2 \newpage\section{Questions image1.vmem (5 points)}
3 \subsection{What information can you extract about the operating system?}
4 \ttfamily{volatility -f image1.vmem imageinfo}
6 Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
7 AS Layer1 : IA32PagedMemoryPae (Kernel AS)
8 AS Layer2 : FileAddressSpace (/home/jan/vmshare/digforRAM/image1.vmem)
12 Number of Processors : 1
13 Image Type (Service Pack) : 3
14 KPCR for CPU 0 : 0xffdff000
15 KUSER_SHARED_DATA : 0xffdf0000
16 Image date and time : 2011-11-30 11:14:10
17 Image local date and time : 2011-11-30 12:14:10 +0100
20 \subsection{What happened at the time of the RAM dump}
22 \ttfamily{volatility -f image1.vmem -{}-profile=WinXPSP2x86 pstree}
24 Name Pid PPid Thds Hnds Time
25 --------------------------------- ------ ------ ------ ------ ----
26 0x823c8830:System 4 0 56 252 1970-01-01 00:00:00
27 . 0x822224c8:smss.exe 552 4 3 19 2011-11-30 11:10:38
28 .. 0x822aaae0:csrss.exe 600 552 10 431 2011-11-30 11:10:39
29 .. 0x822479c0:winlogon.exe 624 552 24 522 2011-11-30 11:10:40
30 ... 0x8229db68:services.exe 676 624 15 259 2011-11-30 11:10:40
31 .... 0x821a23c0:VMUpgradeHelper 512 676 6 97 2011-11-30 11:10:54
32 .... 0x821e3260:alg.exe 1368 676 7 104 2011-11-30 11:10:56
33 .... 0x82293728:svchost.exe 1032 676 84 1552 2011-11-30 11:10:40
34 ..... 0x821a1650:wuauclt.exe 1132 1032 8 177 2011-11-30 11:10:54
35 ..... 0x821ea4c0:wscntfy.exe 1988 1032 1 39 2011-11-30 11:10:56
36 ..... 0x81e1cb08:wuauclt.exe 3560 1032 6 118 2011-11-30 11:11:55
37 .... 0x82100b28:svchost.exe 940 676 9 261 2011-11-30 11:10:40
38 .... 0x82096748:svchost.exe 1080 676 5 ------ 2011-11-30 11:10:40
39 .... 0x82225020:vmacthlp.exe 844 676 1 25 2011-11-30 11:10:40
40 .... 0x81ea1558:spoolsv.exe 1620 676 14 123 2011-11-30 11:10:42
41 .... 0x82228020:svchost.exe 860 676 19 204 2011-11-30 11:10:40
42 ..... 0x81dfa918:AcroRd32Info.ex 3728 860 7 149 2011-11-30 11:12:28
43 ..... 0x81e23878:wmiprvse.exe 992 860 5 189 2011-11-30 11:10:54
44 .... 0x8219d578:svchost.exe 1124 676 15 210 2011-11-30 11:10:41
45 .... 0x81e27da0:vmtoolsd.exe 252 676 6 222 2011-11-30 11:10:51
46 ... 0x820a3aa8:lsass.exe 688 624 24 362 2011-11-30 11:10:40
47 0x8220ac08:explorer.exe 1512 1460 16 424 2011-11-30 11:10:42
48 . 0x81e7d020:AdobeARM.exe 1796 1512 8 143 2011-11-30 11:10:43
49 . 0x81e7a2a0:ctfmon.exe 1804 1512 1 99 2011-11-30 11:10:43
50 . 0x822149f8:VMwareTray.exe 1752 1512 1 58 2011-11-30 11:10:43
51 . 0x81dc5958:AcroRd32.exe 3692 1512 4 161 2011-11-30 11:12:27
52 .. 0x8228c400:rundll32.exe 3968 3692 1 59 2011-11-30 11:14:06
53 . 0x81e67308:Netlogon.exe 3976 1512 1 14 2011-11-30 11:14:06
54 . 0x82203da0:VMwareUser.exe 1772 1512 6 211 2011-11-30 11:10:43
