Cyber forensics

Capturing_Dynamic_Evidence

last edited by Patrick 2 weeks, 3 days ago

RAM and Swap Capture

For your work on the last two assignments, Ms. Wilde has promoted you to the rank of Chief Digital Evidence Examiner at Palindrome. Shortly after, a phone call from the county Sheriff’s office was transferred to you. The deputy explains that earlier a suspected pipe bomb exploded in an aviation facility and a person was detained while attempting to flee the scene. Deputies are currently at the suspect’s house and believe there is evidence related to the investigation on the suspect’s computer, which is currently powered on; the deputy is afraid that powering off the computer first could lose some of that evidence.

You meet the deputy at the door along with their in-house computer examiner, who asks you to copy the volatile evidence so they can shut down the computer and make a forensic duplicate of the drive for analysis later. The computer is a Dell running XP with 512MB of RAM installed (I know what you’re thinking, but don’t laugh too much: it was an easy way to provide you with a full, working VM that wasn’t absurdly large to download!). Using your trusty USB thumb drive with FTK Imager installed, you make your copy to analyze, and as you’re leaving you overhear the suspect yell at the deputy, “I’m not lying! I’ve never heard of the Unabomber!” You’ve been tasked with finding any evidence which may cast doubt on the suspect’s statement.

Deliverables

A non-technical management summary that explains what you were asked to do, what you did, and your findings.

A technical summary that explains the tools and procedures you used and what you recovered.

Be specific about the procedures (numbered: step 1, step 2, step 3, etc.).

Your results section should have the evidence you recovered, along with descriptions of the evidence.

A conclusion section that explains how (if?) you were able to prove the suspect was lying.

Software

You can choose either option:

  1. Download FTK Imager 3.2.0 and follow the accompanying directions.
  2. Original FTK Imager Lite 3.1.1: the original version of Lite, which extracts directly to a USB drive.

Important!

USB 3.0 devices will not work inside this XP VM. If you’re having trouble getting the VM to recognize you have a flash drive attached, make sure you’re not using a USB 3.0 drive.

Setup

Have FTK Imager installed and ready to go on a USB (Not 3.0) flash drive. You won’t install Imager in the virtual machine; doing so would change evidence and you wouldn’t have the time before valuable volatile information was lost.

  • Note that I said FTK Imager and NOT FTK; we will not need or be using the full version of FTK

Download the compressed VM and unzip it. Inside the extracted Windows XP RAM Capture directory is a file which ends in .vmdk: adding/opening that in Workstation, or just double-clicking it, will start the VM. Don’t do that until you’re ready! The VM is in a suspended state and will begin running from where it was paused, meaning the contents of RAM will begin to change from that point.

  • Download and install strings (e.g. Sysinternals Strings) and PhotoRec if you’re doing the analysis in Windows; otherwise you can use ‘strings’ in Linux and PhotoRec (on Debian/Ubuntu it ships in the testdisk package: sudo apt install testdisk)

Procedure

  • Remember that as the VM is running, the content of RAM and the swap file is changing. I suggest doing this procedure more than once: run through it first to get the steps down, then delete the extracted VM folder, extract a fresh copy, and start over for the assignment.

Use FTK Imager to dump the RAM and the swap.

  • Make sure the location being saved to is your flash drive and not the virtual machine.

Run strings on the RAM dump and swap file. Windows keeps much of its text (file names, window titles, document contents in GUI buffers) as UTF-16LE, which GNU strings does not report by default; run it a second time with -e l (strings -a -e l dump.mem) so those strings are not missed. Sysinternals Strings scans both ASCII and Unicode by default.

Use a text editor to search for any evidence that may indicate the suspect is lying.

  • Hint: Use Google before you run the search to do a little preliminary investigation on what keywords may be useful
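The strings-and-search step above, as an added example that is not part of the original assignment: it pulls both ASCII and UTF-16LE strings out of a raw dump and searches them case-insensitively for keywords, keeping the byte offset and encoding of each hit so the report can say exactly where (and in which encoding) a string was found. The sample dump, the search URL and the file path inside it are constructed for the example; the keyword is only the one the scenario itself names.

```python
"""Extract ASCII and UTF-16LE strings from a raw RAM/swap dump and search
them for keywords, keeping the byte offset and encoding of every hit."""
import mmap
import re
import sys

# Constructed sample dump (stand-in for the FTK Imager output). The same
# evidence appears twice: once as plain ASCII, the way a URL sits in a
# network buffer, and once as UTF-16LE, which is how Windows keeps file
# names and most GUI text in memory. The path is hypothetical.
SAMPLE_DUMP = (
    bytes(range(256)) * 4                                   # binary noise
    + b"search?q=unabomber+manifesto"                       # ASCII hit
    + bytes(range(256))
    + "C:\\Documents and Settings\\user\\My Documents\\unabomber.txt".encode("utf-16le")
    + bytes(range(256))
)


def extract_strings(data, min_len=8):
    """Yield (offset, encoding, text) for every printable run of at least
    min_len characters, like `strings -a` followed by `strings -a -e l`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def search_dump(data, keywords, min_len=8):
    """Return every extracted string containing any keyword (case-insensitive),
    sorted by offset so RAM and swap hits can be cited by location."""
    pats = [re.compile(re.escape(k), re.IGNORECASE) for k in keywords]
    hits = [
        {"offset": off, "encoding": enc, "text": text}
        for off, enc, text in extract_strings(data, min_len)
        if any(p.search(text) for p in pats)
    ]
    return sorted(hits, key=lambda h: h["offset"])


def search_file(path, keywords):
    """Search a dump on disk; mmap keeps a multi-hundred-MB pagefile off the heap."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return search_dump(m, keywords)


if __name__ == "__main__":
    # usage: python strings_search.py <dump> <keyword> [<keyword> ...]
    if len(sys.argv) > 2:
        hits = search_file(sys.argv[1], sys.argv[2:])
    else:
        hits = search_dump(SAMPLE_DUMP, ["unabomber"])
    for h in hits:
        print(f"0x{h['offset']:08x} {h['encoding']:8s} {h['text']}")
```

Running it against the sample shows why the second encoding matters: a default `strings` pass would report only the URL, and the document path that ties the suspect to a file on disk would be missed entirely. Record the offset and the evidence file (RAM dump or pagefile) with each hit; that is what the "note the origin" items below are asking for.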

We’ll probably be on some watch list after this so don’t forget to occasionally say hello to our new government surveillant

  • Just type something out now and again. Don’t worry, they’ll see!

Recover any lengthy text which would be useful in proving the suspect is lying.

Include a few paragraphs of the text document in your report in an appendix.

Note whether you were able to recover the entire content of the document(s) by finding the original document and comparing.

Taking a hash will not work in this situation: text recovered from RAM or swap is a fragment with different surrounding bytes, so its hash will never match the original file’s; you’ll have to visually compare.

Note the origin of the recovered text – RAM or Swap

Recover any graphics files in RAM and swap.

Include these files, along with hashes of each file, in your report.

  • Note the source – RAM or Swap – of where the recovered files came from.

Include a few examples of web searches the suspect performed.

  • Note which search may have led to the recovered text.
  • Note the source as well – RAM or Swap.
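The graphics-recovery step above, as an added example that is not the assignment’s own tooling and not PhotoRec: a minimal header/footer carver for JPEG and PNG that hashes every carve and tags it with its source (RAM or swap) and byte offset, which is exactly the bookkeeping the report asks for. It also handles the case PhotoRec reports as a partial file: a header whose footer was never in the dump. The three "images" and the dump are constructed byte strings, not real pictures.

```python
"""Carve JPEG and PNG files out of a raw RAM/swap dump by header/footer
signature, hash each carve and record its source and offset."""
import hashlib
import os
import sys

# Magic bytes a PhotoRec-style carver keys on: (header, footer).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed sample: a complete JPEG, a complete PNG and a JPEG whose tail
# was never paged in (no EOI marker), separated by filler. Not real images.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x02" * 17
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
SAMPLE_PARTIAL_JPEG = b"\xff\xd8\xff\xe1" + b"\x03" * 30
SAMPLE_DUMP = (b"\x00" * 64 + SAMPLE_JPEG + b"\x55" * 64 + SAMPLE_PNG
               + b"\x00" * 64 + SAMPLE_PARTIAL_JPEG)


def carve_images(data, source, max_size=8 * 1024 * 1024):
    """Return one record per carve: source, offset, type, completeness, size,
    bytes, MD5 and SHA-256. `source` names the evidence file ("RAM"/"swap")."""
    found = []
    for ext, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := data.find(head, pos)) != -1:
            end = data.find(tail, start + len(head), start + max_size)
            if end == -1:
                # No footer within max_size: the rest of the file was not in
                # this dump. Keep what is there (up to max_size, so this can
                # include unrelated trailing bytes) and flag it as partial.
                blob, complete, pos = data[start:start + max_size], False, start + len(head)
            else:
                blob, complete, pos = data[start:end + len(tail)], True, end + len(tail)
            found.append({
                "source": source, "offset": start, "type": ext,
                "complete": complete, "size": len(blob), "data": blob,
                "md5": hashlib.md5(blob).hexdigest(),
                "sha256": hashlib.sha256(blob).hexdigest(),
            })
    return sorted(found, key=lambda r: r["offset"])


def write_carved(records, outdir):
    """Write each carve as <source>_<offset>[_partial].<ext>; return the paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for r in records:
        suffix = "" if r["complete"] else "_partial"
        path = os.path.join(outdir, f"{r['source']}_{r['offset']:08x}{suffix}.{r['type']}")
        with open(path, "wb") as f:
            f.write(r["data"])
        paths.append(path)
    return paths


if __name__ == "__main__":
    # usage: python carve.py <dump> <RAM|swap> <outdir>
    if len(sys.argv) == 4:
        with open(sys.argv[1], "rb") as f:
            records = carve_images(f.read(), sys.argv[2])
        write_carved(records, sys.argv[3])
    else:
        records = carve_images(SAMPLE_DUMP, "RAM")
    for r in records:
        state = "complete" if r["complete"] else "PARTIAL"
        print(f"{r['source']} 0x{r['offset']:08x} {r['type']} {state:8s} {r['size']:6d} B sha256={r['sha256']}")
```

The partial case is the one worth keeping in mind when you hash and report: a carve that stops short of the footer (or overruns into whatever followed it in memory) is a different byte string from the file the suspect viewed, so its hash will not match anything, and that difference is an honest part of the evidence description rather than an error to hide.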

Use ‘www.tineye.com’ to do a reverse image search on any graphics files you found.

Did you get any hits? If not, what is your best guess as to why there were no hits?

  • Hint: How does tineye.com work, and how does a carving tool carve files from an image?
