Part 1 | Part 3 | Part 4 | Part 5
See Appendix C for details regarding the creation of Preservation and Working copies. The Working Copy was used for all analysis.
Prior to reinstalling the machine it was powered on so that a visual can be had of the environment. At this point, nothing stood out or “popped” up on the screen. With the exception of logging in and executing the “dumpit.exe” memory acquisition tool, no other interaction was done with the system. The “dumpit.exe” tool was used to write the contents of memory to a USB drive. The next step was to create a “.zip” file of the acquired memory image, using “WinRar”. Upon completion, the “fciv.exe” tool was used to obtain a MD5 hash of the acquired image. This hash was stored in a text file on the USB drive.
The acquired memory image was then transferred to the analysis machine. After the file was copied, “md5sum” was performed on the image. The computed hash matched that of the original.
Figure 1:shows hash being verified and the file extracted with unrar
Identifying the image
While it was mentioned that the system was running Windows 7 and because not much interaction was performed with the system, the first step was to verify the memory image to obtain information about the operating system (OS). By executing the command “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose imageinfo --kdbg=0xf6fc0001a0f0 --dbt=0x187000 --profile=Win7SP1x64” the examiner was able to determine that the system was running 64 bit Windows 7 Service Pack 1.
Figure 2: Above shows the operating system as Windows 7 Service Pack 1
Verifying Install Date
Because of her concern that the system is slow, the decision was taken to determine the date the computer OS was installed. To achieve this, the command “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 printkey --hive-offset=0xfffff8a0008d2410 --key="Microsoft\Windows NT\CurrentVersion" > install-date.txt” was executed. Next the command “cat install-date.txt” was executed. The date had a value of “1315321263”.
Figure 3:Above shows the highlighted time in epoch.
When the value was converted using epochconverter.com it reported an install date of “Tue, 06 Sep 2011 15:01:03 GMT”.
Figure 4:Time converted from epoch to human readable
Identifying Network Connections
As no manual effort was made to establish Internet activity, the first step was to look at the list of network connections using the command “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 netscan > netscan-results.txt”. Next the command “cat netscan-results.txt” was executed.
From the results the items of interest were
0x13301fcf0 TCPv4 -:49501 18.104.22.168:80 CLOSED 1324 svchost.exe
0x133ac8010 TCPv4 -:0 22.214.171.124:0 CLOSED 1 ?8A????
0x134ee5010 TCPv4 192.168.0.38:49498 126.96.36.199:80 ESTABLISHED 1056 svchost.exe
0x13749dc00 TCPv4 -:49502 188.8.131.52:80 CLOSED 1956 avp.exe
These IPs were considered interesting because they were associated with externals resources. While the first two addresses were not seen within the Virus Total database, the third and fourth were known to Virus total and had a number of malicious URLs associated with them.
Other posts in this series
Volatility Memory Forensics - Investigation a potential virus situation - Part1
Volatility Memory Forensics - Investigation a potential virus situation - Part2
Volatility Memory Forensics - Investigation a potential virus situation - Part3
Volatility Memory Forensics - Investigation a potential virus situation - Part4
Volatility Memory Forensics - Investigation a potential virus situation - Part5