Exercise 18.2 - Windows 7 / XP Memory Analysis

Written By Unknown on Thursday, 19 December 2013 | 10:04

Note: Capture the memory of your own Windows 7 system and save the image. The commands below walk through an XP SP2 image captured with Helix; for a Windows 7 capture, substitute the Win7 profile that imageinfo suggests in step 2 of Section 3.

Section 1. Start BackTrack
  1. Start BackTrack VM Instance
  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.
  3. Bring up the GNOME desktop
    • Instructions
      1. Type startx

Section 2. Bring up a console terminal
  1. Bring up a console terminal
Section 3. Using Volatility
  1. Navigate to Volatility
    • Instructions
      1. cd /pentest/forensics/volatility
      2. ls -l vol.py
  2. Obtain the image profile
    • Instructions:
      1. ./vol.py imageinfo -f /var/forensics/images/WV01_clean.dd
    • Notes(FYI):
      • imageinfo scans the image and suggests which profile (Windows version, service pack and architecture) to pass as --profile; every later plugin depends on that choice.
      • We know that our target is Windows XP running SP2.
      • Volatility suggests that we use either the profile WinXPSP3x86 or WinXPSP2x86.
      • Although the system runs SP2, the XP SP2 and SP3 x86 profiles describe almost identical kernel structures, so we use WinXPSP3x86 as the lesson does; if a later plugin prints nothing or garbage, rerun it with WinXPSP2x86.
      • A Windows 7 image needs one of the Win7 profiles instead (for example Win7SP1x86 or Win7SP1x64); the XP profiles will not parse it.
  3. View Running Processes
    • Instructions
      1. ./vol.py --profile=WinXPSP3x86 pslist -f /var/forensics/images/WV01_clean.dd
    • Notes(FYI):
      • This lists every process that was running at the moment the image was captured in Helix Lesson 4.
      • pslist walks the kernel's linked list of active processes, so a process that has unlinked itself from that list would not appear here; psscan, which carves process structures out of memory instead, is the cross-check for that.
  4. Searching for Specific Processes
    • Instructions:
      1. ./vol.py --profile=WinXPSP3x86 pslist -f /var/forensics/images/WV01_clean.dd | egrep '(notepad.exe|sol.exe|cmd.exe|nc.exe|dd.exe|iexplore.exe|helix.exe)'
    • Notes(FYI):
      • egrep - Is grep with extended regular expressions, which is what lets the pattern above match any of several names separated by |.
      • notepad.exe - Is the Notepad application.
      • sol.exe - Is Solitaire.
      • cmd.exe - Is the Command Prompt that we started.
      • nc.exe - Is NetCat, which was started by Helix.
      • dd.exe - Was started by Helix. It made the memory image.
      • iexplore.exe - Internet Explorer.
      • helix.exe - Helix itself.
  5. View Network Connections and Tie to Running Processes
    • Instructions:
      1. ./vol.py --profile=WinXPSP3x86 connections -f /var/forensics/images/WV01_clean.dd
        • This command lists the TCP connections that were open at capture time, together with the PID that owned each one.
      2. ./vol.py --profile=WinXPSP3x86 pslist -f /var/forensics/images/WV01_clean.dd | egrep '(2288|2612|472)'
        • This filters the process list down to the PIDs shown in the Pid column of the connections output, so each connection can be tied to a process name.
        • Note: These numbers will be different in your case!!!
        • egrep matches the numbers anywhere on the line, including the PPID and handle-count columns, so confirm the hit is in the PID column before trusting it.
          • Connections to remote port ":80" are the web (HTTP) traffic.
          • The connection on ":8888" belongs to the NetCat process.
  6. Scan for Terminated Network Connections
    • Instructions
      1. ./vol.py --profile=WinXPSP3x86 connscan -f /var/forensics/images/WV01_clean.dd
    • Notes(FYI):
      • connections walks the live TCP table, so it only shows connections that were open at capture time. connscan instead carves connection objects out of physical memory, so it also recovers connections that had already been closed; it can occasionally return stale or partly overwritten entries, so treat the extra rows as leads rather than proof.
      • Both plugins are for Windows XP / 2003 images only. On a Windows 7 image use netscan, which lists TCP and UDP endpoints with their owning PIDs.
  7. View DLL used by a Running Processes
    • Instructions:
      1. ./vol.py --profile=WinXPSP3x86 dlllist -p 472 -f /var/forensics/images/WV01_clean.dd
    • Note(FYI):
      • PID 472 is the process ID associated with NetCat. This will be different in your case.
      • Suppose I suspected that NetCat was part of a Trojan horse; dlllist shows every DLL the process has loaded together with the path it was loaded from, so a library sitting in an unexpected directory stands out.
      • dlllist reads the loader's module list in the process's own memory, so a DLL that has been unlinked from that list will not be shown; ldrmodules cross-checks the loader lists against the files actually mapped into the process.
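Reading PIDs off the connections output and then egrepping the process list (steps 5 and 6) can be scripted. The following is an added example written for this page; it is not part of the original lesson and not code from Volatility. It runs offline on two constructed sample outputs embedded in the script, laid out in the column format Volatility 2.x prints for a WinXPSP3x86 image (the offsets, addresses and PIDs are made up), and it goes slightly beyond the lesson by flagging any connection whose PID has no pslist entry.

```shell
#!/bin/sh
# Added example (not from the lesson): tie Volatility `connections` rows to
# process names from `pslist` by PID, instead of reading PIDs off the screen
# and grepping for them by hand.
#
# Both inputs below are CONSTRUCTED sample outputs in the column layout that
# Volatility 2.x prints for a WinXPSP3x86 image; offsets, addresses and PIDs
# are made up and are not from the lab image on this page.

PSLIST='Volatility Foundation Volatility Framework 2.4
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                    4      0     57      286 ------      0
0x8230e020 smss.exe                536      4      3       19 ------      0 2013-12-19 10:01:02 UTC+0000
0x82085da0 iexplore.exe           2612   1600      9      340      0      0 2013-12-19 10:03:10 UTC+0000
0x820f9020 cmd.exe                2288   1600      1       32      0      0 2013-12-19 10:03:40 UTC+0000
0x81f6a3c8 nc.exe                  472   2288      1       30      0      0 2013-12-19 10:04:01 UTC+0000'

CONNECTIONS='Volatility Foundation Volatility Framework 2.4
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81e9f4e8 192.168.1.100:1041        192.168.1.50:8888         472
0x81ea5008 192.168.1.100:1043        93.184.216.34:80          2612
0x81ec1d20 192.168.1.100:1044        93.184.216.34:80          2612
0x81ed0e68 192.168.1.100:1045        10.0.0.9:4444             9999'

# correlate <pslist output> <connections output>
# Prints one tab-separated line per connection: PID, process name, local
# socket, remote socket. A PID that owns a connection but has no pslist row is
# printed as UNKNOWN-PID: that is what an exited process whose socket object
# is still in memory, or a process hidden from the active-process list, looks
# like, and it deserves a follow-up with psscan.
correlate() {
    {
        printf '%s\n' "$1"
        echo '=== CONNECTIONS ==='
        printf '%s\n' "$2"
    } | awk '
        /^=== CONNECTIONS ===$/ { in_conns = 1; next }
        $1 !~ /^0x/             { next }                  # banner, header and rule lines
        !in_conns               { name[$3] = $2; next }   # pslist row: Name=$2, PID=$3
        {                                                 # connections row: Local=$2, Remote=$3, Pid=$4
            n = ($4 in name) ? name[$4] : "UNKNOWN-PID"
            printf "%s\t%s\t%s\t%s\n", $4, n, $2, $3
        }'
}

# pids_on_port <connections output> <remote port>
# Prints the distinct PIDs holding a connection to that remote port, one per
# line; this is the ":80 / :8888" lookup from step 5 made generic.
pids_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^0x/ { split($3, r, ":"); if (r[2] == port) print $4 }' | sort -u
}

# Stand-alone run. With a real image you would capture the output of
#   ./vol.py --profile=WinXPSP3x86 pslist -f IMAGE
#   ./vol.py --profile=WinXPSP3x86 connections -f IMAGE
# into these two variables instead.
correlate "$PSLIST" "$CONNECTIONS"
echo "--- PIDs with a connection to remote port 8888:"
pids_on_port "$CONNECTIONS" 8888
```

On BackTrack the same two functions work unchanged on real plugin output: run pslist and connections once each, save the text, and pass the saved text instead of the constructed samples. For a Windows 7 image swap connections for netscan and adjust the column positions in correlate, since netscan prints protocol and state columns in front of the PID.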
Copyright © 2013. an toan thong tin - All Rights Reserved