Lab: Memory Acquisition Lab
For this exercise you will be capturing memory from your own laptops (or a virtual machine if you prefer). It is important, however, that you use a machine that is actually used. (E.g., don't install a Windows VM for this exercise to acquire it; you're looking for other real-world data.) You WILL NOT hand in your own memory image, for obvious privacy reasons. Memory acquisition can be time-consuming (directly related to how much memory you have in your machine). Accordingly, this exercise will start by capturing memory from an active machine you control BEFORE the lab period.
It is recommended you do this no later than two nights before the lab. Run the acquisition overnight, and if for some reason it doesn't work, try again the next night. Bring this image to lab with you.
Be sure to have Volatility installed on the forensics image created in the last lab; you may need additional Volatility profiles, depending on the type of machine you image. You can view the Volatility cheatsheet to get an idea of which commands to use.
This assignment is designed so you can do some hands-on acquisition and familiarize yourself with Volatility. Working with other students with different operating systems is encouraged, but the answers should remain your own and be related to your own image.
Answer the following:
1. Capture the memory of your system; what are the hash value and the output of the image info command on your image? How would you forensically handle the image (i.e., chain of custody/integrity of evidence)?
2. Get a list of running processes when the image was captured. Which commands did you use? Are there any hidden processes?
3. What arguments were used to execute the above program, and which command did you use to find it?
4. What variables did the above program have set, and what was the parent process that launched it? How did you retrieve that information?
5. Dump a hidden process (or if there wasn't one, any other running process). What command did you use? How could you determine quickly if it was malicious?
6. Retrieve the command line history (bash, cmd.exe, etc.) from the image. What command did you use? What was the last command run?
7. Get a list of installed kernel modules and list them. What command did you use?
8. What was the networking info of the machine at time of capture (IP address, active connections)? What command did you use?
9. Working with someone who had a different operating system (e.g., if you had Windows, ask someone with Linux or a Mac), take a look at how the other person retrieved information and observe the differences. How would you accommodate multiple platforms in an investigation? Give the image info output for the other student's image you were looking at.
10. What other commands can you run that give you interesting information? (Can you retrieve your browser history, OTR chats, etc.?) Explore the capability of this kind of analysis.
Attachment:- Lab Assignment.rar