Project 4: Analyzing a RAM Image with Bulk Extractor (15 pts + 25 pts extra)

What You Need for This Project

Start Your Windows Machine

Launch your Windows machine. If necessary, log in as Administrator with the password P@ssw0rd. If you are given a choice, start it with the full RAM, not the reduced amount.

Find the memdump.mem file on your Windows server's desktop. Right-click it and click Properties. Make a note of its exact size in bytes, as shown in the image below.

Installing Filezilla Server

Serving files from the Windows machine over FTP is far more reliable than VMware Tools, so we'll use that technique.

On your Windows server, in a Web browser, go to this URL, as shown below.

https://filezilla-project.org/download.php?type=server

Click the green "Download Filezilla Server" button.

Run the file. Install the software with the default options.

When the software launches, a box asks you for a password, as shown below. Enter any password, such as P@ssw0rd, and click the Connect button.

Adding a User and Shared Folder

In Filezilla Server, click Edit, Users.

In Users, on the left side, click "Shared folders", as shown below.

In Users, on the right side, in the Users section, click the Add button.

In the "Add user account" box, enter a name of YOURNAME, as shown below.

Click the OK button.

In Users, in the "Shared folders" pane, click the Add button.

In the "Browse for folder" box, click Desktop, as shown below.

Click the OK button.

The Users box should look like the image below.

In the lower center, click the "Set as home dir" button.

On the lower left, click the OK button.

Turning Off Windows Firewall

Click Start and type FIREWALL

In the results, click "Windows Firewall", as shown below.

In the Windows Firewall box, on the left, click "Turn Windows Firewall on or off".

Click both the "Turn off Windows Firewall (not recommended)" buttons, as shown below.

Then click OK.

Finding your Windows Machine's IP Address

On your Windows machine, in a Command Prompt, execute the IPCONFIG command. Find your IP address, as shown below.

Start Your Kali Linux Machine

You may find it helpful to add RAM to your Kali Linux virtual machine to make it faster. I increased mine to 2 GB.

Launch your Kali Linux machine. If necessary, log in as root with the password toor.

Getting the Memory Dump via FTP

On your Kali machine, at the top left, click Applications, Favorites, "Firefox ESR".

In Firefox, enter this address, replacing the IP address with the IP address of your Windows machine:

ftp://192.168.225.132

A box pops up asking for your User Name and Password. Enter a User Name of YOURNAME and leave the password blank, as shown below.

Click OK. Click OK again. A list of files appears, as shown below.

Click memdump.mem. Click the "Save File" button.

Running Bulk Extractor

In your Kali Linux machine, open a Terminal window and execute these commands:
cd
cd Desktop
ls -l mem*
Note that the last command is "LS -L MEM*" in lowercase.

You should see the memdump.mem file as shown below.

Notice that the size exactly matches the size of the original file on the Windows machine.

In your Kali Linux machine, in the Terminal window, execute this command:

bulk_extractor -o bulk -e wordlist memdump.mem
If you see a message saying "xml is inconsistent at line 142," that means the output folder already exists.

To fix it, replace "-o bulk" with "-o bulk2".

This tells Bulk Extractor to gather data from the memdump file, put the results in a folder named "bulk", and compile a wordlist of all readable strings.

Bulk Extractor will take several minutes to run and output progress messages, as shown below:

Viewing the Results

In the Terminal window, execute these commands:
cd bulk
ls -l 
You see the files Bulk Extractor created, finding IP addresses, domains, emails, and many other things, as shown below:

Domain Names

In the Terminal window, execute this command:
nano domain_histogram.txt
You see the domains visited on this computer, and the number of times each was visited, as shown below:

Press Ctrl+W, enter the search term ccsf, and press Enter.

ccsf.edu is found, as shown below:

Press Ctrl+X to close nano.

Credit Card Numbers

In the Terminal window, execute this command:
nano ccn_histogram.txt
You see the credit card numbers found, as shown below:

Word List

In the Terminal window, execute this command:
nano wordlist.txt
You see the words found, and the number of times each word was found. This list is useful as a dictionary when cracking encrypted files or folders.

4: Recording Your Success (15 pts.)

In the Terminal window, execute this command:
cut -f 2 domain_histogram.txt | grep ^samsclass.info$ | md5sum
The result is a long MD5 hash starting with cb4, as shown below.

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
MD5 hash (enter the entire hash value):


4.1: Challenge 1: Another Windows Server 2016 Memory Dump (10 pts extra)

Download, unzip, and analyze this file:

memdump2016.mem.zip

The file is 151,799,629 bytes in size, and its MD5 hash is aa1095f89a2992adeb6b5d2bb519e1ee.

That memory dump contains an email address ending in "@wazuh.com". Find it and use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Email address:
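The hash step above (cut | grep | md5sum over domain_histogram.txt) and the "@wazuh.com" search in this challenge both come down to reading Bulk Extractor's histogram files. The following is an added example, not part of the original project or of Bulk Extractor itself; it assumes the histogram layout "n=COUNT<TAB>VALUE" with an optional third column and "#" comment lines, and uses constructed sample rows rather than real output. It also shows a caveat with the grep pattern ^samsclass.info$: the unescaped dot matches any character, so an exact comparison is safer.

```python
import hashlib
import re

# Constructed sample rows in the layout bulk_extractor uses for *_histogram.txt
# files (assumed: "n=COUNT<TAB>VALUE", optional third column, '#' comments).
# The "samsclassXinfo" row is made up to show what grep ^samsclass.info$ would
# also match, because an unescaped '.' matches any character.
SAMPLE_DOMAIN_HISTOGRAM = """\
# constructed sample, not real bulk_extractor output
n=12\tsamsclass.info
n=7\tccsf.edu
n=3\tsamsclassXinfo\t(utf16=3)
"""

SAMPLE_EMAIL_HISTOGRAM = """\
n=4\tuser@example.com
n=1\talerts@wazuh.com\t(utf16=1)
"""


def parse_histogram(text):
    """Return (count, value) tuples, skipping comments and malformed rows."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        m = re.fullmatch(r"n=(\d+)", fields[0])
        if m is None or len(fields) < 2:
            continue
        rows.append((int(m.group(1)), fields[1]))
    return rows


def find_exact(text, value):
    """Exact string match; equivalent to `grep -x -F value` on column 2."""
    return [(n, v) for n, v in parse_histogram(text) if v == value]


def find_suffix(text, suffix):
    """Rows whose value ends with suffix, e.g. an email domain."""
    return [(n, v) for n, v in parse_histogram(text) if v.endswith(suffix)]


def md5_of_line(value):
    """MD5 of value plus newline, the same bytes `grep ... | md5sum` hashes."""
    return hashlib.md5((value + "\n").encode()).hexdigest()
```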


4.2: Challenge 2: Windows Server 2008 Memory Dump (15 pts extra)

Download, unzip, and analyze this file:

memdump.7z

The file is 130,398,701 bytes in size, and its MD5 hash is 364fed484bcdd1a1f81a3538a4b1cd9a.

To unzip a .7z file in Kali, use "7z x filename".

That memory dump contains a credit card number beginning with 3728. Find it and use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Credit card number:


Integrated with Canvas 8-20-18
FTP added and grep command improved 8-28-18
Note about entire hash added 9-10-18