Lab 6: Memory and Search Tools

When you're done with this lab you will have done the following things:

Compare and search for files using hashing tools
Performed keyword searches through file contents (to find specific words or patterns)
Read about how to capture volatile memory from a live system and search it for keywords.
Analyzed a system memory image to retrieve and analyze various information about the configuration and operation of a running system.

Throughout this entire lab (and this course), this web site assumes you are using the RHIT-supplied image of Windows and that you're working in partners out of the Digital Forensics Workbook (Michael K. Robinson).

Expectations

Details about expectations for your lab book are available in the previous labs.

Keep in mind as you work on this lab that your efforts must be Repeatable and Reproducible.

Document your steps as you do them. At the end of each part (chapter), be sure to update your lab notebook with a short summary or conclusion, then sign and date it.

When you acquire evidence or artifacts, you must document:

What the evidence item is (e.g., usb drive or a file)
Where the evidence came from
How the evidence was acquired

Chapter 8: Hashing

Read chapter 8 and follow the instructions it contains.

You can obtain the File_Hashing_*.zip files (1,2,3) and the *.E01 files from the mirror.

Do activity 8-1

NOTE: You may have to click and browse if dragging doesn't work.

Do the additional exercises in 8-1

2.a. should read "Which pairs of files are exact matches for each other?"

Do activity 8-2

Do the additional exercises in 8-2

Do activity 8-3

Do activity 8-4

Step 2: We've already created a file with the hashes in it for you. Get it from the mirror
Step 12: The "Advanced" button may say "Global Settings" instead.

Do the additional exercises in 8-4

Step 2: We've already created a file with the hashes in it for you. Get it from the mirror

Chapter 16: Grep Searches

Read chapter 16 and follow the instructions it contains.

You can obtain Logfiles.zip from the mirror.

Do activity 16-1

Document any differences in your findings from the book's.

Do the additional exercises a-c in 16-1

Chapter 21: Memory Acquisition and Analysis

Read the intro to chapter 21.

Read activity 21-1

Don't do this activity unless you have a big enough USB drive. Just read through it.

Read activity 21-2

Don't do this activity unless you have a big enough USB drive. Just read through it.

DO activity 21-3

You can obtain memory.img from the mirror. It is called memory.zip. WARNING: it is 1GB, and is a ZIP file that requires decompression.

Step 9 suggests the wrong command. It should read:

volatility-2.4.standalone.exe -f memory.img --profile=Win7SP1x64 pslist

the figure is correct.

Step 15 suggests the wrong command. It should read:

volatility-2.4.standalone.exe -f memory.img --profile=Win7SP1x64 dlllist > text.txt

Step 19 references a flash drive, but we aren't using one. Create a folder called C:\dump and use that:

volatility-2.4.standalone.exe -f memory.img --profile=Win7SP1x64 dlldump --pid=340 --dump-dir C:\dump

Step 21 suggests the wrong command. It should read:

volatility-2.4.standalone.exe -f memory.img --profile=Win7SP1x64 netscan

Skip the additional exercises in 21-3

(Unless you want to do them. The additional downloads are smaller than memory.img and are on the mirror.)

Finishing This Lab

When you're done with this lab, read over your lab notebook and ensure you've properly documented what you've done and with what you've worked.

Submit your lab write-up for grading (to moodle in PDF format) when you are done with the lab.