\documentclass[a4paper,12pt]{article}
\usepackage{geometry}
\usepackage[english]{babel}
\usepackage{microtype}
\usepackage{hyperref}
\usepackage{listings}
\usepackage{graphicx}

\lstdefinestyle{mystyle}{
  basicstyle=\ttfamily\footnotesize,
  breakatwhitespace=false,
  breaklines=true,
  captionpos=b,
  keepspaces=true,
  showspaces=false,
  showstringspaces=false,
  showtabs=false,
  tabsize=2
}
\lstset{style=mystyle}
\setlength{\parindent}{0pt}

\title{RAM Report}
\author{Tobias Eidelpes 01527193}
\date{\today}

\begin{document}
\maketitle

\section{Introduction}
This report documents the findings, and the analysis of those findings, from an extensive forensic examination of a RAM dump. The dump was obtained after a computer showed suspicious activity and was subsequently shut down. It is provided as a zip file, which is extracted before the analysis is performed.

A second RAM dump is analyzed to find information about a PC running in the server room which has no apparent owner or user. This dump is also provided as a zip file and is password protected with the password \texttt{infected}.

\section{Findings}
All information is obtained with the open source \texttt{Volatility 3 Framework}\footnote{sha1sum: \texttt{b386a7475304d5e449fa0265ffc36df9c6f7835a}} at version \texttt{1.0.1}, except for the screenshot of the first RAM dump, because this command requires the \texttt{Volatility Framework 2.6}.\footnote{sha1sum: \texttt{ac3d2333b4d96f9a0c000b7b644f0480b3bc7ff6}} All work is done on Arch Linux with kernel version 5.15.2.

\subsection{Image 1}
\subsubsection{Basic Information}
This image is running Windows XP with Service Pack 2. It was created on 2011-11-30 12:14:10. The machine is running an Intel x86 processor and is named \texttt{SECURITY-91B8EC}. The user logged in at the time of the dump was the \texttt{Administrator} user. This information is provided by the Volatility \texttt{info} and \texttt{envars} commands.
\subsubsection{Processes and Network Connections}
The process list is obtained with the \texttt{pslist} command. It includes common Windows processes as well as \texttt{AcroRd32.exe} and \texttt{VMWareUser.exe}. There are also multiple \texttt{svchost.exe} processes running.

\subsubsection{Other Information}
Interesting information can also be found with the \texttt{iehistory}, \texttt{screenshot} and \texttt{malfind} commands. \texttt{iehistory} shows that the user \texttt{Administrator} accessed a file on the filesystem called \texttt{navy procurement.pdf}. Furthermore, the \texttt{screenshot} command attempts to reconstruct the user's view just before the dump was created. The image shows that the \texttt{navy procurement.pdf} file was opened in Adobe Acrobat Reader with a message saying that Windows has closed this program to protect the computer.

\begin{figure}
  \centering
  \includegraphics[width=1\textwidth]{./screenshot.png}
  \caption{\texttt{navy procurement.pdf} open in Adobe Acrobat Reader}
\end{figure}

\subsection{Image 2}
\subsubsection{Basic Information}
As with image one, basic information about the RAM dump is gathered with the help of Volatility 2. The dump comes from either Windows Vista or Windows Server 2008 with Service Pack 1 or Service Pack 2 installed. It was created on 2011-11-30 15:23:46 UTC+0100. The computer's name is \texttt{WIN-F0U9JFUWQ3S} and the currently logged-in user is \texttt{Vista}. In addition to Vista, there are five other users: Administrator, Guest, Bob, Alice and Eve. This information is extracted via Volatility's \texttt{hashdump} command, which also provides the hashed password of each user. These hashes have been cracked using the online service CrackStation\footnote{\url{https://crackstation.net/}}.

\subsubsection{Other Information}
Volatility's \texttt{cmdline} plugin provides information about the commands that various processes have executed over the command line.
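The \texttt{pslist} finding for image 1 (several \texttt{svchost.exe} processes, one of which is later suspected to be malware) can be triaged mechanically: on Windows XP a legitimate \texttt{svchost.exe} is normally started by \texttt{services.exe}, so any \texttt{svchost.exe} with a different parent stands out. The following Python helper is an added example, not code from this report or from the Volatility project; it parses constructed sample lines that only mimic the column order of Volatility 3's \texttt{windows.pslist} output (PID, PPID, ImageFileName first) and reports the outliers.

```python
from dataclasses import dataclass

# Constructed sample imitating the column order of Volatility 3
# windows.pslist (PID, PPID, ImageFileName, ...); the values are NOT
# from the analysed image. Added example, not code from this report.
SAMPLE_PSLIST = """\
PID     PPID    ImageFileName   Offset(V)   Threads Handles SessionId Wow64 CreateTime
4       0       System          0x823c89c8  53      240     N/A     False N/A
368     4       smss.exe        0x822f1020  3       19      N/A     False 2011-11-30 12:00:01
584     368     winlogon.exe    0x8229ada0  23      519     0       False 2011-11-30 12:00:03
628     584     services.exe    0x822a0598  16      262     0       False 2011-11-30 12:00:04
824     628     svchost.exe     0x82298700  20      194     0       False 2011-11-30 12:00:05
900     628     svchost.exe     0x82297650  9       227     0       False 2011-11-30 12:00:05
1604    1556    AcroRd32.exe    0x82031020  7       233     0       False 2011-11-30 12:13:20
1640    1604    svchost.exe     0x820e3f80  5       84      0       False 2011-11-30 12:13:45
1700    1444    svchost.exe     0x820e1b20  2       40      0       False 2011-11-30 12:13:50
"""

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str

def parse_pslist(text):
    """Keep PID, PPID and ImageFileName of every data row."""
    procs = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        procs.append(Proc(int(fields[0]), int(fields[1]), fields[2]))
    return procs

def suspicious_svchosts(procs, expected_parent="services.exe"):
    """(pid, ppid, parent_name) for every svchost.exe with an unexpected parent.
    A parent missing from the list (already exited) is flagged too, because
    services.exe does not exit on a healthy system."""
    by_pid = {p.pid: p for p in procs}
    flagged = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name if parent else "<not in list>"
        if parent_name.lower() != expected_parent:
            flagged.append((p.pid, p.ppid, parent_name))
    return flagged
```

PIDs are reused after a process exits, so a flagged entry is a lead to confirm against the create times and the \texttt{malfind} output, not proof on its own.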
\section{Analysis}
\subsection{Image 1}
The information gathered with Volatility strongly suggests that the computer has been infected with malware. The malware seems to have been installed after opening the \texttt{navy procurement.pdf} file and is most likely running as an additional \texttt{svchost.exe} process. This process could be responsible for the connection made to the IP address \texttt{99.1.23.71}. A WHOIS lookup names the organisation that holds the address: \texttt{SUN COUNTRY MEDICAL EQUIPMENT}, based in Texas, US.

\subsection{Image 2}
The password hashes of the six users have been cracked to reveal the plaintext. The resulting passwords can be seen in Listing~\ref{lst:passwords}. The Administrator password and the password of the user Guest are empty, which poses a substantial security risk. Looking closely at the output of the \texttt{cmdline} plugin reveals a call to \texttt{telnet.exe towel.blinkenlights.nl} (second to last line in the output). While this service is no longer reachable over its IPv4 address, it is reachable over its IPv6 address \texttt{2001:7b8:666:ffff::1:42}, which can be found with the \texttt{nslookup} command available on Linux distributions. Connecting to it should show an ASCII version of Star Wars playing in the terminal.

\section{Appendix}
\lstinputlisting[caption=Image1 Info]{imageinfo-image1.txt}
\lstinputlisting[caption=Image1 Processes List]{processes-image1.txt}
\lstinputlisting[caption=Image1 Connections]{connections-image1.txt}
\lstinputlisting[caption=Image1 IEHistory]{iehistory-image1.txt}
\lstinputlisting[caption=Image1 MalFind]{malfind-image1.txt}
\lstinputlisting[caption=Image2 Info]{imageinfo-image2.txt}
\lstinputlisting[caption=Image2 Hashdump]{hashdump-image2.txt}
\lstinputlisting[caption=Image2 Command Line]{cmdline-image2.txt}
\lstinputlisting[caption=Image2 Cracked Passwords,label={lst:passwords}]{ntlm-cracked.txt}

\end{document}