\newpage\section{Questions image1.vmem (5 points)}
\subsection{What information can you extract about the operating system?}
\texttt{volatility -f image1.vmem imageinfo}
\begin{verbatim}
Suggested Profile(s)     : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1                : IA32PagedMemoryPae (Kernel AS)
AS Layer2                : FileAddressSpace (/home/jan/vmshare/digforRAM/image1.vmem)
Number of Processors     : 1
Image Type (Service Pack): 3
KPCR for CPU 0           : 0xffdff000
KUSER_SHARED_DATA        : 0xffdf0000
Image date and time      : 2011-11-30 11:14:10
Image local date and time: 2011-11-30 12:14:10 +0100
\end{verbatim}
The image is a 32-bit Windows XP system with Service Pack 3 and one CPU; the dump was taken on 2011-11-30 at 12:14:10 local time (UTC+1).
\subsection{What happened at the time of the RAM dump}
\texttt{volatility -f image1.vmem -{}-profile=WinXPSP2x86 pstree}
\begin{verbatim}
Name                                 Pid   PPid   Thds   Hnds Time
--------------------------------- ------ ------ ------ ------ ----
0x823c8830:System                      4      0     56    252 1970-01-01 00:00:00
. 0x822224c8:smss.exe                552      4      3     19 2011-11-30 11:10:38
.. 0x822aaae0:csrss.exe              600    552     10    431 2011-11-30 11:10:39
.. 0x822479c0:winlogon.exe           624    552     24    522 2011-11-30 11:10:40
... 0x8229db68:services.exe          676    624     15    259 2011-11-30 11:10:40
.... 0x821a23c0:VMUpgradeHelper      512    676      6     97 2011-11-30 11:10:54
.... 0x821e3260:alg.exe             1368    676      7    104 2011-11-30 11:10:56
.... 0x82293728:svchost.exe         1032    676     84   1552 2011-11-30 11:10:40
..... 0x821a1650:wuauclt.exe        1132   1032      8    177 2011-11-30 11:10:54
..... 0x821ea4c0:wscntfy.exe        1988   1032      1     39 2011-11-30 11:10:56
..... 0x81e1cb08:wuauclt.exe        3560   1032      6    118 2011-11-30 11:11:55
.... 0x82100b28:svchost.exe          940    676      9    261 2011-11-30 11:10:40
.... 0x82096748:svchost.exe         1080    676      5 ------ 2011-11-30 11:10:40
.... 0x82225020:vmacthlp.exe         844    676      1     25 2011-11-30 11:10:40
.... 0x81ea1558:spoolsv.exe         1620    676     14    123 2011-11-30 11:10:42
.... 0x82228020:svchost.exe          860    676     19    204 2011-11-30 11:10:40
..... 0x81dfa918:AcroRd32Info.ex    3728    860      7    149 2011-11-30 11:12:28
..... 0x81e23878:wmiprvse.exe        992    860      5    189 2011-11-30 11:10:54
.... 0x8219d578:svchost.exe         1124    676     15    210 2011-11-30 11:10:41
.... 0x81e27da0:vmtoolsd.exe         252    676      6    222 2011-11-30 11:10:51
... 0x820a3aa8:lsass.exe             688    624     24    362 2011-11-30 11:10:40
0x8220ac08:explorer.exe             1512   1460     16    424 2011-11-30 11:10:42
. 0x81e7d020:AdobeARM.exe           1796   1512      8    143 2011-11-30 11:10:43
. 0x81e7a2a0:ctfmon.exe             1804   1512      1     99 2011-11-30 11:10:43
. 0x822149f8:VMwareTray.exe         1752   1512      1     58 2011-11-30 11:10:43
. 0x81dc5958:AcroRd32.exe           3692   1512      4    161 2011-11-30 11:12:27
.. 0x8228c400:rundll32.exe          3968   3692      1     59 2011-11-30 11:14:06
. 0x81e67308:Netlogon.exe           3976   1512      1     14 2011-11-30 11:14:06
. 0x82203da0:VMwareUser.exe         1772   1512      6    211 2011-11-30 11:10:43
0x821fb3d8:svchost.exe               416   1828      4    138 2011-11-30 11:10:53
0x821d7da0:svchost.exe              3708   3632      5    144 2011-11-30 11:12:28
\end{verbatim}
\texttt{volatility -f image1.vmem -{}-profile=WinXPSP2x86 sockscan}
\begin{verbatim}
Offset(P)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x02008008     1080   1033     17 UDP             0.0.0.0         2011-11-30 11:11:07
0x02009250     1368   1027      6 TCP             127.0.0.1       2011-11-30 11:10:56
0x02060460        4    137     17 UDP             192.168.187.130 2011-11-30 11:10:44
0x02062140        4    138     17 UDP             192.168.187.130 2011-11-30 11:10:44
0x0206c258        4    139      6 TCP             192.168.187.130 2011-11-30 11:10:44
0x02105e98      932    135      6 TCP             0.0.0.0         2011-11-30 11:05:07
0x02118c08     1092   1025     17 UDP             0.0.0.0         2011-11-29 13:44:23
0x0235b008     1032    123     17 UDP             192.168.187.130 2011-11-30 11:10:54
0x0235e570        4   1031      6 TCP             0.0.0.0         2011-11-30 11:10:57
0x0236e220        4    445     17 UDP             0.0.0.0         2011-11-30 11:10:37
0x02373338        4      0     47 GRE             0.0.0.0         2011-11-30 11:10:57
0x02385e98      688   4500     17 UDP             0.0.0.0         2011-11-30 11:10:52
0x0238a8e0      688      0    255 Reserved        0.0.0.0         2011-11-30 11:10:52
0x02396548     1032    123     17 UDP             127.0.0.1       2011-11-30 11:10:55
0x023e6e98     1124   1900     17 UDP             127.0.0.1       2011-11-30 11:10:56
0x023f2e98      688    500     17 UDP             0.0.0.0         2011-11-30 11:10:52
0x02408e98     1124   1900     17 UDP             192.168.187.130 2011-11-30 11:10:56
0x024650b0      940    135      6 TCP             0.0.0.0         2011-11-30 11:10:40
0x024a5970        4    445      6 TCP             0.0.0.0         2011-11-30 11:10:37
\end{verbatim}
\subsection{Can you find traces of malware?}
\begin{itemize}
\item \emph{\textbf{rundll32.exe}} (PID 3968, started by AcroRd32.exe according to the process tree above) could hint that the system has been compromised, but no definite proof could be found.
\item \emph{\textbf{AcroRd32Info.ex(e)}} is also known to cause problems at times.
\end{itemize}
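The following Python script is an added example, not part of this report: it makes the reasoning behind the two items above repeatable by parsing Volatility 2 pstree output, flagging loader-type processes spawned by a document reader, and then flagging any other process created within a short window of such a hit (here the Netlogon.exe instance started in the same second as rundll32.exe). The reader and loader name sets and the two-second window are assumptions; a hit is a lead to investigate, not proof of compromise.

```python
"""Flag parent/child and timing anomalies in Volatility 2 pstree output.
Added example (not from the original report); the name baselines and the
two-second window are assumptions chosen for this demonstration."""
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the image1.vmem pstree listing.
PSTREE = """\
0x8220ac08:explorer.exe    1512   1460     16    424 2011-11-30 11:10:42
. 0x81e7d020:AdobeARM.exe  1796   1512      8    143 2011-11-30 11:10:43
. 0x81dc5958:AcroRd32.exe  3692   1512      4    161 2011-11-30 11:12:27
.. 0x8228c400:rundll32.exe 3968   3692      1     59 2011-11-30 11:14:06
. 0x81e67308:Netlogon.exe  3976   1512      1     14 2011-11-30 11:14:06
. 0x82203da0:VMwareUser.exe 1772  1512      6    211 2011-11-30 11:10:43
"""
# depth dots, offset:name, pid, ppid, threads, handles (may be '------'), timestamp
LINE = re.compile(r"^\.*\s*0x[0-9a-f]+:(\S+)\s+(\d+)\s+(\d+)\s+\S+\s+\S+\s+(\S+ \S+)$")
# Assumed baseline: document readers should not spawn loader or shell hosts.
READERS = {"acrord32.exe", "winword.exe", "excel.exe"}
LOADERS = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "powershell.exe"}

def parse(text):
    """Return {pid: (name, ppid, create_time)} from pstree text."""
    procs = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            name, pid, ppid, ts = m.groups()
            procs[int(pid)] = (name, int(ppid), datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return procs

def flag(procs, window=timedelta(seconds=2)):
    """Return sorted (pid, name, reason) tuples for processes worth a closer look."""
    hits = []
    for pid, (name, ppid, _) in procs.items():
        parent = procs.get(ppid, ("<unknown>",))[0]
        if parent.lower() in READERS and name.lower() in LOADERS:
            hits.append((pid, name, f"spawned by document reader {parent}"))
    # Second pass: anything created within `window` of a first-pass hit.
    for fpid, _, _ in list(hits):
        fts = procs[fpid][2]
        for pid, (name, _, ts) in procs.items():
            if pid != fpid and abs(ts - fts) <= window and all(h[0] != pid for h in hits):
                hits.append((pid, name, f"created within {window.seconds}s of pid {fpid}"))
    return sorted(hits)
```

Run against the full pstree listing, `flag(parse(text))` returns the rundll32.exe hit and the Netlogon.exe process created in the same second.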
\newpage\section{Questions image2.vmem (5 points)}
\subsection{What information can you extract about the operating system?}
\texttt{volatility -f image2.vmem imageinfo}
\begin{verbatim}
Suggested Profile(s)     : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
AS Layer1                : IA32PagedMemoryPae (Kernel AS)
AS Layer2                : FileAddressSpace (/home/jan/vmshare/digforRAM/image2.vmem)
Number of Processors     : 1
Image Type (Service Pack): 1
KPCR for CPU 0           : 0x81afd800
KUSER_SHARED_DATA        : 0xffdf0000
Image date and time      : 2011-11-30 14:23:46
Image local date and time: 2011-11-30 15:23:46 +0100
\end{verbatim}
The image is a 32-bit Windows Vista / Server 2008 kernel with Service Pack 1 (the Win2008SP1x86 profile is used below) and one CPU; the dump was taken on 2011-11-30 at 15:23:46 local time (UTC+1).
\subsection{What happened at the time of the RAM dump}
\texttt{volatility -f image2.vmem -{}-profile=Win2008SP1x86 pstree}
\begin{verbatim}
Name                                 Pid   PPid   Thds   Hnds Time
--------------------------------- ------ ------ ------ ------ ----
0x84a802d0:csrss.exe                 460    448     10    518 2011-11-30 14:03:24
0x84b7b020:wininit.exe               500    448      3     99 2011-11-30 14:03:25
. 0x844ba020:lsass.exe               600    500     16    562 2011-11-30 14:03:25
. 0x84bab020:services.exe            584    500      7    233 2011-11-30 14:03:25
.. 0x84ddba50:msdtc.exe             2176    584     14    174 2011-11-30 14:03:49
.. 0x84d851c8:svchost.exe           1032    584     42    786 2011-11-30 14:03:30
... 0x84e252c8:taskeng.exe          1920   1032      7    137 2011-11-30 14:03:41
... 0x84511248:taskeng.exe          2504   1032     15    318 2011-11-30 14:03:59
.. 0x84506188:SearchIndexer.e       2028    584     18    756 2011-11-30 14:03:46
... 0x84291150:SearchProtocolH      3804   2028      6    318 2011-11-30 14:05:05
... 0x842b0758:SearchFilterHos      3828   2028      3     90 2011-11-30 14:05:05
... 0x842b2070:SearchProtocolH      3868   2028      5    283 2011-11-30 14:05:06
.. 0x84e4c688:svchost.exe           1296    584     19    378 2011-11-30 14:03:31
.. 0x84e27ce8:dllhost.exe           1796    584     18    256 2011-11-30 14:03:47
.. 0x84dc0b68:VSSVC.exe             2392    584      5    127 2011-11-30 14:03:55
.. 0x843ead90:VMwareService.e       1316    584      7    226 2011-11-30 14:03:45
.. 0x84cc2158:svchost.exe           1224    584     20    583 2011-11-30 14:03:31
.. 0x84c7bd90:svchost.exe            824    584      7    285 2011-11-30 14:03:30
.. 0x84d1d4a8:dllhost.exe           1356    584     20    195 2011-11-30 14:03:46
.. 0x84d85d90:spoolsv.exe           1488    584     18    311 2011-11-30 14:03:31
.. 0x844a6020:svchost.exe           1016    584     33    455 2011-11-30 14:03:30
... 0x84e92020:dwm.exe              2864   1016      3     63 2011-11-30 14:04:16
.. 0x84d99540:svchost.exe           1108    584      5    122 2011-11-30 14:03:30
.. 0x84488020:svchost.exe            856    584     15    377 2011-11-30 14:03:30
.. 0x84e753f0:svchost.exe           1444    584      4     43 2011-11-30 14:03:46
.. 0x84da2440:svchost.exe            988    584     24    362 2011-11-30 14:03:30
... 0x84d70440:audiodg.exe          1084    988      6    110 2011-11-30 14:03:30
.. 0x84d8da20:svchost.exe           1512    584     31    302 2011-11-30 14:03:31
.. 0x84d94c40:SLsvc.exe             1132    584      5     86 2011-11-30 14:03:30
.. 0x84e41020:svchost.exe            496    584      6    123 2011-11-30 14:03:45
.. 0x84c8f278:svchost.exe            760    584      6    294 2011-11-30 14:03:30
... 0x842c37d0:WmiPrvSE.exe          536    760      7    139 2011-11-30 14:23:39
. 0x84b84020:lsm.exe                 608    500     10    162 2011-11-30 14:03:25
0x84d83a58:explorer.exe             2884   2856     31    633 2011-11-30 14:04:16
. 0x845108f8:cmd.exe                3576   2884      1     18 2011-11-30 14:04:46
.. 0x84287d90:telnet.exe            3968   3576      3     92 2011-11-30 14:05:14
. 0x844d4858:MSASCui.exe            2992   2884     11    314 2011-11-30 14:04:18
. 0x84e0e528:VMwareUser.exe         3008   2884      6    192 2011-11-30 14:04:18
. 0x84d4cd90:sidebar.exe            3076   2884      9    267 2011-11-30 14:04:18
. 0x844c4d90:VMwareTray.exe         3000   2884      1     56 2011-11-30 14:04:18
0x82db0790:System                      4      0    100    501 2011-11-30 14:02:51
. 0x844913f8:smss.exe                396      4      4     28 2011-11-30 14:03:23
0x84e3fb80:csrss.exe                2076   2068      9    237 2011-11-30 14:03:48
0x843765a8:winlogon.exe             2100   2068      4    123 2011-11-30 14:03:48
\end{verbatim}
\texttt{volatility -f image2.vmem -{}-profile=Win2008SP1x86 netscan}
\begin{verbatim}
Offset(P)  Proto  Local Address            Foreign Address      State         Pid Owner          Created
0x1dcd41d8 TCPv4  0.0.0.0:49153            0.0.0.0:0            LISTENING     988 svchost.exe
0x1dd0b100 TCPv4  0.0.0.0:49153            0.0.0.0:0            LISTENING     988 svchost.exe
0x1dd0b100 TCPv6  :::49153                 :::0                 LISTENING     988 svchost.exe
0x1de7de10 TCPv4  0.0.0.0:49154            0.0.0.0:0            LISTENING    1032 svchost.exe
0x1ded9488 TCPv4  0.0.0.0:135              0.0.0.0:0            LISTENING     824 svchost.exe
0x1def6a60 TCPv4  0.0.0.0:445              0.0.0.0:0            LISTENING       4 System
0x1def6a60 TCPv6  :::445                   :::0                 LISTENING       4 System
0x1df3c250 TCPv4  0.0.0.0:49152            0.0.0.0:0            LISTENING     500 wininit.exe
0x1df3c250 TCPv6  :::49152                 :::0                 LISTENING     500 wininit.exe
0x1df46008 TCPv4  0.0.0.0:135              0.0.0.0:0            LISTENING     824 svchost.exe
0x1df46008 TCPv6  :::135                   :::0                 LISTENING     824 svchost.exe
0x1df4d920 TCPv4  0.0.0.0:49154            0.0.0.0:0            LISTENING    1032 svchost.exe
0x1df4d920 TCPv6  :::49154                 :::0                 LISTENING    1032 svchost.exe
0x1df86858 TCPv4  0.0.0.0:49152            0.0.0.0:0            LISTENING     500 wininit.exe
0x1e69b678 TCPv4  0.0.0.0:49155            0.0.0.0:0            LISTENING     600 lsass.exe
0x1e69b678 TCPv6  :::49155                 :::0                 LISTENING     600 lsass.exe
0x1e69bf60 TCPv4  0.0.0.0:49155            0.0.0.0:0            LISTENING     600 lsass.exe
0x1e6bf288 TCPv4  192.168.187.132:139      0.0.0.0:0            LISTENING       4 System
0x1e6fd008 TCPv4  0.0.0.0:49156            0.0.0.0:0            LISTENING     584 services.exe
0x1e6fd008 TCPv6  :::49156                 :::0                 LISTENING     584 services.exe
0x1e98b358 TCPv4  0.0.0.0:49156            0.0.0.0:0            LISTENING     584 services.exe
0x1e711a68 TCPv4  192.168.187.132:49158    94.142.241.111:23    ESTABLISHED  3968 telnet.exe
0x1dc22c08 UDPv4  0.0.0.0:0                *:*                               1032 svchost.exe    2011-11-30 14:03:45
0x1dc22c08 UDPv6  :::0                     *:*                               1032 svchost.exe    2011-11-30 14:03:45
0x1dc463f8 UDPv4  0.0.0.0:500              *:*                               1032 svchost.exe    2011-11-30 14:03:45
0x1dc463f8 UDPv6  :::500                   *:*                               1032 svchost.exe    2011-11-30 14:03:45
0x1dc80008 UDPv4  0.0.0.0:5355             *:*                               1296 svchost.exe    2011-11-30 14:04:10
0x1dc80008 UDPv6  :::5355                  *:*                               1296 svchost.exe    2011-11-30 14:04:10
0x1dd0c4e8 UDPv4  0.0.0.0:500              *:*                               1032 svchost.exe    2011-11-30 14:03:45
0x1dd0c800 UDPv4  0.0.0.0:4500             *:*                               1032 svchost.exe    2011-11-30 14:03:45
0x1de98d60 UDPv4  0.0.0.0:0                *:*                                496 svchost.exe    2011-11-30 14:03:45
0x1df237b0 UDPv4  0.0.0.0:123              *:*                               1224 svchost.exe    2011-11-30 14:04:07
0x1df237b0 UDPv6  :::123                   *:*                               1224 svchost.exe    2011-11-30 14:04:07
0x1df89910 UDPv4  192.168.187.132:137      *:*                                  4 System         2011-11-30 14:03:44
0x1dfb03f0 UDPv4  0.0.0.0:0                *:*                               1032 svchost.exe    2011-11-30 14:03:45
0x1e151008 UDPv4  0.0.0.0:5355             *:*                               1296 svchost.exe    2011-11-30 14:04:10
0x1e607380 UDPv4  0.0.0.0:0                *:*                                496 svchost.exe    2011-11-30 14:03:45
0x1e607380 UDPv6  :::0                     *:*                                496 svchost.exe    2011-11-30 14:03:45
0x1e60f390 UDPv4  192.168.187.132:138      *:*                                  4 System         2011-11-30 14:03:44
0x1e62a008 UDPv4  0.0.0.0:0                *:*                               1224 svchost.exe    2011-11-30 14:03:46
0x1e6c9008 UDPv4  0.0.0.0:123              *:*                               1224 svchost.exe    2011-11-30 14:04:07
0x1e6f2368 UDPv4  0.0.0.0:0                *:*                               1296 svchost.exe    2011-11-30 14:04:10
0x1e6f2368 UDPv6  :::0                     *:*                               1296 svchost.exe    2011-11-30 14:04:10
0x1e96d4b8 UDPv4  0.0.0.0:0                *:*                               1224 svchost.exe    2011-11-30 14:03:46
0x1e96d4b8 UDPv6  :::0                     *:*                               1224 svchost.exe    2011-11-30 14:03:46
\end{verbatim}
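The only established connection in the listing above is the telnet.exe socket to 94.142.241.111:23. The following Python script is an added example, not part of this report: it parses Volatility 2 netscan lines and returns the ESTABLISHED TCP sockets whose remote end is outside private, loopback and link-local space, so that a long listing can be reduced to the connections that left the host. The sample lines are copied from the listing above and the regular expression assumes the column order shown there.

```python
"""Pick out established connections to external hosts in Volatility 2 netscan
output. Added example, not part of the original report; the sample lines are
constructed from the image2.vmem netscan listing above."""
import ipaddress
import re

NETSCAN = """\
0x1def6a60 TCPv4  0.0.0.0:445              0.0.0.0:0            LISTENING       4 System
0x1def6a60 TCPv6  :::445                   :::0                 LISTENING       4 System
0x1e6bf288 TCPv4  192.168.187.132:139      0.0.0.0:0            LISTENING       4 System
0x1e711a68 TCPv4  192.168.187.132:49158    94.142.241.111:23    ESTABLISHED  3968 telnet.exe
0x1df89910 UDPv4  192.168.187.132:137      *:*                                  4 System         2011-11-30 14:03:44
"""

# offset, proto, local, foreign, state, pid, owner (TCP rows only; UDP rows carry no state)
TCP = re.compile(r"^0x[0-9a-f]+\s+TCPv[46]\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\S+)")

def split_endpoint(endpoint):
    """'94.142.241.111:23' -> ('94.142.241.111', 23); also handles ':::445'."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)

def is_external(host):
    """True for a routable address outside private, loopback and link-local ranges."""
    ip = ipaddress.ip_address(host)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified)

def outbound_external(text):
    """Return (pid, owner, remote_host, remote_port) for ESTABLISHED external sockets."""
    hits = []
    for line in text.splitlines():
        m = TCP.match(line.strip())
        if not m:
            continue  # UDP rows and headers do not match
        _local, remote, state, pid, owner = m.groups()
        rhost, rport = split_endpoint(remote)
        if state == "ESTABLISHED" and is_external(rhost):
            hits.append((int(pid), owner, rhost, rport))
    return hits

if __name__ == "__main__":
    for pid, owner, host, port in outbound_external(NETSCAN):
        print(f"pid {pid} ({owner}) -> {host}:{port}")
```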
\subsection{What users are there on the system? Extract the password hashes and passwords.}
\texttt{volatility -f image2.vmem -{}-profile=Win2008SP1x86 hashdump -s 0x94cdb6a8 -y 0x86224008}
\begin{verbatim}
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Vista:1000:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
Bob:1001:aad3b435b51404eeaad3b435b51404ee:878d8014606cda29677a44efa1353fc7:::
Alice:1002:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
Eve:1003:aad3b435b51404eeaad3b435b51404ee:4d55663e41abd66cf17584c9c9f7c86c:::
\end{verbatim}
Six accounts are present: Administrator (RID 500), Guest (501), Vista (1000), Bob (1001), Alice (1002) and Eve (1003).
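The dump above can be checked mechanically for the weaknesses a reviewer looks for first. The following Python script is an added example, not part of this report: it parses the pwdump-style lines and reports accounts whose NT hash is that of the empty string (a blank password), accounts that still have a real LM hash stored, and accounts that share one NT hash. The two constants are the well-known LM and NT hashes of the empty password; the LM value also appears when LM hash storage is disabled, which is the case for every account above.

```python
"""Audit a Volatility hashdump (pwdump format) for blank, reused and LM-stored
passwords. Added example, not from the original report. The two constants are
the well-known LM and NT hashes of the empty string."""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (also used when LM storage is off)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""

# Constructed sample: the hashdump lines from image2.vmem listed above.
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Vista:1000:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
Bob:1001:aad3b435b51404eeaad3b435b51404ee:878d8014606cda29677a44efa1353fc7:::
Alice:1002:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
Eve:1003:aad3b435b51404eeaad3b435b51404ee:4d55663e41abd66cf17584c9c9f7c86c:::
"""

def parse_pwdump(text):
    """Return (user, rid, lm_hash, nt_hash) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        rows.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows

def audit(rows):
    """Group findings by category; each value lists the affected user names."""
    findings = {"blank_password": [], "lm_hash_stored": [], "shared_password": []}
    by_nt = {}
    for user, _rid, lm, nt in rows:
        if nt == EMPTY_NT:
            findings["blank_password"].append(user)
        if lm != EMPTY_LM:
            findings["lm_hash_stored"].append(user)  # LM hashes are trivially crackable
        by_nt.setdefault(nt, []).append(user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:  # blanks are already reported above
            findings["shared_password"].append(users)
    return findings

if __name__ == "__main__":
    for category, users in audit(parse_pwdump(HASHDUMP)).items():
        print(f"{category}: {users or 'none'}")
```

A blank hash for RID 500 must be read together with the account's enabled/disabled state, which hashdump does not show; on Vista the built-in Administrator account is disabled by default.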
\subsection{What ``movie'' was watched by the logged-in user (beware, not a real movie!)?}
\texttt{volatility -f image2.vmem -{}-profile=Win2008SP1x86 cmdscan}
\begin{verbatim}
Volatility Foundation Volatility Framework 2.3.1
**************************************************
CommandProcess: csrss.exe Pid: 2076
CommandHistory: 0xe31160 Application: telnet.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50

Cmd #31 @ 0xe2fa54: ?
Cmd #34 @ 0x76bca0a0: ????????????j???????
Cmd #35 @ 0x755c522e: ??????
Cmd #47 @ 0xe30001: ????
**************************************************
CommandProcess: csrss.exe Pid: 2076
CommandHistory: 0x83c32d8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50

Cmd #0 @ 0xe31050: telnet towel.blinkenlights.nl
\end{verbatim}
\newpage\section{Details}
\subsubsection{image1.vmem}
\textbf{size}: 536870912 bytes\\
\textbf{``file''-output}: data\\
\textbf{sha512}:\\
\texttt{04f0be53b4c7bc0e316759ce69f9f21b6e06911a1b436b13d7764bbad6413a8e}\\
\texttt{aed62520286858fcee4c1af8e92c3791762b45d34ee215cca7da01b20b33d644}
\subsubsection{image2.vmem}
\textbf{size}: 536870912 bytes\\
\textbf{``file''-output}: data\\
\textbf{sha512}:\\
\texttt{68998034f90148e220d8b676826ca1b96777d48a3c6214cf0782f10b1cd3a437}\\
\texttt{71bd0e862c7cc2f13c491189b8c401c017baef32836a8e96f575c3c9b2d6755b}
\subsection{Used tools on Host}
Tools that were used for analysis (-{}-version):
\begin{itemize}
\item Volatility Foundation Volatility Framework 2.3.1
\item sha512sum (GNU coreutils) 8.22
\item ls (GNU coreutils) 8.22
\end{itemize}
\subsection{Machines}
\item \textbf{Host machine}\\
Linux rebx 3.14.0-gentoo-somenet.org \#1 SMP Sun Apr 6 01:00:17 CEST 2014 x86\_64 Intel(R) Core(TM)2 Duo CPU T9300 @ 2.50GHz GenuineIntel GNU/Linux