55 0x821fb3d8:svchost.exe 416 1828 4 138 2011-11-30 11:10:53
56 0x821d7da0:svchost.exe 3708 3632 5 144 2011-11-30 11:12:28
59 \ttfamily{volatility -f image1.vmem --profile=WinXPSP2x86 sockscan}
61 Offset(P) PID Port Proto Protocol Address Create Time
62 ---------- -------- ------ ------ --------------- --------------- -----------
63 0x02008008 1080 1033 17 UDP 0.0.0.0 2011-11-30 11:11:07
64 0x02009250 1368 1027 6 TCP 127.0.0.1 2011-11-30 11:10:56
65 0x02060460 4 137 17 UDP 192.168.187.130 2011-11-30 11:10:44
66 0x02062140 4 138 17 UDP 192.168.187.130 2011-11-30 11:10:44
67 0x0206c258 4 139 6 TCP 192.168.187.130 2011-11-30 11:10:44
68 0x02105e98 932 135 6 TCP 0.0.0.0 2011-11-30 11:05:07
69 0x02118c08 1092 1025 17 UDP 0.0.0.0 2011-11-29 13:44:23
70 0x0235b008 1032 123 17 UDP 192.168.187.130 2011-11-30 11:10:54
71 0x0235e570 4 1031 6 TCP 0.0.0.0 2011-11-30 11:10:57
72 0x0236e220 4 445 17 UDP 0.0.0.0 2011-11-30 11:10:37
73 0x02373338 4 0 47 GRE 0.0.0.0 2011-11-30 11:10:57
74 0x02385e98 688 4500 17 UDP 0.0.0.0 2011-11-30 11:10:52
75 0x0238a8e0 688 0 255 Reserved 0.0.0.0 2011-11-30 11:10:52
76 0x02396548 1032 123 17 UDP 127.0.0.1 2011-11-30 11:10:55
77 0x023e6e98 1124 1900 17 UDP 127.0.0.1 2011-11-30 11:10:56
78 0x023f2e98 688 500 17 UDP 0.0.0.0 2011-11-30 11:10:52
79 0x02408e98 1124 1900 17 UDP 192.168.187.130 2011-11-30 11:10:56
80 0x024650b0 940 135 6 TCP 0.0.0.0 2011-11-30 11:10:40
81 0x024a5970 4 445 6 TCP 0.0.0.0 2011-11-30 11:10:37
85 \subsection{Can you find traces of Malware?}
86 emph{\textbf{rundll32.exe}} could hint that the system has been compromised.\\
88 Extracting screenshots with \ttfamily{volatility -f image1.vmem --profile=WinXPSP2x86 screenshot --dump-dir screenshots} brings an image named \emph{\textbf{IMAGE1:/screenshots/session\_0.WinSta0.Default.png}} containing an outline with a Message where DEP is closing Acrobat with an open file named \emph{\textbf{navy procurement.pdf}}.\\
89 This could hint at a compromised PDF.\\
91 The TCP-LISTEN on port 1031 seems to be used by malware as described by \url{http://de.adminsub.net/tcp-udp-port-finder/1031} or \url{http://www.auditmypc.com/tcp-port-1031.asp}.\\
93 \ttfamily{volatility -f image1.vmem --profile=WinXPSP2x86 ldrmodules}
95 Pid Process Base InLoad InInit InMem MappedPath
96 ---- -------------------- ---------- ------ ------ ----- ----------
97 3976 Netlogon.exe 0x00400000 True False True \Documents and Settings\
98 Administrator\Local Settings\Netlogon.exe
100 contains a suspicious line: a Netlogon.exe instance which resides in:\\
101 \emph{\textbf{\textbackslash{}Documents and Settings\textbackslash{}Administrator\textbackslash{}Local Settings\textbackslash{}Netlogon.exe}}\\
