\documentclass[a4paper,12pt]{article}
\usepackage{geometry}
\usepackage[english]{babel}
\usepackage{microtype}
\usepackage{hyperref}
\usepackage{listings}
\usepackage{graphicx}

\lstdefinestyle{mystyle}{
  basicstyle=\ttfamily\footnotesize,
  breakatwhitespace=false,
  breaklines=true,
  captionpos=b,
  keepspaces=true,
  showspaces=false,
  showstringspaces=false,
  showtabs=false,
  tabsize=2
}
\lstset{style=mystyle}
\setlength{\parindent}{0pt}

\title{RAM Report}
\author{Tobias Eidelpes 01527193}
\date{\today}

\begin{document}
\maketitle

\section{Introduction}
This report documents the findings, and the analysis of those findings, of an extensive forensic examination of a RAM dump. The dump was obtained after a computer showed suspicious activity and was subsequently shut down. It is provided as a zip file, which is extracted before the analysis can be performed.

A second RAM dump is analyzed to find information about a PC running in the server room that has no apparent owner or user. This dump is also provided as a zip file and is password protected with the password \texttt{infected}.

\section{Findings}
All information is obtained with the open source \texttt{Volatility 3 Framework} at version \texttt{1.0.1}, except for the screenshot of the first RAM dump, because that command requires the \texttt{Volatility Framework 2.6}.

\subsection{Image 1}
\subsubsection{Basic Information}
This image is running Windows XP with Service Pack 2. It was created on 2011-11-30 12:14:10. The machine runs on an Intel x86 processor and is named \texttt{SECURITY-91B8EC}. The user logged in at the time of the dump was the \texttt{Administrator} user. This information is provided by the Volatility \texttt{windows.info.Info} and \texttt{windows.envars.Envars} commands.

\subsubsection{Processes and Network Connections}
The process list is obtained with the \texttt{pslist} command.
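As an added example (not part of this report and not Volatility's own tooling), the following Python script parses \texttt{windows.pslist} output and flags every \texttt{svchost.exe} whose parent is not a live \texttt{services.exe}, which is the parent-process check behind treating an extra \texttt{svchost.exe} as a likely malware host. The process table embedded in the script is constructed for illustration; its PIDs, offsets and times are not taken from the dump.

```python
"""svchost.exe parent check over Volatility 3 ``windows.pslist`` output.
On Windows XP every legitimate svchost.exe is started by services.exe, so
any other (or vanished) parent deserves a closer look. Added example."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")

# Constructed sample in the column order of `vol -f <dump> windows.pslist`.
# PIDs, offsets and times are made up, not taken from the report's dump.
SAMPLE_PSLIST = """\
PID   PPID  ImageFileName   Offset(V)   Threads  Handles  SessionId  Wow64  CreateTime

4     0     System          0x823c8830  56   256   N/A  False  N/A
368   4     smss.exe        0x82169020  3    19    N/A  False  2011-11-30 11:58:01.000000
616   368   winlogon.exe    0x820e9020  19   500   0    False  2011-11-30 11:58:04.000000
660   616   services.exe    0x820d6b28  16   260   0    False  2011-11-30 11:58:05.000000
836   660   svchost.exe     0x8209e7a8  18   200   0    False  2011-11-30 11:58:06.000000
1004  660   svchost.exe     0x8204a800  60   1100  0    False  2011-11-30 11:58:07.000000
1464  1424  explorer.exe    0x81fd6b30  14   400   0    False  2011-11-30 11:58:20.000000
1560  1464  VMwareUser.exe  0x81fb1020  6    90    0    False  2011-11-30 11:58:25.000000
1752  1464  AcroRd32.exe    0x81e9c300  8    210   0    False  2011-11-30 12:10:41.000000
1812  1752  svchost.exe     0x81e4c020  4    60    0    False  2011-11-30 12:10:45.000000
"""


def parse_pslist(text):
    """One Proc per data row; header, blank and non-numeric rows are skipped."""
    procs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].isdigit() and fields[1].isdigit():
            procs.append(Proc(int(fields[0]), int(fields[1]), fields[2]))
    return procs


def suspicious_svchost(procs):
    """Return (pid, ppid, parent_name) for each svchost.exe that is not
    parented by a services.exe still present in the list."""
    by_pid = {p.pid: p for p in procs}
    flagged = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or parent.name.lower() != "services.exe":
            flagged.append((p.pid, p.ppid, parent.name if parent else "exited/missing"))
    return flagged


if __name__ == "__main__":
    for pid, ppid, parent in suspicious_svchost(parse_pslist(SAMPLE_PSLIST)):
        print("svchost.exe pid %d has parent pid %d (%s)" % (pid, ppid, parent))
```

Running it on real output means feeding the text of \texttt{vol -f <dump> windows.pslist} to \texttt{parse\_pslist} instead of the constructed sample.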
The list includes common Windows processes as well as \texttt{AcroRd32.exe} and \texttt{VMWareUser.exe}. There are also multiple \texttt{svchost.exe} processes running.

\subsubsection{Other Information}
Interesting information can also be found with the \texttt{iehistory}, \texttt{screenshot} and \texttt{malfind} commands. \texttt{IEHistory} shows that the user \texttt{Administrator} accessed a file on the filesystem called \texttt{navy procurement.pdf}. Furthermore, the \texttt{screenshot} command attempts to reconstruct the user's view just before the dump was created. The image shows that the \texttt{navy procurement.pdf} file was opened in Adobe Acrobat Reader with a message saying that Windows has closed this program to protect the computer.

\begin{figure}[h]
  \centering
  \includegraphics[width=1\textwidth]{./screenshot.png}
  \caption{\texttt{navy procurement.pdf} open in Adobe Acrobat Reader}
\end{figure}

\subsection{Image 2}

\section{Analysis}
\subsection{Image 1}
The information gathered with Volatility strongly suggests that the computer had been infected with malware. The malware seems to have been installed after the \texttt{navy procurement.pdf} file was opened and is most likely running as an additional \texttt{svchost.exe} process. This process could be responsible for the connection made to the IP address \texttt{99.1.23.71}. A WHOIS lookup identifies the holder of the address as \texttt{SUN COUNTRY MEDICAL EQUIPMENT}, based in Texas, US.

\subsection{Image 2}

\section{Appendix}
\lstinputlisting[caption=Image 1 Info]{imageinfo-image1.txt}
\lstinputlisting[caption=Image 1 Process List]{processes-image1.txt}
\lstinputlisting[caption=Image 1 Connections]{connections-image1.txt}
\lstinputlisting[caption=Image 1 IEHistory]{iehistory-image1.txt}
\lstinputlisting[caption=Image 1 MalFind]{malfind-image1.txt}

\end{document}