Part 1 | Part 3 | Part 4 | Part 5
Analysis
See Appendix C for details regarding the creation of
Preservation and Working copies. The Working Copy was used for all analysis.
Prior to reinstalling the machine it was powered on so that
a visual can be had of the environment. At this point, nothing stood out or
“popped” up on the screen. With the exception of logging in and executing the
“dumpit.exe” memory acquisition tool, no other interaction was done with the
system. The “dumpit.exe” tool was used to write the contents of memory to a USB
drive. The next step was to create a “.zip” file of the acquired memory image,
using “WinRar”. Upon completion, the “fciv.exe” tool was used to obtain a MD5 hash
of the acquired image. This hash was stored in a text file on the USB drive.
The acquired memory image was then transferred to the
analysis machine. After the file was copied, “md5sum” was performed on the
image. The computed hash matched that of the original.
Figure 1:shows hash being verified and the file
extracted with unrarVolatility
Identifying the image
While it was mentioned that the system was running Windows 7
and because not much interaction was performed with the system, the first step
was to verify the memory image to obtain information about the operating system
(OS). By executing the command “vol.py
--filename=./ALYSSA-PC-20150905-001215.raw --verbose imageinfo
--kdbg=0xf6fc0001a0f0 --dbt=0x187000 --profile=Win7SP1x64” the examiner was
able to determine that the system was running 64 bit Windows 7 Service Pack 1.
Figure 2: Above shows the operating system as
Windows 7 Service Pack 1
Verifying Install Date
Because of her concern that the system is slow, the decision was taken to determine the date the computer OS was installed. To achieve this, the command “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 printkey --hive-offset=0xfffff8a0008d2410 --key="Microsoft\Windows NT\CurrentVersion" > install-date.txt” was executed. Next the command “cat install-date.txt” was executed. The date had a value of “1315321263”.
Figure 3:Above shows the highlighted time in epoch.
When the value was converted using epochconverter.com it
reported an install date of “Tue, 06 Sep 2011 15:01:03 GMT”.
Figure 4:Time converted from epoch to human readable
Identifying Network Connections
As no manual effort was made to establish Internet activity,
the first step was to look at the list of network connections using the command
“vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose
--kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 netscan >
netscan-results.txt”. Next the command “cat netscan-results.txt” was executed.
From the results the items of interest were
0x13301fcf0
TCPv4 -:49501 209.148.192.43:80 CLOSED 1324 svchost.exe
0x133ac8010
TCPv4 -:0 168.211.9.8:0 CLOSED 1 ?8A????
0x134ee5010
TCPv4 192.168.0.38:49498 208.111.170.136:80 ESTABLISHED 1056
svchost.exe
0x13749dc00
TCPv4 -:49502 108.162.232.204:80 CLOSED 1956 avp.exe
These IPs were considered interesting because they were
associated with externals resources. While the first two addresses were not
seen within the Virus Total database, the third and fourth were known to Virus
total and had a number of malicious URLs associated with them.
Other posts in this series
Volatility Memory Forensics - Investigation a potential virus situation - Part1
Volatility Memory Forensics - Investigation a potential virus situation - Part2
Volatility Memory Forensics - Investigation a potential virus situation - Part3
Volatility Memory Forensics - Investigation a potential virus situation - Part4
Volatility Memory Forensics - Investigation a potential virus situation - Part5
No comments:
Post a Comment