102 This looks very suspicious.
105 \newpage\section{Questions image2.vmem (5 points)}
106 \subsection{What information can you extract about the operating system?}
107 \ttfamily{volatility -f image2.vmem imageinfo}\
109 Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
110 AS Layer1 : IA32PagedMemoryPae (Kernel AS)
111 AS Layer2 : FileAddressSpace (/home/jan/vmshare/digforRAM/image2.vmem)
115 Number of Processors : 1
116 Image Type (Service Pack) : 1
117 KPCR for CPU 0 : 0x81afd800
118 KUSER_SHARED_DATA : 0xffdf0000
119 Image date and time : 2011-11-30 14:23:46
120 Image local date and time : 2011-11-30 15:23:46 +0100
123 \ttfamily{volatility -f image2.vmem -{}-profile=Win2008SP1x86 pstree}
125 Name Pid PPid Thds Hnds Time
126 --------------------------------- ------ ------ ------ ------ ----
127 0x84a802d0:csrss.exe 460 448 10 518 2011-11-30 14:03:24
128 0x84b7b020:wininit.exe 500 448 3 99 2011-11-30 14:03:25
129 . 0x844ba020:lsass.exe 600 500 16 562 2011-11-30 14:03:25
130 . 0x84bab020:services.exe 584 500 7 233 2011-11-30 14:03:25
131 .. 0x84ddba50:msdtc.exe 2176 584 14 174 2011-11-30 14:03:49
132 .. 0x84d851c8:svchost.exe 1032 584 42 786 2011-11-30 14:03:30
133 ... 0x84e252c8:taskeng.exe 1920 1032 7 137 2011-11-30 14:03:41
134 ... 0x84511248:taskeng.exe 2504 1032 15 318 2011-11-30 14:03:59
135 .. 0x84506188:SearchIndexer.e 2028 584 18 756 2011-11-30 14:03:46
136 ... 0x84291150:SearchProtocolH 3804 2028 6 318 2011-11-30 14:05:05
137 ... 0x842b0758:SearchFilterHos 3828 2028 3 90 2011-11-30 14:05:05
138 ... 0x842b2070:SearchProtocolH 3868 2028 5 283 2011-11-30 14:05:06
139 .. 0x84e4c688:svchost.exe 1296 584 19 378 2011-11-30 14:03:31
140 .. 0x84e27ce8:dllhost.exe 1796 584 18 256 2011-11-30 14:03:47
141 .. 0x84dc0b68:VSSVC.exe 2392 584 5 127 2011-11-30 14:03:55
142 .. 0x843ead90:VMwareService.e 1316 584 7 226 2011-11-30 14:03:45
143 .. 0x84cc2158:svchost.exe 1224 584 20 583 2011-11-30 14:03:31
144 .. 0x84c7bd90:svchost.exe 824 584 7 285 2011-11-30 14:03:30
145 .. 0x84d1d4a8:dllhost.exe 1356 584 20 195 2011-11-30 14:03:46
146 .. 0x84d85d90:spoolsv.exe 1488 584 18 311 2011-11-30 14:03:31
147 .. 0x844a6020:svchost.exe 1016 584 33 455 2011-11-30 14:03:30
148 ... 0x84e92020:dwm.exe 2864 1016 3 63 2011-11-30 14:04:16
149 .. 0x84d99540:svchost.exe 1108 584 5 122 2011-11-30 14:03:30
150 .. 0x84488020:svchost.exe 856 584 15 377 2011-11-30 14:03:30
151 .. 0x84e753f0:svchost.exe 1444 584 4 43 2011-11-30 14:03:46
152 .. 0x84da2440:svchost.exe 988 584 24 362 2011-11-30 14:03:30
153 ... 0x84d70440:audiodg.exe 1084 988 6 110 2011-11-30 14:03:30
154 .. 0x84d8da20:svchost.exe 1512 584 31 302 2011-11-30 14:03:31
155 .. 0x84d94c40:SLsvc.exe 1132 584 5 86 2011-11-30 14:03:30
156 .. 0x84e41020:svchost.exe 496 584 6 123 2011-11-30 14:03:45
157 .. 0x84c8f278:svchost.exe 760 584 6 294 2011-11-30 14:03:30
158 ... 0x842c37d0:WmiPrvSE.exe 536 760 7 139 2011-11-30 14:23:39
159 . 0x84b84020:lsm.exe 608 500 10 162 2011-11-30 14:03:25
160 0x84d83a58:explorer.exe 2884 2856 31 633 2011-11-30 14:04:16
161 . 0x845108f8:cmd.exe 3576 2884 1 18 2011-11-30 14:04:46
162 .. 0x84287d90:telnet.exe 3968 3576 3 92 2011-11-30 14:05:14
163 . 0x844d4858:MSASCui.exe 2992 2884 11 314 2011-11-30 14:04:18
164 . 0x84e0e528:VMwareUser.exe 3008 2884 6 192 2011-11-30 14:04:18
165 . 0x84d4cd90:sidebar.exe 3076 2884 9 267 2011-11-30 14:04:18
166 . 0x844c4d90:VMwareTray.exe 3000 2884 1 56 2011-11-30 14:04:18
