
Table of Contents
Create a clean memory dump using WinPmem (10%) ... 2
Comparative analysis of the processes in both dumps ... 3
Series of questions to answer covering all areas of analysis (75%) ... 5
1. Windows objects that you can find in both memory dumps ... 5
   Windows objects in both infected and clean dump ... 6
2. Enumerate how many connections ... 8
   Clean dump connections ... 8
   Infected dump connections ... 9
3. Describe 5 modules that are currently loaded in both dumps ... 10
   Windows modules in both infected and clean dump ... 10
4. Recover the command history ... 12
   Command history in both infected and clean dump ... 13
5. Recover the password hashes and the LSA secret keys ... 13
   In clean dump ... 14
   In infected dump ... 15
   LSA in infected dump ... 16
   LSA in clean dump ... 17
Bibliography ... 19
References ... 19

Windows objects in both infected and clean dump:

As the screenshot below shows, I used the ‘objtypescan’ plugin to list all the objects
present in the infected and the clean OS memory dumps with the following command
(figure no. 5):

python2 vol.py -f <path to image file (infected & clean)> objtypescan

• python2: Specifies using Python 2, ensuring compatibility with Volatility 2.x.
• vol.py: The main script for running Volatility analyses on memory dumps.
• -f: A flag to specify the memory image file to analyze.
• <path to image file (infected & clean)>: The actual path to your memory dump
file (e.g., -f /path/to/infected_dump.raw).
• objtypescan: A Volatility plugin that scans for and lists objects by type in the
memory dump.

Figure 5

I have analysed the Windows objects in both the infected and the clean memory dump
(figure no. 5).

I have added a description of each of the 32 objects and counted the objects present in
both memory dumps.

From the provided memory dump, check the live sockets. Enumerate
how many connections there are and where these connections are
pointing. Distinguish between localhost connections, local network
ones and public network connections

As figures no. 6 and 7 show, there are a number of connections in both dumps. I have
used the following command:

python2 vol.py -f <path to image file (infected & clean)> connscan

• python2: Specifies using Python 2, ensuring compatibility with Volatility 2.x.
• vol.py: The main script for running Volatility analyses on memory dumps.
• -f: A flag to specify the memory image file to analyze.
• <path to image file (infected & clean)>: The actual path to your memory dump
file (e.g., -f /path/to/infected_dump.raw).
• connscan: A Volatility plugin that scans for network connections in the memory
dump.

Clean Dump Connections:

Figure no. 6

Localhost Connections: None (all connections are external)

Local Network Connections: None (all connections are to public IPs)

Public Network Connections:
• 10.0.2.15:1035 to 20.109.209.108:443
• 10.0.2.15:1030 to 110.93.229.226:80

Infected Dump Connections:

Figure no. 7

Localhost Connections:
• 0.0.0.0:0 to 1.0.0.0:0 (indicative of various system processes)

Local Network Connections:
• 172.16.150.20:1291 to 58.64.132.141:80
• 172.16.150.20:1292 to 172.16.150.10:445
• 172.16.150.20:1281 to 172.16.150.10:389
• 172.16.150.20:2862 to 172.16.150.10:135
• 172.16.150.20:1280 to 172.16.150.10:389

Public Network Connections: None (all other connections are to private IPs)

Analysis:
Clean Dump: All connections go from the local IP 10.0.2.15 to public IP addresses
(20.109.209.108, 110.93.229.226), indicating external network communication
(figure no. 6).

Infected Dump: A mix of local network connections from 172.16.150.20 to various ports
on 172.16.150.10, plus external connections to the public IP 58.64.132.141 (figure
no. 7).
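As an added example (not part of the report), the script below sorts connscan rows into the three classes the question asks for: localhost, local network (RFC 1918) and public. The connscan table it parses is constructed from the endpoints listed above, and the column layout is assumed to match Volatility 2 output.

```python
import ipaddress
from collections import Counter

# Constructed sample laid out like Volatility 2 'connscan' output, using the
# endpoints reported for the infected dump above (not taken from a real dump).
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f2a008 0.0.0.0:0                 1.0.0.0:0                 0
0x02087620 172.16.150.20:1291        58.64.132.141:80          1024
0x0208b8f8 172.16.150.20:1292        172.16.150.10:445         4
0x020a1a30 172.16.150.20:1281        172.16.150.10:389         536
0x020c3d28 172.16.150.20:2862        172.16.150.10:135         1020
0x020d6d00 172.16.150.20:1280        172.16.150.10:389         536
"""

def classify_remote(addr):
    """Bucket a remote IPv4 address into the three classes the question asks for."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "localhost"
    if ip.is_private:  # RFC 1918 space such as 10/8 or 172.16/12
        return "local network"
    return "public"

def parse_connscan(text):
    """Turn connscan table rows into dicts, skipping the header and rule lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].startswith("0x"):
            continue
        offset, local, remote, pid = fields
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        rows.append({"offset": offset, "local_ip": lip, "local_port": int(lport),
                     "remote_ip": rip, "remote_port": int(rport), "pid": int(pid)})
    return rows

def summarise(rows):
    """Count connections per class; zeroed local endpoints (0.0.0.0:0) are kept apart
    because connscan carves pool memory and such rows are often stale or unbound."""
    counts = Counter()
    for r in rows:
        if ipaddress.ip_address(r["local_ip"]).is_unspecified:
            counts["zeroed endpoint (verify)"] += 1
        else:
            counts[classify_remote(r["remote_ip"])] += 1
    return counts

if __name__ == "__main__":
    rows = parse_connscan(CONNSCAN_OUTPUT)
    print(dict(summarise(rows)))
```

Running it on real connscan output (redirect the plugin's stdout to a file and read it in) gives the per-class counts the question asks for, with the zeroed rows listed for manual verification.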

4. atapi.sys: IDE/ATAPI Port Driver - enables communication with IDE/ATAPI
devices such as hard drives and optical drives.

5. Ntfs.sys: NT File System Driver - handles file system operations and manages
data on NTFS-formatted volumes.

Recover the command history and explain each command (including
input and output) that you can find inside it.

I have used the ‘cmdscan’ plugin, which lists the command history still present in
volatile memory, as shown in the screenshot below (figure no. 10).

Figure no. 10

I have used the below command to see the command history in both memory dumps:

python2 vol.py -f <path to image file (infected & clean)> cmdscan

• python2: Specifies using Python 2, ensuring compatibility with Volatility 2.x.
• vol.py: The main script for running Volatility analyses on memory dumps.
• -f: A flag to specify the memory image file to analyze.
• <path to image file (infected & clean)>: The actual path to your memory dump file
(e.g., -f /path/to/infected_dump.raw).
• cmdscan: A Volatility plugin that scans for command history within the memory dump.

Command history in both infected and clean dump:

Figure no. 11

As you can see in figure no. 11, I have highlighted the “winpmem” command, which I had
used to create the clean memory dump.

The highlighted command also shows the suspicious process “mdd.exe”, which we had
already discovered in the process list (pslist).

Provide a brief description of the RSA2 algorithm. Recover the
password hashes and the LSA secret keys of both memory dumps.
Report on any differences. How would you recover the original
passwords?

I have used the ‘hashdump’ plugin, which recovers the password hashes present in
volatile memory, as shown in the screenshot below (figure no. 12).

Figure no. 12
