LAB9_Digital Forensics Technology and Practices_WORKSHEET2 Kwadwo Antwi

School: University of Maryland, University College
Course: 640
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 16

Name: XXXXX    Semester: Summer    Year: 2023    Section Number: 7621

Lab 9 Worksheet
Digital Forensics Technology and Practices

Table of Contents

Introduction
Screenshot 1 – Ping of YOURNAME
Screenshot 2 – Yourname-IR Volume Label for the D: Drive
Screenshot 3 – Yourname as the Incident Responder
Screenshot 4 – Yourname as the Incident Responder with Date and Time
Screenshot 5 – Psinfo Command Displaying Yourname
Screenshot 6 – System Information Displaying Yourname
Screenshot 7 – The MD5 and SHA1 hashes of your MYIRTEXT.TXT file
Screenshot 8 – Creating a Yourname RAM Dump File
Screenshot 9 – Using Dir to Display Yourname RAM Dump File
Screenshot 10 – The MD5 and SHA1 hashes of yourname RAM Dump file
Conclusion
APA References
Introduction

Students: In the box below, please explain the purpose of doing this lab and explain how it is relevant to Computer Forensics.

The goal of Lab 9 was to perform memory forensics: use tools to examine volatile data artifacts such as network connections and active processes, parse a RAM snapshot to identify artifacts, and use hashing to confirm data integrity. psinfo, volatility, pslist, and tcpvcon are among the commands used in this lab. Memory forensics is essential in computer forensics because it ensures that pertinent volatile data is captured before it is lost. Volatile data includes cache, RAM, and system files; it is often stored only for a brief period while a computer is operating and would be lost if the device were shut off (Raap, 2020). Memory forensics is when an investigator captures the running memory of a device and then analyzes the output data to identify malicious software (Fox, 2021). When conducting memory forensics, it is important to understand that it differs from hard disk forensics: the investigation focuses on processes that were running when the memory dump was captured, information that would be lost with just a one-for-one copy of the disk (Fox, 2021). There are various ways an investigator can obtain memory for forensics, including RAW format, a crash dump, hibernation files, page files, and a VMware snapshot (Messina, 2019). The command-line tools used in Lab 9 give incident responders knowledge about the services active on the device. Investigators can quickly determine the active processes on the device using the pslist command ("First Steps to Volatile Memory Analysis", 2019). The Volatility tool is one of the best resources to use while conducting memory forensics. Volatility enables incident responders to evaluate RAM on both 32-bit and 64-bit systems (Balapure, 2018).

Volatility is compatible with a wide range of systems, including Linux, Windows, Mac, and Android (Balapure, 2018). A variety of commands may be used with Volatility to carry out various tasks, including inspecting active processes, locating kernel specifications, finding dormant or hidden processes, and viewing DLL dumps (Balapure, 2018). Memory forensics is crucial because essential artifacts that would not be present in a hard disk image might be found in memory, and certain malware is engineered to leave no traces on the hard drive.
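The collection the introduction describes (pslist for active processes, tcpvcon for network connections) produces a text file that still has to be read. As an added example that is not part of the worksheet, the Python script below parses a constructed, simplified IR text file, joins connections to processes by PID, and reports which processes own sockets, including connections whose PID is missing from the process table because the two snapshots were taken moments apart. The sample text, its column layout, and every name and address in it are assumptions made for this example, not real tool output.

```python
"""Triage of the volatile data collected into the Lab 9 IR text file.

Added example (not from the worksheet): parse a constructed IR text file
containing a pslist-style process table and tcpvcon-style connection
lines, join them by PID, and report which processes own sockets.
"""
import re

# Constructed sample.  The column layout only loosely follows the real
# Sysinternals output; treat the format, names and addresses as assumptions.
SAMPLE_IR_TEXT = """\
Incident Responder: Kwadwo
Date: 2023-07-01 12:00:00

Process information for KWADWO:
Name                Pid Pri Thd  Hnd
System                4   8 120  900
svchost.exe         812   8  40  600
notepad.exe        2204   8   3  150
updater.exe        3120   8   6  220

TCP,System,4,LISTENING,0.0.0.0:445,0.0.0.0:0
TCP,svchost.exe,812,LISTENING,0.0.0.0:135,0.0.0.0:0
TCP,updater.exe,3120,ESTABLISHED,10.0.0.5:49712,203.0.113.9:443
UDP,svchost.exe,812,,0.0.0.0:123,*:*
TCP,unknown,4512,ESTABLISHED,10.0.0.5:49800,198.51.100.20:443
"""

# A process row: name, pid, then three more numeric columns.
PROC_RE = re.compile(r"^(?P<name>\S+)\s+(?P<pid>\d+)(?:\s+\d+){3}\s*$")
# A connection row: proto,process,pid,state,local,remote (state empty for UDP).
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP),(?P<name>[^,]*),(?P<pid>\d+),(?P<state>[^,]*),"
    r"(?P<local>[^,]+),(?P<remote>[^,]+)$"
)


def parse_ir_text(text):
    """Return ({pid: process name}, [connection dicts]) from the IR text."""
    processes, connections = {}, []
    for line in text.splitlines():
        conn = CONN_RE.match(line)
        if conn:
            record = conn.groupdict()
            record["pid"] = int(record["pid"])
            connections.append(record)
            continue
        proc = PROC_RE.match(line)
        if proc:
            processes[int(proc["pid"])] = proc["name"]
    return processes, connections


def network_activity(processes, connections):
    """Map pid -> sockets owned, for every process that has at least one."""
    report = {}
    for c in connections:
        entry = report.setdefault(
            c["pid"],
            {"name": processes.get(c["pid"], c["name"]),
             "listening": [], "established": []},
        )
        if c["state"] == "ESTABLISHED":
            entry["established"].append(
                f'{c["proto"]} {c["local"]} -> {c["remote"]}')
        elif c["state"] == "LISTENING" or c["proto"] == "UDP":
            entry["listening"].append(f'{c["proto"]} {c["local"]}')
    return report


def outbound_processes(report):
    """PIDs holding established connections: the short list to review first."""
    return sorted(pid for pid, e in report.items() if e["established"])


def orphan_connections(processes, connections):
    """Connections whose PID is absent from the process table.  The two
    snapshots are taken moments apart, so a process may have exited (or
    started) in between; such rows deserve a note rather than silence."""
    return [c for c in connections if c["pid"] not in processes]


if __name__ == "__main__":
    procs, conns = parse_ir_text(SAMPLE_IR_TEXT)
    report = network_activity(procs, conns)
    for pid, e in sorted(report.items()):
        print(pid, e["name"], "listening:", e["listening"],
              "established:", e["established"])
    print("review first:", outbound_processes(report))
    print("orphans:", [c["pid"] for c in orphan_connections(procs, conns)])
```

The join by PID is the point: a process table alone says what was running, a connection list alone says what was talking, and only the two together show which running program owned which socket at the moment of capture.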
Screenshot 1 – Ping of YOURNAME

1. Ping yourname, where yourname is your first name. Take a screenshot of the ping, which uses the IPv6 loopback address of ::1. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of the Ping of yourname (IPv6 loopback)

Image 1: Screenshot of the Ping of my name (IPv6 loopback)

Screenshot 2 – Yourname-IR Volume Label for the D: Drive

2. Label the D: drive Yourname-IR, where yourname is your first name. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of the D: Drive labeled with Yourname-IR

Image 2: Screenshot of the D: Drive labeled with Kwadwo-IR

Screenshot 3 – Yourname as the Incident Responder

3. Add your name to the Incident Response text file. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of yourname as the Incident Responder

Image 3: Screenshot of my name as the Incident Responder
Screenshot 4 – Yourname as the Incident Responder with Date and Time

4. In addition to your name, add the date and time to the Incident Response text file. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of yourname as the Incident Responder with the Date and Time

Image 4: Screenshot of my name as the Incident Responder with the Date and Time

Screenshot 5 – Psinfo Command Displaying Yourname

5. Redirect the psinfo command to the incident response text file. Your name from the computer name will be displayed. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of using the psinfo command showing your name for the Computer Name

Image 5: Screenshot of using the psinfo command showing my name for the Computer Name

Screenshot 6 – System Information Displaying Yourname

6. The System Information in the incident response text file will display your name from the computer name. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of System Information in the incident response text file displaying your name
Screenshot 7 – The MD5 and SHA1 hashes of your MYIRTEXT.TXT file

7. Take a screenshot of the yourname.txt file hashed with sigcheck. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit. It is mathematically possible that you and another student could have the same MD5 hash for your IR text file. But the chance of that is 1 in 340,282,366,920,938,463,463,374,607,431,768,211,456. For that reason, the hash should be unique or there may be an academic integrity review by your professor.

Take a screenshot of the MYIRTEXT.TXT file hashed with sigcheck

Image 7: Screenshot of the MYIRTEXT.TXT file hashed with sigcheck

Screenshot 8 – Creating a Yourname RAM Dump File

8. Use DumpIt to create a RAM dump. The RAM dump will have yourname in it from the computer name. It will also have today’s date and time, which should match the timeframe of this course. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of using DumpIt to create the RAM Dump with Your Name in it

Image 8: Screenshot of using DumpIt to create the RAM Dump with Your Name in it

Screenshot 9 – Using Dir to Display Yourname RAM Dump File

9. The RAM dump will have yourname in it from the computer name. It will also have today’s date and time, which should match the timeframe of this course. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of using the DIR command to display the Yourname RAM DUMP File

Image 9: Screenshot of using the DIR command to display my name RAM DUMP File
Screenshot 10 – The MD5 and SHA1 hashes of yourname RAM Dump file

10. Take a screenshot of the yourname RAM Dump file hashed with sigcheck. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit. It is mathematically possible that you and another student could have the same MD5 hash for your IR text file. But the chance of that is 1 in 340,282,366,920,938,463,463,374,607,431,768,211,456. For that reason, the hash should be unique or there may be an academic integrity review by your professor.

Take a screenshot of the Yourname RAM Dump file hashed with sigcheck

Image 10: Screenshot of my name RAM Dump file hashed with sigcheck
Conclusion

In Lab 9, we investigated the target device's memory using a variety of command-line tools. If the volatile data is collected and exported to a text file, no important information will be lost if and when the machine is turned off or disconnected from the network. Using the PATH command, we first determined the path where the OS searches for executable files. Then we set the path to our trusted tool drive in Program Files. Next, we used the copy command to transfer the trusted files to the D: drive. After that, we used the echo command to add our incident responder name to the incident responder file, and we updated that text file with the date and time, network connection information, process list information, and computer information. We used the type command to view the information after it had been written to the text file, which included the kernel version, product version, kernel build, processors, processing speed, and processor type. After confirming the data in the file, we used the sigcheck command to hash the incident responder text file. After the file was hashed, a RAM dump of the target device was performed using the DumpIt command. To further confirm the integrity of the data, we also used the sigcheck command on the RAM capture. Finally, we extracted data from the RAM capture using the standalone Volatility Framework. To obtain a thorough image of the target device and to ensure that as much data as possible is gathered to identify malicious activity, it is essential to understand the techniques used in memory forensics.
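Steps 7 and 10, and the conclusion, hash the IR text file and the RAM dump with sigcheck so the evidence can later be shown to be unchanged. The Python below, added here and not part of the worksheet, reproduces that integrity check end to end: it streams MD5 and SHA-1 over each file (the two digests the steps ask for), records them with the responder name and a UTC timestamp in a manifest, and re-verifies the files so that a post-collection change is detected. The file names, the DumpIt-style dump name, the manifest layout and the sample contents are constructed assumptions; md5_keyspace() returns the count of possible 128-bit digests, which is the denominator behind the worksheet's "1 in 340,282,366,…" figure.

```python
"""Evidence integrity manifest for the Lab 9 artefacts.

Added example (not from the worksheet): hash the IR text file and the RAM
dump with MD5 and SHA-1, record the digests in a manifest, and re-verify
them later so that any change to the evidence is detected.  File names,
the DumpIt-style dump name and all contents are constructed assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB: a RAM image is hashed without loading it whole


def hash_bytes(data):
    """MD5 and SHA-1 of an in-memory byte string (same shape as hash_file)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def hash_file(path):
    """Stream a file through MD5 and SHA-1; return {'md5': ..., 'sha1': ...}."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def write_manifest(paths, responder, manifest_path):
    """Record who collected the evidence, when (UTC), and each file's size
    and digests.  The manifest layout is an assumption for this example."""
    manifest = {
        "responder": responder,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": {os.path.basename(p): {"size": os.path.getsize(p), **hash_file(p)}
                  for p in paths},
    }
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(manifest_path, directory):
    """Re-hash every file named in the manifest; return {name: True/False}.
    A missing file, or a mismatch in either digest, counts as a failure."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    results = {}
    for name, recorded in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = False
            continue
        current = hash_file(path)
        results[name] = (current["md5"] == recorded["md5"]
                         and current["sha1"] == recorded["sha1"])
    return results


def md5_keyspace():
    """Number of distinct 128-bit MD5 digests: the denominator behind the
    worksheet's '1 in 340,282,366,...' figure for two files colliding."""
    return 2 ** 128


def demo():
    """Full cycle on constructed files: returns (before, after) verification
    results, where 'after' follows a simulated edit of the IR text file."""
    work = tempfile.mkdtemp()
    ir_txt = os.path.join(work, "MYIRTEXT.TXT")
    ram_dump = os.path.join(work, "KWADWO-20230701-120000.raw")  # assumed name
    with open(ir_txt, "w") as fh:
        fh.write("Incident Responder: Kwadwo\nDate: 2023-07-01 12:00:00\n")
    with open(ram_dump, "wb") as fh:
        fh.write(bytes(range(256)) * 4096)  # 1 MiB stand-in for a RAM image
    manifest = os.path.join(work, "manifest.json")
    write_manifest([ir_txt, ram_dump], "Kwadwo", manifest)
    before = verify_manifest(manifest, work)
    with open(ir_txt, "a") as fh:  # simulate a post-collection change
        fh.write("Incident Responder: Someone Else\n")
    after = verify_manifest(manifest, work)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Recording both digests and requiring both to match on verification mirrors what the sigcheck screenshots capture; the manifest also carries the responder name and collection time that steps 3 and 4 put into the IR text file, so the who and when travel with the hashes.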
APA References

Balapure, A. (2018). Memory forensics and analysis using volatility - Infosec Resources. Infosec Resources. Retrieved September 11, 2023, from https://resources.infosecinstitute.com/topic/memory-forensics-and-analysis-using-volatility

First steps to volatile memory analysis. Medium. (2019). Retrieved September 11, 2023, from https://medium.com/@zemelusa/first-steps-to-volatile-memory-analysis-dcbd4d2d56a1

Fox, N. (2021). Memory Forensics for Incident Response. Varonis.com. Retrieved September 11, 2023, from https://www.varonis.com/blog/memory-forensics

Messina, G. (2019). Computer Forensics: Memory Forensics - Infosec Resources. Infosec Resources. Retrieved September 11, 2023, from https://resources.infosecinstitute.com/topic/computer-forensics-memory-forensics/

Raap, R. (2020). How to Identify Potentially Volatile Data Using Memory Forensics | By Regina Raap. eForensics. Retrieved September 11, 2023, from https://eforensicsmag.com/how-to-identify-potentially-volatile-data-using-memory-forensics-by-regina-raap/