information was lost.
   i. Note that I said FTK Imager and NOT FTK; we will not need or be using the full version of FTK.
2. Download the compressed VM and unzip it. Inside the extracted Windows XP RAM Capture directory is a file which ends in .vmdk. If you add/open that in Workstation or just double-click it, this will start the VM. Don't do that until you're ready! The VM is in a suspended state and will begin running from where it was paused, meaning the contents of RAM will begin to change from that point.
3. Download and install strings and PhotoRec if you're doing the analysis in Windows; otherwise you can use 'strings' in Linux and PhotoRec (sudo aptitude install photorec).

Procedure
Remember that as the VM is running, the content of RAM and the swap file are changing. I suggest doing this procedure more than once: run through it once to get the procedure down, then delete the extracted VM folder, extract a new copy, and start the process over for the assignment.
1. Use FTK Imager to dump the RAM and the swap.
   i. Make sure the location being saved to is your flash drive and not the virtual machine.
2. Run strings on the RAM dump and swap file.
3. Use a text editor to search for any evidence that may indicate the suspect is lying.
   i. Hint: Use Google before you run the search to do a little preliminary investigation on what keywords may be useful.
      a. We'll probably be on some watch list after this, so don't forget to occasionally say hello to our new government surveillant.
         Just type something out now and again. Don't worry, they'll see!
4. Recover any lengthy text which would be useful in proving the suspect is lying.
   i. Include a few paragraphs of the text document in your report in an appendix.
   ii. Note whether you were able to recover the entire content of the document(s) by finding the original document and comparing.
   iii. Taking a hash will not work in this situation; you'll have to visually compare.
   iv. Note the origin of the recovered text - RAM or swap.
5. Recover any graphics files in RAM and swap.
   i. Include these files, along with hashes of each file, in your report.
   ii. Note the source - RAM or swap - of where the recovered files came from.
6. Include a few examples of web searches the suspect performed.
   i. Note which search may have led to the recovered text.
   ii. Note the source as well - RAM or swap.
7. Use 'www.tineye.com' to do a reverse image search on any graphics files you found.
   i. Did you get any hits? If not, what is your best guess as to why there were no hits?
   ii. Hint: How does tineye.com work, and how does a carving tool carve files from an image?
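Steps 2 through 5 of the procedure, worked as an added Python example. This is example code written for this page, not code from the assignment, FTK Imager or PhotoRec. It runs against a constructed stand-in for a memory dump (all of its contents, the keyword list, the signature table and the field names in the results are assumptions made for the example), and it shows two things the "run strings" and "recover graphics" steps leave implicit: Windows keeps much of its user-visible text (window titles, URLs, Notepad buffers) as UTF-16LE, which the default ASCII pass of strings misses, and a header/trailer carver must record whether it actually found the trailer, because the hash of a fragment describes that fragment and not the original file.

```python
"""Constructed stand-in for steps 2-5: extract ASCII and UTF-16LE strings,
search them for keywords, and carve images by signature with hashes.
Example code added to this page; not from the assignment or FTK Imager."""
import hashlib
import re

# Signatures (standard file-format magic): type -> (header, trailer).  PNG ends
# with the IEND chunk plus its CRC, GIF with the block terminator, JPEG with EOI.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF8", b"\x00;"),
}


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) tuples sorted by offset.

    Plain `strings` only reports the ASCII runs; Windows stores window titles,
    URLs and Notepad text as UTF-16LE, so the second pattern is what usually
    turns up browser history and document contents in an XP dump."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)


def search_keywords(strings, keywords, source):
    """Case-insensitive keyword hits, each tagged with its source (RAM or swap)
    and offset so the report can say exactly where the evidence came from."""
    wanted = [k.lower() for k in keywords]
    return [{"source": source, "offset": off, "encoding": enc, "text": text}
            for off, enc, text in strings
            if any(k in text.lower() for k in wanted)]


def carve_images(data, source, max_size=10 * 1024 * 1024):
    """Header/trailer carving.  'complete' is False when no trailer was found
    within max_size bytes of the header; the blob is then cut at max_size or
    end of data, and its hash describes that fragment, not the original file."""
    carved = []
    for kind, (header, trailer) in SIGNATURES.items():
        start = data.find(header)
        while start != -1:
            end = data.find(trailer, start + len(header), start + max_size)
            complete = end != -1
            stop = end + len(trailer) if complete else min(len(data), start + max_size)
            blob = data[start:stop]
            carved.append({
                "source": source, "type": kind, "offset": start, "size": len(blob),
                "complete": complete,
                "md5": hashlib.md5(blob).hexdigest(),
                "sha1": hashlib.sha1(blob).hexdigest(),
                "data": blob,
            })
            start = data.find(header, stop if complete else start + len(header))
    return sorted(carved, key=lambda c: c["offset"])


def build_sample_dump():
    """Constructed 'RAM dump': an ASCII window title, a UTF-16LE search URL,
    a complete JPEG-shaped blob and a PNG with its IEND chunk missing.
    All values are made up for this example."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
    png_truncated = b"\x89PNG\r\n\x1a\n" + b"IHDR" + b"\x01" * 20  # no IEND
    url = "http://www.google.com/search?q=unabomber".encode("utf-16-le")
    return (b"\x00" * 8 + b"Notepad - manifesto.txt" + b"\x00" * 5 + url
            + b"\x00" * 7 + jpeg + b"\x00" * 3 + png_truncated + b"\x00" * 9)


if __name__ == "__main__":
    dump = build_sample_dump()          # real use: open("memdump.mem", "rb").read()
    strings = extract_strings(dump)
    for hit in search_keywords(strings, ["unabomber", "manifesto"], "RAM"):
        print("hit  %(source)s @0x%(offset)08x [%(encoding)s] %(text)s" % hit)
    for img in carve_images(dump, "RAM"):
        print("file %(source)s @0x%(offset)08x %(type)s %(size)d bytes "
              "complete=%(complete)s md5=%(md5)s" % img)
```

Run the same functions once over the RAM dump and once over the swap file, passing "RAM" or "swap" as the source argument, and the source tag in every result is what steps 4.iv, 5.ii and 6.ii ask you to record. Reading a whole 512MB dump into memory is fine here; larger images should be processed in chunks. The carver is deliberately simple: a JPEG with an embedded EXIF thumbnail contains an inner EOI marker, so a signature-only carve stops early, which is why PhotoRec parses the file structure rather than scanning for trailers. Keep the complete flag beside each hash in your report; a fragment that was paged out or overwritten before the dump is not byte-identical to the file it came from.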

Fig: 1

Fig: 2