Lab Exercise 1: Creating a Memory Dump File Using FDPro

HBGary Memory Forensics Lab Guide

Contents

Lab Exercise 1: Creating a Memory Dump File using FDPro

Lab Exercise 2: Creating a new Physical Memory Snapshot Project

Lab Exercise 3: Webmail Investigation

Lab Exercise 1: Creating a Memory Dump File using FDPro

FastDump Pro™ (FDPro™) is a command-line based memory dumping utility that comes packaged with both the Responder™ Professional and the Responder™ Field products. A copy of FDPro.exe is located in the FastDump folder in the directory where Responder™ is installed on the local hard drive.

To capture live memory, perform the following steps:

  1. Open a command line session:
    • Windows XP: Start > Run, then type "command".
    • Windows Vista and 7: Start > All Programs > Accessories, then right-click Command Prompt and choose Run as Administrator.
  2. Browse to the FDPro directory:
    • Windows XP and Windows 7 32-bit: C:\Program Files\HBGary\Responder 2\FDPro
    • Windows 7 64-bit: C:\Program Files (x86)\HBGary\Responder 2\FDPro
  3. Create a memory snapshot of the physical memory only by executing the following command: fdpro.exe c:\memdump.bin
  4. What size is the file created? ______
  5. Create a memory snapshot that also includes the Pagefile.sys file, written to the local system, by executing the following command: fdpro.exe c:\RAMdump_Pagefile.hpak
  6. What size is the file created? ______
  7. Create a memory snapshot using the Process Probe feature by executing the following command: fdpro.exe c:\RAMdump_Process_Probe1.bin -probe all
  8. What size is the file created? ______
  9. Which file is larger? ______
  10. Why is it larger? ______
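The same three captures, scripted so that the size the worksheet asks for, plus a SHA-256 of each dump, is recorded automatically. This is an added example, not part of the HBGary lab material or of FDPro itself; it assumes fdpro.exe is in the lab's FDPro directory (pass a different directory as the first argument) and that it is run from an elevated prompt like the one opened in step 1. The manifest path c:\fdpro_manifest.json is a placeholder of my choosing.

```python
"""Run the Lab Exercise 1 FDPro captures and record size and SHA-256 for each dump.

Added example, not part of the HBGary lab or FDPro. Assumes fdpro.exe lives in
the lab's FDPro directory and that this script runs from an elevated prompt.
"""
import hashlib
import io
import json
import os
import subprocess
import sys
from typing import Dict, List

# Default install path from the lab (32-bit Windows); pass another as argv[1].
DEFAULT_FDPRO_DIR = r"C:\Program Files\HBGary\Responder 2\FDPro"
# Placeholder (constructed) location for the acquisition manifest.
MANIFEST_PATH = r"c:\fdpro_manifest.json"


def lab_commands(fdpro_dir: str) -> List[List[str]]:
    """The three captures exactly as the lab gives them: RAM only, RAM plus
    pagefile (.hpak), and RAM with Process Probe (-probe all)."""
    exe = os.path.join(fdpro_dir, "fdpro.exe")
    return [
        [exe, r"c:\memdump.bin"],
        [exe, r"c:\RAMdump_Pagefile.hpak"],
        [exe, r"c:\RAMdump_Process_Probe1.bin", "-probe", "all"],
    ]


def summarize(stream, chunk_size: int = 1 << 20) -> Dict[str, object]:
    """Size and SHA-256 of a stream, read in 1 MiB chunks so a multi-GB dump
    is never loaded into memory all at once."""
    digest = hashlib.sha256()
    size = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
        size += len(chunk)
    return {"size_bytes": size, "sha256": digest.hexdigest()}


def describe_bytes(data: bytes) -> Dict[str, object]:
    """Same summary for an in-memory byte string (used for testing)."""
    return summarize(io.BytesIO(data))


def describe_artifact(path: str) -> Dict[str, object]:
    """Summary of a dump file on disk, keyed by its path."""
    with open(path, "rb") as fh:
        return {"path": path, **summarize(fh)}


def human_size(n: int) -> str:
    """1073741824 -> '1.00 GiB'; handy for the worksheet's size questions."""
    value = float(n)
    for unit in ("B", "KiB", "MiB", "GiB", "TiB"):
        if value < 1024 or unit == "TiB":
            return f"{value:.2f} {unit}"
        value /= 1024


def run_captures(fdpro_dir: str) -> List[Dict[str, object]]:
    """Run each capture, then hash the file it wrote. check=True aborts on a
    non-zero exit so a failed dump is never hashed as if it were good."""
    manifest = []
    for cmd in lab_commands(fdpro_dir):
        subprocess.run(cmd, check=True)
        entry = describe_artifact(cmd[1])  # cmd[1] is the output file
        entry["command"] = " ".join(cmd)
        manifest.append(entry)
    return manifest


if __name__ == "__main__":
    fdpro_dir = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_FDPRO_DIR
    manifest = run_captures(fdpro_dir)
    for entry in manifest:
        print(f"{entry['path']}: {human_size(entry['size_bytes'])}  sha256={entry['sha256']}")
    with open(MANIFEST_PATH, "w") as out:
        json.dump(manifest, out, indent=2)
```

The size_bytes fields in the manifest are the answers to steps 4, 6 and 8. Hashing each dump at acquisition time is what later lets you show that the image loaded into Responder is the one that was taken, and the chunked read keeps memory use flat however large the dump is. Outside the lab, run the acquisition tool from removable media and write the dump to external storage so the capture changes as little as possible on the target.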

Lab Exercise 2: Creating a new Physical Memory Snapshot Project

To create a physical memory snapshot project and perform an initial analysis, perform the following steps:

  1. Double-click the Responder™ desktop icon.
  2. Click File > Project > New to create a new project. The New Project wizard launches and walks you through the steps of creating a new project.
  3. Select Physical Memory Snapshot. Enter LAB1EX2 as the name for the project. Accept the default location to save your project, or click the Browse button to select a location to save it. Click Next.
  4. Click the ellipsis button and browse to select the [DVD or directory]:\Student Exercise 1 CyberEspionagecase.vmem physical memory image file. Click Next.
  5. Enter a case name, your name, number, and the case date and time. The information provided is stored for recordkeeping. Click Next.
  6. Enter information about the machine from which the memory snapshot was taken, its location, and the date and time. The information provided is stored for recordkeeping. Click Next.
  7. Click Finish to create the project.
  8. In the Report tab, click to expand the Suspicious Modules icon. What's the name of the suspicious module identified? ______
  9. Click to expand Technical Details > Process: System > Module: flypaper.sys. Why was flypaper.sys identified as suspicious? ______ At what offset address is the rule match found? ______

  10. In the Report details panel, click the Export button. What file formats are available to save the file? ______ Save the file as HTML, name it student1, and save it to the C:\ drive.
  11. Double-click the file you just saved to C:\, and scroll down to view the report.
  12. Close the browser window.
  13. Click the Objects tab. Double-click the Case icon. Change the Case Number to 1025. Change the Case Date to today's date. What happened? ______
  14. Double-click the Physical Memory Snapshot folder icon. Enter an import path of c:\temp. Change the Import Time to the current time. What happened? ______
  15. Click to expand the Operating System folder. Double-click the All Modules folder. What is the Process ID for taskdir.exe? ______ Close the All Modules detail panel window.
  16. Double-click the All Open Files folder. Sort by Process, and scroll to the taskdir.exe entries. Close the Files detail panel window.
  17. Double-click the All Open Network Sockets folder. What are the open sockets listed for the taskdir.exe file? ______ What are the protocol types? ______ Close the Network detail panel window.
  18. Double-click the All Open Registry Keys folder. In the right-hand (details) window, click the Process heading in the Registry details panel to sort the processes in ascending alphabetical order. What is the name of the first process listed? ______ Close the Keys detail panel window.
  19. Right-click the Process heading, and choose Sort Descending. What is the name of the first process listed? ______
  20. Double-click the All Open Files folder. In the details window, right-click the Path heading and select Column Chooser. What is the name of the available column? ______
  21. In the Customization window, click the Access column header and drag and drop it onto the header bar.
    • Is there any data in the Access column? ______
    • What is the access level for the Microsoft entry in the File Name column? ______
  22. Close the Customization window, and close the Files details panel.
  23. Double-click the Documents and Messages folder, and sort by Type. What two types are listed in the Type column? ______
  24. Double-click the Drivers folder. Sort the columns by Name. Which file is listed first? ______ Close the Drivers detail panel window.
  25. Double-click the Keys and Passwords folder. In the details panel, click the Search icon and enter NULL. What are the last four digits in the Offset address for the values returned? ______
  26. Click the Lock icon to lock the panel. Double-click the Keys and Passwords folder again. What happens? ______ Close the pop-up details panel, and click the Clear Search icon. Unlock the detail panel.
  27. Double-click the Processes folder, and sort by Process Name. Locate the taskdir.exe entries. What are the Parent PIDs? ______ What is the Working Directory? ______ Close the Processes detail panel window.
  28. Expand the System Service Descriptor Tables folder, then double-click the System Call Table – NTOSKRNL/HOOKED icon. Sort the Hooked column in descending order. Are there any hooked modules identified? ______ Which module are they attributed to? ______ What is the path identified? ______
  29. Click to expand Processes > ipod.raw.exe > Modules > ipod.raw.exe. Double-click the Strings folder. Use the information found in the details panel to answer the following questions:
    • Are there any hard-coded IP addresses? ______
    • Are there any domain names? ______
    • Are there any e-mail addresses used? (Hint: click the Search icon and enter '@'.) ______
  30. Locate the Taskdir.exe module (PID 1712), and double-click the Strings folder to answer the following questions and identify communication factors:
    • Are there any hard-coded IP addresses? ______
    • Are there any domain names? ______
  31. Click the Search icon and enter internet. Right-click an entry, and choose Google™ Text Search. What happens? ______
  32. Locate and click the MSDN.microsoft.com URL. What does the InternetGetConnectedState function do? ______
  33. Click the Clear Search button in the Strings detail window.
  34. Click File > Project > Close to close the project.

Lab Exercise 3: Webmail Investigation

  1. Click FileProject New to create a new Physical Memory Snapshot project.
  2. Enter LAB1EX3 as the name for project. Accept the default location to save your project, or click the Browse button to select a location to save it. Click Next.
  3. Click the ellipse button () and browse to select the [drive]:\SBurnsIDYLLWin764.hpakphysical memory image file. Click Next.
  4. Enter a case name, your name, number, and the case date and time. The information provided is stored for recordkeeping. Click Next.
  5. Enter information about the machine from where the memory snapshot was taken, its location, date and time. The information provided is stored for recordkeeping. Click Next.
  6. Click Finish to create the project.
  7. In the Objectstab,Click the + next to physmem.861354451.hpak icon.Double-click Internet History. Then Use Responder to answer the following questions:
  1. True or False – All URL’s identified in the Internet History object in Responder are as a result of browsing by a user.
  2. ______
  3. True or False – As Responder uses a special algorithm to parse INDEX.DAT files, times and dates associated with entries in the Internet History object cannot be easily validated.
  4. ______

8. In the Objects tab, click the + next to the physmem.861354451.hpak icon. Click the + next to Processes. Then use Responder to answer the following questions:

Are there any processes listed that indicate web browsers or internet chat programs in use? If so, list the name of the processes and the program they are associated with.

  1. iexplore.exe – Internet Explorer or skype.exe – Skype or msnmsgr.exe – MSN Messenger or msn.msgr.exe – Windows Live Messenger
  2. 23
  3. A
  4. E
  5. iexplore internet explorer msnmsgr microsoft messenger

9. In the Objects tab, go back to the Internet History object. Then use Responder to answer the following question.

It is apparent that Facebook has been visited. How many entries are there related to Facebook that are associated with a web browser?

  1. 2
  2. 7
  3. 19
  4. 25
  5. 28

10. In the Objects tab, stay on the Internet History object. Then use Responder to answer the following question.

Is there any indication of webmail having recently been accessed from this computer? Perform a search in the Internet History details panel for the word mail. Between which dates and times did these accesses occur? (Use one space to separate times and dates.)

a. 3/16/2011 11:36:58 3/10/2011 12:13:34

b. 3/10/2011 12:13:34 & 3/16/2011 11:36:58

c. 12/1/11 12/2/11

d. 3/10/2011 12:14

11. In the Objects tab, stay on the Internet History object. Then use Responder to answer the following:

As it appears Gmail has been used, search for the term "ci". How many entries were located as a result of this search?

a. 0

b. 1

c. 3

d. 7

e. 14

12. Navigate to the Binary tab. Then use Responder to answer the following:

Using the username previously identified for Monica Jones, salesytype2010, conduct a search for this case-specific term. Remember to search for Unicode, and consider increasing the maximum hits past 1000. How many matches are there?

a. 0

b. 1024

c. 1061

d. 1300

e. 1601
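Why step 12 tells you to search for Unicode and to raise the maximum-hits cap: Windows GUI programs keep most of their strings in memory as UTF-16LE, so an ASCII-only search for salesytype2010 finds only the copies that happen to be narrow (for example in a URL query string), and a hit cap that is reached silently understates the count. The following is an added example, not Responder's own search code; SAMPLE is a constructed buffer standing in for a slice of a memory image, and search_file applies the same search to a dump on disk by memory-mapping it.

```python
"""Search a memory image for a case term in both ASCII and UTF-16LE.

Added example, not Responder's search implementation. SAMPLE is a constructed
buffer standing in for a slice of a memory image.
"""
import mmap
import re
from typing import Dict, List, Tuple

# Constructed: the lab's username appears once as ASCII (as it might in a URL
# query) and twice as UTF-16LE, which is how Windows GUI programs hold strings.
USERNAME = "salesytype2010"
SAMPLE = (
    b"\x00" * 16
    + b"user=" + USERNAME.encode("ascii") + b"&pw="
    + b"\x00" * 8
    + USERNAME.encode("utf-16-le")
    + b"\x00" * 8
    + USERNAME.encode("utf-16-le")
    + b"\xff" * 8
)


def encodings_for(term: str) -> Dict[str, bytes]:
    """Byte patterns to look for. An ASCII-only search misses the UTF-16LE
    copies, which are usually the majority in user-mode process memory."""
    return {"ascii": term.encode("ascii"), "utf-16le": term.encode("utf-16-le")}


def search_term(data, term: str, max_hits: int = 1000) -> Tuple[List[Tuple[int, str]], bool]:
    """Return (hits, truncated). hits are (offset, encoding) pairs sorted by
    offset; truncated is True when the max_hits cap cut the list, which is the
    case the lab warns about when it says to raise the maximum hits past 1000.
    `data` may be bytes or any bytes-like object such as an mmap."""
    hits = []
    for name, pattern in encodings_for(term).items():
        for match in re.finditer(re.escape(pattern), data):
            hits.append((match.start(), name))
    hits.sort()
    return hits[:max_hits], len(hits) > max_hits


def count_by_encoding(hits: List[Tuple[int, str]]) -> Dict[str, int]:
    """How many hits came from each encoding; a zero UTF-16LE count on a
    Windows image usually means the Unicode search was not run."""
    counts: Dict[str, int] = {}
    for _, name in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


def search_file(path: str, term: str, max_hits: int = 1000):
    """Run the same search over an image on disk without reading it into
    memory: the regex engine scans the memory-mapped file directly."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return search_term(mm, term, max_hits)


if __name__ == "__main__":
    hits, truncated = search_term(SAMPLE, USERNAME)
    for offset, enc in hits:
        print(f"0x{offset:08x}  {enc}")
    print(count_by_encoding(hits), "truncated:", truncated)
    # With the cap set too low the count is wrong, and `truncated` says so.
    capped, truncated = search_term(SAMPLE, USERNAME, max_hits=2)
    print(len(capped), "hits shown, truncated:", truncated)
```

On the constructed buffer the ASCII search alone reports one hit while the combined search reports three, which is the gap the lab's Unicode reminder is about. When `truncated` comes back True, raise `max_hits` and rerun before writing a count into the worksheet.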

13. Navigate to the Binary tab. Then use Responder to answer the following:

Reviewing the username search just conducted, which chat applications, if any, have search matches associated with them?

a. msnmngr.exe

b. msnmsgr.exe

c. skype.exe

d. yahoo.exe