167 0x82db0790:System 4 0 100 501 2011-11-30 14:02:51
168 . 0x844913f8:smss.exe 396 4 4 28 2011-11-30 14:03:23
169 0x84e3fb80:csrss.exe 2076 2068 9 237 2011-11-30 14:03:48
170 0x843765a8:winlogon.exe 2100 2068 4 123 2011-11-30 14:03:48
174 Offset(P) Proto Local Address Foreign Address State Pid Owner Created
175 0x1dcd41d8 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 988 svchost.exe
176 0x1dd0b100 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 988 svchost.exe
177 0x1dd0b100 TCPv6 :::49153 :::0 LISTENING 988 svchost.exe
178 0x1de7de10 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 1032 svchost.exe
179 0x1ded9488 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 824 svchost.exe
180 0x1def6a60 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System
181 0x1def6a60 TCPv6 :::445 :::0 LISTENING 4 System
182 0x1df3c250 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 500 wininit.exe
183 0x1df3c250 TCPv6 :::49152 :::0 LISTENING 500 wininit.exe
184 0x1df46008 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 824 svchost.exe
185 0x1df46008 TCPv6 :::135 :::0 LISTENING 824 svchost.exe
186 0x1df4d920 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 1032 svchost.exe
187 0x1df4d920 TCPv6 :::49154 :::0 LISTENING 1032 svchost.exe
188 0x1df86858 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 500 wininit.exe
189 0x1e69b678 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 600 lsass.exe
190 0x1e69b678 TCPv6 :::49155 :::0 LISTENING 600 lsass.exe
191 0x1e69bf60 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 600 lsass.exe
192 0x1e6bf288 TCPv4 192.168.187.132:139 0.0.0.0:0 LISTENING 4 System
193 0x1e6fd008 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 584 services.exe
194 0x1e6fd008 TCPv6 :::49156 :::0 LISTENING 584 services.exe
195 0x1e98b358 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 584 services.exe
196 0x1e711a68 TCPv4 192.168.187.132:49158 94.142.241.111:23 ESTABLISHED 3968 telnet.exe
197 0x1dc22c08 UDPv4 0.0.0.0:0 *:* 1032 svchost.exe 2011-11-30 14:03:45
198 0x1dc22c08 UDPv6 :::0 *:* 1032 svchost.exe 2011-11-30 14:03:45
199 0x1dc463f8 UDPv4 0.0.0.0:500 *:* 1032 svchost.exe 2011-11-30 14:03:45
200 0x1dc463f8 UDPv6 :::500 *:* 1032 svchost.exe 2011-11-30 14:03:45
201 0x1dc80008 UDPv4 0.0.0.0:5355 *:* 1296 svchost.exe 2011-11-30 14:04:10
202 0x1dc80008 UDPv6 :::5355 *:* 1296 svchost.exe 2011-11-30 14:04:10
203 0x1dd0c4e8 UDPv4 0.0.0.0:500 *:* 1032 svchost.exe 2011-11-30 14:03:45
204 0x1dd0c800 UDPv4 0.0.0.0:4500 *:* 1032 svchost.exe 2011-11-30 14:03:45
205 0x1de98d60 UDPv4 0.0.0.0:0 *:* 496 svchost.exe 2011-11-30 14:03:45
206 0x1df237b0 UDPv4 0.0.0.0:123 *:* 1224 svchost.exe 2011-11-30 14:04:07
207 0x1df237b0 UDPv6 :::123 *:* 1224 svchost.exe 2011-11-30 14:04:07
208 0x1df89910 UDPv4 192.168.187.132:137 *:* 4 System 2011-11-30 14:03:44
209 0x1dfb03f0 UDPv4 0.0.0.0:0 *:* 1032 svchost.exe 2011-11-30 14:03:45
210 0x1e151008 UDPv4 0.0.0.0:5355 *:* 1296 svchost.exe 2011-11-30 14:04:10
211 0x1e607380 UDPv4 0.0.0.0:0 *:* 496 svchost.exe 2011-11-30 14:03:45
212 0x1e607380 UDPv6 :::0 *:* 496 svchost.exe 2011-11-30 14:03:45
213 0x1e60f390 UDPv4 192.168.187.132:138 *:* 4 System 2011-11-30 14:03:44
214 0x1e62a008 UDPv4 0.0.0.0:0 *:* 1224 svchost.exe 2011-11-30 14:03:46
215 0x1e6c9008 UDPv4 0.0.0.0:123 *:* 1224 svchost.exe 2011-11-30 14:04:07
