\documentclass[a4paper,12pt]{article}
\usepackage{geometry}
\usepackage[english]{babel}
\usepackage{microtype}
\usepackage{hyperref}
\usepackage{listings}
\usepackage{graphicx}
\lstdefinestyle{mystyle}{
basicstyle=\ttfamily\footnotesize,
breakatwhitespace=false,
breaklines=true,
captionpos=b,
keepspaces=true,
showspaces=false,
showstringspaces=false,
showtabs=false,
tabsize=2
}
\lstset{style=mystyle}
\setlength{\parindent}{0pt}
\title{RAM Report}
\author{Tobias Eidelpes 01527193}
\date{\today}
\begin{document}
\maketitle
\section{Introduction}
This report documents the findings and the analysis of those findings while
performing extensive forensic analysis on a RAM dump. The RAM dump was obtained
after a computer showed suspicious activity and was subsequently shut down. The
dump is provided via a zip file which is extracted to be able to perform
forensic analysis.
A second RAM dump is analyzed to find information about a PC running in the
server room which has no apparent owner or user. This dump is also provided as a
zip file and is password protected with the password \texttt{infected}.
\section{Findings}
All information was obtained with the open source \texttt{Volatility 3
Framework} at version \texttt{1.0.1}, except for the screenshot of the first
RAM dump, which requires the \texttt{screenshot} plugin of the \texttt{Volatility
Framework 2.6}.
\subsection{Image 1}
\subsubsection{Basic Information}
This image was taken from a machine running Windows XP Service Pack 2. It was
created on 2011-11-30 12:14:10. The machine has an Intel x86 processor and is
named \texttt{SECURITY-91B8EC}. The user logged in at the time of the dump was
\texttt{Administrator}. This information is provided by the Volatility
plugins \texttt{windows.info.Info} (operating system, architecture, image
creation time) and \texttt{windows.envars.Envars} (computer name and user name
from the process environment variables).
\subsubsection{Processes and Network Connections}
The process list is obtained with the \texttt{windows.pslist.PsList} plugin. It
contains the common Windows system processes as well as \texttt{AcroRd32.exe}
and \texttt{VMWareUser.exe}. There are also multiple \texttt{svchost.exe}
processes running. The network connections listing (reproduced in the appendix)
records a connection to the IP address \texttt{99.1.23.71}.
\subsubsection{Other Information}
Further information is provided by the \texttt{iehistory}, \texttt{screenshot}
and \texttt{malfind} plugins. \texttt{iehistory} shows that the user
\texttt{Administrator} accessed a file on the local filesystem called
\texttt{navy procurement.pdf}. The \texttt{screenshot} plugin reconstructs the
user's desktop as it was just before the dump was created. The resulting image
shows that \texttt{navy procurement.pdf} was open in Adobe Acrobat Reader,
together with the Data Execution Prevention dialog stating that Windows has
closed this program to help protect the computer.
\begin{figure}[htbp]
\centering
\includegraphics[width=\textwidth]{./screenshot.png}
\caption{\texttt{navy procurement.pdf} open in Adobe Acrobat Reader}
\end{figure}
\subsection{Image 2}
\section{Analysis}
\subsection{Image 1}
The information gathered with Volatility strongly suggests that the computer
had been infected with malware. The malware appears to have been installed
after the \texttt{navy procurement.pdf} file was opened in Adobe Acrobat Reader
and is most likely running as one of the additional \texttt{svchost.exe}
processes. This process could be responsible for the connection to the IP
address \texttt{99.1.23.71}. A WHOIS lookup returns the organisation that holds
the address: \texttt{SUN COUNTRY MEDICAL EQUIPMENT}, based in Texas, US.
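The two checks applied by hand above, that an extra \texttt{svchost.exe} should
be started by \texttt{services.exe} and that a network connection should be
attributed to a named process via its PID, can be automated over the plugin
output. The following Python script is an added example and is not part of the
original report or of Volatility. The process listing and the connection records
it contains are constructed for illustration and are not the contents of the
analysed dump; the tab-separated column layout (\texttt{PID}, \texttt{PPID},
\texttt{ImageFileName}, \ldots) is assumed to match what
\texttt{windows.pslist.PsList} prints in Volatility 3 1.0.1.

```python
"""
Added example (not from the original report): post-process Volatility 3
windows.pslist.PsList output and apply two analyst checks.

  1. svchost.exe is only ever started by services.exe on Windows XP; any
     svchost.exe with a different (or missing) parent is flagged.
  2. Network connections are joined to the process list by PID so that a
     remote address can be attributed to a process name.

SAMPLE_PSLIST and SAMPLE_CONNECTIONS are CONSTRUCTED data, not the real dump.
The tab-separated layout is an assumption about Volatility 3 1.0.1 output.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str


# Constructed sample listing; the first lines mimic the Volatility 3 banner.
SAMPLE_PSLIST = "\n".join([
    "Volatility 3 Framework 1.0.1",
    "",
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output",
    "4\t0\tSystem\t0x823c8830\t55\t244\tN/A\tFalse\tN/A\tN/A\tDisabled",
    "544\t4\tsmss.exe\t0x822f1020\t3\t19\tN/A\tFalse\t2011-11-30 12:02:09\tN/A\tDisabled",
    "608\t544\tcsrss.exe\t0x8229e020\t12\t352\t0\tFalse\t2011-11-30 12:02:10\tN/A\tDisabled",
    "632\t544\twinlogon.exe\t0x822a0020\t19\t514\t0\tFalse\t2011-11-30 12:02:10\tN/A\tDisabled",
    "676\t632\tservices.exe\t0x8227d020\t16\t260\t0\tFalse\t2011-11-30 12:02:11\tN/A\tDisabled",
    "688\t632\tlsass.exe\t0x82279020\t21\t342\t0\tFalse\t2011-11-30 12:02:11\tN/A\tDisabled",
    "848\t676\tsvchost.exe\t0x82251020\t20\t200\t0\tFalse\t2011-11-30 12:02:12\tN/A\tDisabled",
    "936\t676\tsvchost.exe\t0x82240020\t64\t1118\t0\tFalse\t2011-11-30 12:02:12\tN/A\tDisabled",
    "1336\t1312\texplorer.exe\t0x821f8020\t12\t330\t0\tFalse\t2011-11-30 12:02:30\tN/A\tDisabled",
    "1640\t1336\tAcroRd32.exe\t0x821c1020\t8\t190\t0\tFalse\t2011-11-30 12:11:40\tN/A\tDisabled",
    "1804\t1640\tsvchost.exe\t0x821a9020\t2\t40\t0\tFalse\t2011-11-30 12:11:52\tN/A\tDisabled",
])

# Constructed connection records: (pid, local endpoint, remote endpoint).
SAMPLE_CONNECTIONS: List[Tuple[int, str, str]] = [
    (1804, "192.168.56.101:1046", "99.1.23.71:80"),
    (936, "192.168.56.101:1032", "192.168.56.2:53"),
    (2200, "192.168.56.101:1050", "10.0.0.5:443"),  # PID absent from listing
]


def parse_pslist(text: str) -> Dict[int, Proc]:
    """Parse the pslist table into {pid: Proc}, skipping banner/blank lines."""
    procs: Dict[int, Proc] = {}
    header: Optional[List[str]] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if header is None:
            # The header row is the first tab-separated line starting with PID.
            if cols[:3] == ["PID", "PPID", "ImageFileName"]:
                header = cols
            continue
        row = dict(zip(header, cols))
        pid = int(row["PID"])
        procs[pid] = Proc(pid, int(row["PPID"]), row["ImageFileName"])
    return procs


def suspicious_svchost(procs: Dict[int, Proc]) -> List[Proc]:
    """svchost.exe instances whose parent is not services.exe in the listing."""
    flagged = []
    for p in procs.values():
        if p.name.lower() != "svchost.exe":
            continue
        parent = procs.get(p.ppid)
        if parent is None or parent.name.lower() != "services.exe":
            flagged.append(p)
    return flagged


def attribute_connections(procs: Dict[int, Proc],
                          conns: List[Tuple[int, str, str]]
                          ) -> List[Tuple[str, int, str, str]]:
    """Join each connection to its owning process name by PID."""
    return [(procs[pid].name if pid in procs else "<unknown>", pid, local, remote)
            for pid, local, remote in conns]


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for p in suspicious_svchost(procs):
        parent = procs.get(p.ppid)
        print(f"suspicious svchost.exe PID {p.pid}, parent PID {p.ppid} "
              f"({parent.name if parent else 'not in listing'})")
    for name, pid, local, remote in attribute_connections(procs, SAMPLE_CONNECTIONS):
        print(f"{name:<14} {pid:>5} {local:<22} -> {remote}")
```

On the constructed sample the script flags PID 1804 (its parent is
\texttt{AcroRd32.exe}, matching the infection chain suggested above) and ties
the \texttt{99.1.23.71} connection to that PID; a connection whose PID is absent
from the listing is reported as \texttt{<unknown>} rather than silently dropped,
since a process that exited or was hidden is itself a finding.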
\subsection{Image 2}
\section{Appendix}
\lstinputlisting[caption=Image1 Info]{imageinfo-image1.txt}
\lstinputlisting[caption=Image1 Processes List]{processes-image1.txt}
\lstinputlisting[caption=Image1 Connections]{connections-image1.txt}
\lstinputlisting[caption=Image1 IEHistory]{iehistory-image1.txt}
\lstinputlisting[caption=Image1 MalFind]{malfind-image1.txt}
\end{document}