
Lab: Memory Forensics

In this lab you'll use the Volatility program to analyze a Windows memory dump.

Introduction

Memory forensics is a new and fast-growing field of computer forensics. Analyzing a memory image lets the investigator recover cryptographic keys and other data that never reaches disk, and it can reveal that a machine is infected with malware even when nothing suspicious is stored on disk. In this lab you'll use a powerful memory dump analyzer to determine the state of a Windows machine at the time the memory dump was made.

Download the Dump File

The memory dump is in a ZIP file. You can download the file here: 

Unzip the memory dump before you start working on it. Beware: the memory dump is 3.2 GB unzipped, so be sure you have the space.

Identify and Analyze the Image

You should have downloaded and installed Volatility during the class lecture. Just like you did in class, use the "imageinfo" command in Volatility to identify the source operating system of the image you downloaded. imageinfo scans the whole image, so it will take a while to run (it took about 10 minutes to run on my office machine); afterwards it will print a list of possible Windows profiles. Save that output: every later command needs one of those profiles passed with --profile, and if the first suggestion gives you empty or garbage output, try the next one on the list.

Take a screenshot of the profiles listed by imageinfo. 

Now use Volatility commands to find the following information. Take a screenshot of the output of each command:
  1. What processes were running at the time of the capture?
  2. What windows were showing on the desktop? (Hint: the GUI plugins only work if you have the profile exactly right; a wrong profile gives you nothing.)
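The steps above, wrapped in a small POSIX shell script. This is an added example for this lab, not code from the original page or from the Volatility project: it runs imageinfo once and saves the output, parses the "Suggested Profile(s)" line, tries the suggested profiles in order until the windows plugin actually returns a listing (the hint above is real: a wrong profile gives an empty result), and then runs pslist and pstree with the profile that worked, keeping every output file for your screenshots. It assumes Volatility 2 is on your PATH as `vol.py` and that the path to the unzipped dump is passed in the `MEMDUMP` environment variable; both names are assumptions you may need to change. The imageinfo text embedded in the script is a constructed sample so the parsing can be exercised without the 3.2 GB image.

```shell
#!/bin/sh
# Added example for the CIS 77 memory forensics lab. Not part of the original
# page and not Volatility's own code. Assumes (adjust to your setup):
#   - Volatility 2 is installed on PATH as `vol.py`
#   - the unzipped dump path is passed in the MEMDUMP environment variable

# Print every profile from imageinfo's "Suggested Profile(s)" line, one per
# line, in the order imageinfo listed them. Reads imageinfo output on stdin.
suggested_profiles() {
    sed -n 's/^ *Suggested Profile(s) *: *\(.*\)$/\1/p' \
        | sed 's/ *(Instantiated with.*//' \
        | tr ',' '\n' \
        | tr -d ' ' \
        | sed '/^$/d'
}

# The first (best) suggestion, which is what you normally pass to --profile.
first_profile() {
    suggested_profiles | head -n 1
}

# imageinfo output in the shape Volatility 2.6 prints it. This sample is
# constructed here so the parsing can be tested without a real image.
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64 (Instantiated with Win7SP1x64)
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/memdump.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c47070L'

run_lab() {
    dump="$1"
    [ -f "$dump" ] || { echo "no such dump: $dump" >&2; return 1; }

    # Step 1: identify the image. This is the slow step (a KDBG scan of the
    # whole image), so run it once and keep the output rather than repeating it.
    if [ ! -s imageinfo.txt ]; then
        vol.py -f "$dump" imageinfo | tee imageinfo.txt
    fi

    # Step 2: GUI plugins such as `windows` only work with the right profile.
    # Try the suggestions in order and keep the first one that yields output.
    profile=""
    for candidate in $(suggested_profiles < imageinfo.txt); do
        echo "trying --profile=$candidate" >&2
        if vol.py -f "$dump" --profile="$candidate" windows > windows.txt 2>/dev/null \
           && [ -s windows.txt ]; then
            profile="$candidate"
            break
        fi
    done
    [ -n "$profile" ] || { echo "no suggested profile worked; check 'vol.py --info'" >&2; return 1; }
    echo "using --profile=$profile"

    # Step 3: processes running at capture time. pstree adds parent/child
    # relationships, which is what you want when hunting for an odd process.
    vol.py -f "$dump" --profile="$profile" pslist | tee pslist.txt
    vol.py -f "$dump" --profile="$profile" pstree | tee pstree.txt

    # windows.txt already holds the desktop window listing from step 2.
    echo "outputs: imageinfo.txt pslist.txt pstree.txt windows.txt"
}

# Only touch the image when a path is supplied, e.g.:
#   MEMDUMP=./memdump.raw sh memlab.sh
if [ -n "${MEMDUMP:-}" ]; then
    run_lab "$MEMDUMP"
fi
```

Run it from an empty working directory so the four output files are easy to find and screenshot. If every suggested profile fails, the image may need a profile that imageinfo did not list; `vol.py --info` prints all profiles Volatility knows about.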
If you don't know what command to run in Volatility, you can see a list of commands by running Volatility with the --info option or by reading the manual here:


and here:


Turn In
  1. A screenshot of the output of imageinfo. 
  2. A screenshot showing the process list. 
  3. A screenshot showing the active windows.
Submit your homework on Canvas.

Grading

  • 10 points for a screenshot of the output of imageinfo
  • 5 points for a screenshot showing the processes 
  • 5 points for a screenshot showing the active windows