Cyber Range Lab Assignment Report 12

IST 894 Capstone Experience Cyber Range Lab Assignment Report 12 Page 1 of 9
Table of Contents

1.0 Introduction ........ 3
2.0 General Context ........ 3
3.0 Technical Context ........ 4
4.0 Solution ........ 5
5.0 Activity Log ........ 9
6.0 References ........ 9
1.0 Introduction

In this lab, I will utilize the “Introduction to Forensics” environment within the U.S. Cyber Range. This lab exercise will provide hands-on experience with system memory dumps that can be relevant to forensic investigations, and I will become familiar with the tools and techniques for analyzing memory images.

2.0 General Context

In this lab exercise, I utilized the U.S. Cyber Range, which provides an environment for educators, industry, and others to allow for hands-on cybersecurity training and education to increase the number of skilled cybersecurity experts across all sectors (U.S. Cyber Range, 2020). Inside the lab environment, I used a VM running the SANS SIFT Linux distribution to analyze memory images from a Windows Vista workstation. Once I was successfully logged into the virtual environment, I was set to examine the provided memory image. First, I changed directories to the location of the image file.

I utilized a tool called Volatility, which is open-source software for analyzing RAM in 32- and 64-bit systems. It supports Linux, Windows, Mac, and Android systems, and it is Python-based. Volatility is best used for analyzing raw dumps, crash dumps, VMware dumps, etc. (Digital Forensics, 2018). To utilize Volatility, you must first set a profile to let the application know what operating system the dump came from, which was Windows Vista in this scenario. I first started with the application by browsing through the help menu to get a better understanding of the capabilities of the application and the syntax to run the program. Once I was comfortable with the syntax, I was ready to take a deeper dive into the application and start analyzing the Windows Vista dump. The first command I issued was to let me know the operating system and service pack of the dump. I then ran a command to view the processes that were running at the time of the dump. I was also able to view processes that were previously hidden or terminated because of malware.
Volatility is a powerful tool if used accurately in a forensics investigation. I also ran several commands that let me know the users that were on the Windows Vista workstation, the service pack installed, the process that is listening on a specific port, which users executed a malicious application, where that application originated from, down to the password hashes of the individual users.

3.0 Technical Context

For this lab, I utilized the U.S. Cyber Range to get hands-on training, which provides an environment for educators, industry, and others to allow for hands-on cybersecurity training and education to increase the number of skilled cybersecurity experts across all sectors (U.S. Cyber Range, 2020). Inside the lab environment, I used a virtual machine running the SANS SIFT Linux distribution to analyze memory images from a Windows Vista workstation. Once I was successfully logged into the virtual environment, I was set to examine the provided memory image.

Once I was in the appropriate directory, I utilized Volatility, which is open-source software for analyzing RAM in 32- and 64-bit systems. It supports Linux, Windows, Mac, and Android systems, and it is Python-based. Volatility is best used for analyzing raw dumps, crash dumps, VMware dumps, etc. (Digital Forensics, 2018). To utilize Volatility properly, you must first create a profile to let it know which operating system the dump came from, which was Windows Vista in this lab. The CLI offers a -h option that allows me to view all of the options for running vol.py (Volatility), which was very beneficial for learning the syntax and the various commands to run and when to use them. Analyzing physical memory dumps helps find bugs and viruses, and can be useful for improving system performance and collecting evidence of cybercrimes, all of which were performed throughout this lab (Apriorit, 2020). Once I felt comfortable with the syntax after browsing the help menu, I started to analyze the Windows Vista dump. The first command I issued ended with imageinfo, which provides the operating system and service pack.
Next, I executed the command pslist, which lets you know what processes were actively running at the time of the dump. This was interesting because it sorts the processes by date, with the most recent processes listed at the top. Next, I ran psscan, which also looks at the running processes, but this command shows the hidden or terminated processes that were ended by malware, namely rootkits. Volatility also offers a wide array of other tools to assist with a forensics investigation.
Other commands that I ran were hashdump, which provides a list of usernames and SIDs from the Windows Vista workstation, and netscan, which I ran to let me know which process is listening on port 49155. I also ran the command consoles, which let me know that a malicious application called nc.exe was executed by a particular user and provided the time stamp and directory where the application was executed from. Hashdump was the last command that I executed, which let me know the different password hashes for each individual user on the Windows Vista workstation. Overall, Volatility consists of over 35 plugins that are useful to assist with memory forensics and digital investigations (Opensource, 2016).

4.0 Solution

Initial Setup:

I started the lab by first logging into the “Introduction to Forensics” VM on the US Cyber Range. I used the following credentials to log on.

Username: sansforensics
Password: forensics

Tasks:

I started the lab by first examining the provided memory image. I navigated to the 02_Memory-Image directory by using the command:

cd /home/sansforensics/Desktop/cases/02_Memory-Image

Once I was in the appropriate directory, I ran the command ls -l to confirm that WindowsVista_0401.tar.gz was present. In the next step I learned a bit more about the machine that the image was captured from. I used the command

vol.py -f WindowsVista_0401.vmem imageinfo

to help me examine the kernel debugging data block (KDBG), which tells me the operating system and service pack.
Once the operating system and service pack are known, I wanted to know more about the processes that were running, so I ran the command:

vol.py -f WindowsVista_0401.vmem --profile=VistaSP2x86 pslist

The list of processes is sorted so that running processes are on top, while the recently closed ones are on the bottom. Malware rootkits can manipulate the linked list to hide processes. Typically, this list is not used by the kernel scheduler to change context and execute processes, so once a rootkit unlinks a process from the active process list, that process is hidden. psscan allows you to find processes that were previously terminated or hidden by a rootkit. The command that I used was:

vol.py -f WindowsVista_0401.vmem --profile=VistaSP2x86 psscan
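The cross-check that follows from the pslist/psscan discussion above, as an added example that is not part of the lab report: the script parses Volatility 2-style text output from both plugins and flags PIDs that psscan carved out of memory but that pslist's walk of the linked process list never reached, separating live hidden processes from ordinary terminated residue. The plugin output embedded in it is constructed to mimic the plugins' column layout and is not taken from the WindowsVista_0401.vmem image.

```python
# Added example, not from the lab report: cross-reference Volatility 2 pslist
# and psscan. pslist walks ActiveProcessLinks, so a process a rootkit unlinked
# is absent; psscan carves EPROCESS blocks out of physical memory and still
# finds it. The plugin output below is CONSTRUCTED to mimic the column layout.

PSLIST_OUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84d9d020 System                    4      0     98      478 ------      0 2016-04-01 17:55:12 UTC+0000
0x86c1c8a0 cmd.exe                 532   1880      1       24      1      0 2016-04-01 18:01:44 UTC+0000
"""

PSSCAN_OUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000003de4020 System                4      0 0x00122000 2016-04-01 17:55:12 UTC+0000
0x000000001c1c08a0 cmd.exe             532   1880 0x1f3c0480 2016-04-01 18:01:44 UTC+0000
0x000000001e40ad40 notepad.exe        1712   1880 0x1f3c0520 2016-04-01 18:05:10 UTC+0000   2016-04-01 18:06:02 UTC+0000
0x000000001f0c2d40 hidden.exe         2840   1880 0x1f3c0600 2016-04-01 18:02:31 UTC+0000
"""

def parse_plugin(output, exit_from):
    """PID -> {name, ppid, exited}. Rows are whitespace-split (image names with
    spaces are not handled); a timestamp is three tokens, so a row with at
    least `exit_from` tokens also carries an exit timestamp."""
    procs = {}
    for line in output.splitlines()[2:]:      # skip header and dash rows
        cols = line.split()
        if len(cols) >= 4:
            procs[int(cols[2])] = {"name": cols[1], "ppid": int(cols[3]),
                                   "exited": len(cols) >= exit_from}
    return procs

def classify(pslist_out, psscan_out):
    """Label each psscan hit: listed, terminated (normal residue) or hidden."""
    listed = parse_plugin(pslist_out, exit_from=12)   # 8 fields + start + exit
    scanned = parse_plugin(psscan_out, exit_from=9)   # 5 fields + created + exited
    report = {}
    for pid, proc in scanned.items():
        if pid in listed:
            state = "listed"
        elif proc["exited"]:
            state = "terminated"
        else:
            state = "hidden"    # alive in memory yet missing from the linked list
        report[pid] = (proc["name"], proc["ppid"], state)
    return report

def hidden_pids(pslist_out, psscan_out):
    return sorted(p for p, v in classify(pslist_out, psscan_out).items() if v[2] == "hidden")
```

On real output, feed the two plugins' saved text files to classify(); a "terminated" entry is expected after a process exits, while a "hidden" one is what psscan exists to surface.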
I used the hashdump command to see the users on the Windows Vista machine. Administrator, Guest, Jane Smith, and Tom Jones were the users on the workstation. I used the following command to extract this information:

vol.py -f WindowsVista_0401.vmem --profile=VistaSP2x86 hashdump

The service pack installed on the Windows Vista workstation is Service Pack 2. I ran the command vol.py -f WindowsVista_0401.vmem imageinfo to get that information. Port 49155 is listening for service lsass.exe. I used the netscan command to obtain this information.
NC.exe was edited in Cmd #8 below by PID 532. NC.exe was executed by Jane Smith on 4/1/2016 at 2:02 PM from the C:\Users\Jane Smith\Desktop\netcat-1.11 directory. I used the consoles command to extract this information. The command hashdump provides all the hashes for the users associated with the machine.
5.0 Activity Log

5.1 - Member Log

Member Name     Task Date     Task Details
Eric Braxton    11/25/2021    Completed all lab steps and lab report.

6.0 References

https://resources.infosecinstitute.com/topic/memory-forensics-and-analysis-using-volatility/
https://www.opensourceforu.com/2016/10/volatility/
https://www.apriorit.com/dev-blog/662-cybersecurity-using-volatility-framework-for-analyzing-physical-memory-dumps
U.S. Cyber Range (2020). About the U.S. Cyber Range. Retrieved on 14 October 2021 from https://www.uscyberrange.org/about