Lab 6: Memory and Search Tools
When you're done with this lab you will have done the following things:
- Compared and searched for files using hashing tools
- Performed keyword searches through file contents (to find specific words or patterns)
- Read about how to capture volatile memory from a live system and search it for keywords.
- Analyzed a system memory image to retrieve and analyze various information about the configuration and operation of a running system.
Throughout this entire lab (and this course), this web site assumes you are using the RHIT-supplied image of Windows and that you're working with a partner out of the Digital Forensics Workbook (Michael K. Robinson).
Expectations
Keep in mind as you work on this lab that your efforts must be Repeatable and Reproducible.
Document your steps as you do them. At the end of each part (chapter), be sure to update your lab notebook with a short summary or conclusion, then sign and date it.
When you acquire evidence or artifacts, you must document:
- What the evidence item is (e.g., a USB drive or a file)
- Where the evidence came from
- How the evidence was acquired
Chapter 8: Hashing
Read chapter 8 and follow the instructions it contains.
You can obtain the File_Hashing_*.zip files (1, 2, 3) and the *.E01 files from the mirror.
Do activity 8-1
NOTE: You may have to click and browse if dragging doesn't work.
Do the additional exercises in 8-1
2.a. should read "Which pairs of files are exact matches for each other?"
Do activity 8-2
Do the additional exercises in 8-2
Do activity 8-3
Do activity 8-4
Step 2: We've already created a file with the hashes in it for you. Get it from the mirror
Step 12: The "Advanced" button may say "Global Settings" instead.
Do the additional exercises in 8-4
- Step 2: We've already created a file with the hashes in it for you. Get it from the mirror
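As an added example (not from the workbook, the lab, or any tool it names), the script below does by hand what the chapter 8 activities do with hashing tools: it hashes a set of files to find the pairs that are exact matches (additional exercise 2.a) and checks every file against a list of known hashes like the one supplied for 8-4. The sample files, the hash-list format (one hex digest per line, `#` comments allowed) and all function names are assumptions for the example only.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from itertools import combinations

def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so large evidence files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def exact_match_pairs(paths, algorithm="sha256"):
    """Group files by digest; every pair inside a group is byte-for-byte identical."""
    by_digest = defaultdict(list)
    for p in paths:
        by_digest[hash_file(p, algorithm)].append(p)
    pairs = []
    for group in by_digest.values():
        pairs.extend(combinations(sorted(group), 2))
    return sorted(pairs)

def load_hash_set(text):
    """Parse a known-hash list (assumed format: one hex digest per line, '#' comments)."""
    digests = (line.split("#", 1)[0].strip().lower() for line in text.splitlines())
    return {d for d in digests if d}

def match_against_set(paths, known, algorithm="sha256"):
    """Return {path: digest} for files whose digest appears in the known-hash set."""
    digests = {p: hash_file(p, algorithm) for p in paths}
    return {p: d for p, d in digests.items() if d in known}

def demo():
    """Constructed sample files (not the workbook's evidence); returns (pairs, hits)."""
    root = tempfile.mkdtemp()
    files = {"a.txt": b"budget 2014\n", "b.txt": b"budget 2014\n",
             "c.txt": b"Budget 2014\n", "d.bin": bytes(range(256)) * 4}  # c differs by one byte
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    paths = [os.path.join(root, n) for n in sorted(files)]
    known = load_hash_set("# known file\n" + hashlib.sha256(files["d.bin"]).hexdigest() + "\n")
    pairs = [(os.path.basename(x), os.path.basename(y)) for x, y in exact_match_pairs(paths)]
    hits = sorted(os.path.basename(p) for p in match_against_set(paths, known))
    return pairs, hits
```

Note that c.txt differs from a.txt and b.txt by a single byte of case, which is enough to give it a completely different digest: hashing finds exact matches only, not near matches.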
Chapter 16: Grep Searches
Read chapter 16 and follow the instructions it contains.
You can obtain Logfiles.zip from the mirror.
Do activity 16-1
Document any differences in your findings from the book's.
Do the additional exercises a-c in 16-1
Chapter 21: Memory Acquisition and Analysis
Read the intro to chapter 21.
Read activity 21-1
Don't do this activity unless you have a big enough USB drive. Just read through it.
Read activity 21-2
Don't do this activity unless you have a big enough USB drive. Just read through it.
DO activity 21-3
You can obtain memory.img from the mirror. It is called memory.zip. WARNING: it is 1GB, and is a ZIP file that requires decompression.
Step 9 suggests the wrong command. It should read:
volatility-2.4.standalone.exe -f memory.img --profile=Win7SP1x64 pslist
The figure is correct.
Step 15 suggests the wrong command. It should read:
volatility-2.4.standalone.exe -f memory.img --profile=Win7SP1x64 dlllist > text.txt
Step 19 references a flash drive, but we aren't using one. Create a folder called C:\dump and use that:
volatility-2.4.standalone.exe -f memory.img --profile=Win7SP1x64 dlldump --pid=340 --dump-dir C:\dump
Step 21 suggests the wrong command. It should read:
volatility-2.4.standalone.exe -f memory.img --profile=Win7SP1x64 netscan
Skip the additional exercises in 21-3
(Unless you want to do them. The additional downloads are smaller than memory.img and are on the mirror.)
Finishing This Lab
When you're done with this lab, read over your lab notebook and ensure you've properly documented what you've done and with what you've worked.
Submit your lab write-up for grading (to moodle in PDF format) when you are done with the lab.