216 0x1e6f2368 UDPv4 0.0.0.0:0 *:* 1296 svchost.exe 2011-11-30 14:04:10
217 0x1e6f2368 UDPv6 :::0 *:* 1296 svchost.exe 2011-11-30 14:04:10
218 0x1e96d4b8 UDPv4 0.0.0.0:0 *:* 1224 svchost.exe 2011-11-30 14:03:46
219 0x1e96d4b8 UDPv6 :::0 *:* 1224 svchost.exe 2011-11-30 14:03:46
222 \subsection{What users are there on the system? Extract the password
223 hashes and passwords.}
224 volatility -f image2.vmem --profile=Win2008SP1x86 hashdump -s 0x94cdb6a8 -y 0x86224008
226 Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
227 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
228 Vista:1000:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
229 Bob:1001:aad3b435b51404eeaad3b435b51404ee:878d8014606cda29677a44efa1353fc7:::
230 Alice:1002:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
231 Eve:1003:aad3b435b51404eeaad3b435b51404ee:4d55663e41abd66cf17584c9c9f7c86c:::
234 \subsection{What "movie" was watched by the logged in user (beware, not a real movie!)?}
235 volatility -f image2.vmem --profile=Win2008SP1x86 cmdscan
237 Volatility Foundation Volatility Framework 2.3.1
238 **************************************************
239 CommandProcess: csrss.exe Pid: 2076
240 CommandHistory: 0xe31160 Application: telnet.exe Flags: Allocated
241 CommandCount: 0 LastAdded: -1 LastDisplayed: -1
242 FirstCommand: 0 CommandCountMax: 50
244 Cmd #31 @ 0xe2fa54: ?
245 Cmd #34 @ 0x76bca0a0: ????????????j???????
246 Cmd #35 @ 0x755c522e: ??????
247 Cmd #47 @ 0xe30001: ????
248 **************************************************
249 CommandProcess: csrss.exe Pid: 2076
250 CommandHistory: 0x83c32d8 Application: cmd.exe Flags: Allocated, Reset
251 CommandCount: 1 LastAdded: 0 LastDisplayed: 0
252 FirstCommand: 0 CommandCountMax: 50
254 Cmd #0 @ 0xe31050: telnet towel.blinkenlights.nl
259 \newpage\section{Details}
261 \subsubsection{image1.vmem (IMAGE1)}
264 \textbf{size}: 536870912 byte\\
265 \textbf{''file''-output}: data\\
266 \textbf{sha512}\\\ttfamily{
267 04f0be53b4c7bc0e316759ce69f9f21b6e06911a1b436b13d7764bbad6413a8e\\
268 aed62520286858fcee4c1af8e92c3791762b45d34ee215cca7da01b20b33d644}
271 \subsubsection{image2.vmem}
274 \textbf{size}: 536870912 byte\\
275 \textbf{''file''-output}: data\\
276 \textbf{sha512}\\\ttfamily{
277 68998034f90148e220d8b676826ca1b96777d48a3c6214cf0782f10b1cd3a437\\
278 71bd0e862c7cc2f13c491189b8c401c017baef32836a8e96f575c3c9b2d6755b}
281 \subsubsection{IMAGE1:/screenshots/session\_0.WinSta0.Default.png}
282 Screenshot extracted from \emph{\textbf{IMAGE1}} containing an outline of the Desktop and an error-message wehre DEP is closing Acrobat Reader.
284 \textbf{size}: 8081 byte\\
285 \textbf{''file''-output}: PNG image data1025 769 8-bit/color RGB, non-interlaced\\
286 \textbf{sha512}\\\ttfamily{
287 8097897b4793b416116876a0a8a827d54a56ac619ca7673a4f37851ebfdeaa03\\
288 05805f0395e9cd0a30ad1da212c3ce407a31b4ce5d049d20b94eefbd645b2ccf}
292 \subsection{Used tools on Host}
293 Tools that were used for analysis (-{}-version):
295 \item Volatility Foundation Volatility Framework 2.3.1
296 \item sha512sum (GNU coreutils) 8.22
297 \item ls (GNU coreutils) 8.22
302 \subsection{Machines}
304 \item \textbf{Host machine}\\
305 Linux rebx 3.14.0-gentoo-somenet.org \#1 SMP Sun Apr 6 01:00:17 CEST 2014 x86\_64 Intel(R) Core(TM)2 Duo CPU T9300 \@ 2.50GHz GenuineIntel GNU/Linux
SomeNet / public repos / pub / jan / digfor.git / blob