\documentclass[a4paper,12pt]{article}
\usepackage{geometry}
\usepackage[english]{babel}
\usepackage{microtype}
\usepackage{hyperref}
\usepackage{listings}
\usepackage{graphicx}
\lstdefinestyle{mystyle}{
basicstyle=\ttfamily\footnotesize,
breakatwhitespace=false,
breaklines=true,
captionpos=b,
keepspaces=true,
showspaces=false,
showstringspaces=false,
showtabs=false,
tabsize=2
}
\lstset{style=mystyle}
\setlength{\parindent}{0pt}
\title{RAM Report}
\author{Tobias Eidelpes 01527193}
\date{\today}
\begin{document}
\maketitle
\section{Introduction}
This report documents the findings and the analysis of those findings while
performing extensive forensic analysis on a RAM dump. The RAM dump was obtained
after a computer showed suspicious activity and was subsequently shut down. The
dump is provided via a zip file which is extracted to be able to perform
forensic analysis.
A second RAM dump is analyzed to find information about a PC running in the
server room which has no apparent owner or user. This dump is also provided as a
zip file and is password protected with the password \texttt{infected}.
\section{Findings}
All information is obtained through the use of the open source
\texttt{Volatility 3 Framework}\footnote{sha1sum:
\texttt{b386a7475304d5e449fa0265ffc36df9c6f7835a}} at version \texttt{1.0.1},
except for the screenshot of the first RAM dump, because this command requires
the \texttt{Volatility Framework 2.6}.\footnote{sha1sum:
\texttt{ac3d2333b4d96f9a0c000b7b644f0480b3bc7ff6}}
All work is done on Arch Linux with kernel version 5.15.2.
\subsection{Image 1}
\subsubsection{Basic Information}
This image is running Windows XP with Service Pack 2. It was created on
2011-11-30 12:14:10. The machine is running an Intel x86 processor and is named
\texttt{SECURITY-91B8EC}. The user logged in at the time of the dump was the
\texttt{Administrator} user. This information is provided by the Volatility
\texttt{info} and \texttt{envars} commands.
\subsubsection{Processes and Network Connections}
The process list is obtained with the \texttt{pslist} command. It includes
common Windows processes as well as \texttt{AcroRd32.exe} and
\texttt{VMWareUser.exe}. There are also multiple \texttt{svchost.exe} processes
running.
\subsubsection{Other Information}
Interesting information can also be found with the \texttt{iehistory},
\texttt{screenshot} and \texttt{malfind} commands. \texttt{IEHistory} shows that
the user \texttt{Administrator} accessed a file on the filesystem called
\texttt{navy procurement.pdf}. Furthermore, the \texttt{screenshot} command
attempts to reconstruct the user's view just before the dump was created. The
image shows that the \texttt{navy procurement.pdf} file was opened in Adobe
Acrobat Reader with a message saying that Windows has closed this program to
protect the computer.
\begin{figure}
\centering
\includegraphics[width=1\textwidth]{./screenshot.png}
\caption{\texttt{navy procurement.pdf} open in Adobe Acrobat Reader}
\end{figure}
\subsection{Image 2}
\subsubsection{Basic Information}
As with image one, basic information about the RAM dump can be gathered with
the help of Volatility 2. The RAM dump comes from either Windows Vista or
Windows Server 2008 with Service Pack 1 or Service Pack 2 installed. The RAM
dump was created on 2011-11-30 15:23:46 UTC+0100. The computer's name is
\texttt{WIN-F0U9JFUWQ3S} and the currently logged-in user is \texttt{Vista}.
In addition to Vista, there are five other users: Administrator, Guest, Bob,
Alice and Eve. This information is extracted via Volatility's \texttt{hashdump}
command, which also provides the hashed password of each user. These hashes have
been cracked using the online service
CrackStation\footnote{\url{https://crackstation.net/}}.
\subsubsection{Other Information}
Volatility's plugin \texttt{cmdline} provides information about the commands
that have been executed over the command line by various processes.
\section{Analysis}
\subsection{Image 1}
The information gathered with Volatility strongly suggests that the computer has
been infected with malware. The malware seems to have been installed after
opening the \texttt{navy procurement.pdf} file and is most likely running as an
additional \texttt{svchost.exe} process. This process could be responsible for
the connection made to the IP address \texttt{99.1.23.71}. A WHOIS lookup
attributes the address to \texttt{SUN COUNTRY MEDICAL EQUIPMENT}, based in
Texas, US.
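The parent-process heuristic behind this conclusion, as an added Python example that is not part of the original report: every legitimate \texttt{svchost.exe} is started by \texttt{services.exe}, so the script flags any \texttt{svchost.exe} with a different parent and joins the connections listing on PID to show which process owns the connection to \texttt{99.1.23.71}. The two samples are constructed (including the local address and all PIDs) in the column layout of the Volatility 2 \texttt{pslist} and \texttt{connections} plugins; real output may differ in spacing.

```python
# Added example (not from the report): correlate Volatility pslist output with
# the connections listing. Legitimate svchost.exe is always started by
# services.exe, so an svchost.exe with another parent deserves a closer look;
# joining on PID shows which process owns each connection. Both samples are
# constructed in the layout of the Volatility 2 `pslist`/`connections` plugins.
PSLIST = """\
Offset(V)  Name              PID   PPID   Thds   Hnds   Sess  Wow64 Start
---------- ---------------- ----- ------ ------ ------ ------ ----- -------------------
0x823c89c8 System               4      0     55    256 ------     0
0x821f1020 services.exe       660    604     16    264      0     0 2011-11-30 12:03:55
0x82203a80 svchost.exe        840    660     20    198      0     0 2011-11-30 12:03:56
0x82071020 explorer.exe      1548   1500     14    345      0     0 2011-11-30 12:04:01
0x81f9c020 svchost.exe       1760   1548      5     98      0     0 2011-11-30 12:13:40
"""
CONNECTIONS = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8203d0e8 192.168.1.5:1037          99.1.23.71:80             1760
"""

def parse_pslist(text):
    """Return {pid: (name, ppid)}; header and separator rows lack a 0x offset."""
    procs = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0].startswith("0x"):
            procs[int(cols[2])] = (cols[1], int(cols[3]))
    return procs

def suspicious_svchost(procs):
    """PIDs of svchost.exe whose parent is not a services.exe in the list."""
    flagged = []
    for pid, (name, ppid) in procs.items():
        parent = procs.get(ppid, ("<not in list>", None))[0]
        if name.lower() == "svchost.exe" and parent.lower() != "services.exe":
            flagged.append(pid)
    return sorted(flagged)

def connection_owners(conn_text, procs):
    """Return [(remote_addr, pid, owning process name)] per connection row."""
    owners = []
    for line in conn_text.splitlines():
        cols = line.split()
        if len(cols) == 4 and cols[0].startswith("0x"):
            pid = int(cols[3])
            owners.append((cols[2], pid, procs.get(pid, ("<exited>", None))[0]))
    return owners

if __name__ == "__main__":
    procs = parse_pslist(PSLIST)
    print("svchost.exe with unexpected parent:", suspicious_svchost(procs))
    print("connection owners:", connection_owners(CONNECTIONS, procs))
```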
\subsection{Image 2}
The password hashes of the six users have been cracked to reveal the plaintext.
The resulting passwords can be seen in Listing~\ref{lst:passwords}. The
Administrator password and the password for the user Guest are empty, which
poses a substantial security risk.
Looking closely at the output of the \texttt{cmdline} plugin reveals a call to
\texttt{telnet.exe towel.blinkenlights.nl} (second to last line in the output).
While this service is no longer reachable over its IPv4 address, it is over its
IPv6 address \texttt{2001:7b8:666:ffff::1:42}, which can be found with the
\texttt{nslookup} command available on Linux distributions. Connecting should
show an ASCII version of Star Wars playing in the terminal.
\section{Appendix}
\lstinputlisting[caption=Image 1 Info]{imageinfo-image1.txt}
\lstinputlisting[caption=Image 1 Process List]{processes-image1.txt}
\lstinputlisting[caption=Image 1 Connections]{connections-image1.txt}
\lstinputlisting[caption=Image 1 IEHistory]{iehistory-image1.txt}
\lstinputlisting[caption=Image 1 MalFind]{malfind-image1.txt}
\lstinputlisting[caption=Image 2 Info]{imageinfo-image2.txt}
\lstinputlisting[caption=Image 2 Hashdump]{hashdump-image2.txt}
\lstinputlisting[caption=Image 2 Command Line]{cmdline-image2.txt}
\lstinputlisting[caption=Image 2 Cracked Passwords,label={lst:passwords}]{ntlm-cracked.txt}
\end{document}