CNIT 121 Project 2: Capturing a RAM Image (15 Points)

What You Need for This Project

Start Your Machine

Launch your Windows machine. If necessary, log in as Administrator with the password P@ssw0rd

Reducing the Available RAM

This step is not strictly necessary, but it will make the later steps faster if you make the RAM image smaller.

Click Start, "Command Prompt". In the Command Prompt window, execute this command:

bcdedit /copy {current} /d "Low-Memory"
This makes a new boot entry labelled "Low-Memory".

The GUID of the new menu entry appears; it's a long series of random numbers in curly braces, as shown below.

Right-click on the GUID and click Mark.

Carefully drag the cursor to highlight the GUID, as shown below. Then press the Enter key to copy it to the clipboard.

In the Command Prompt window, execute this command, pasting in your correct GUID, which will be different from mine:

bcdedit /set {86e99eaf-7802-11e3-a063-000c29c87fa0} truncatememory 0x20000000
You should see a message saying "The operation completed successfully."

In the Command Prompt window, execute this command:

bcdedit
You should see a third "Windows Boot Loader" item with the "truncatememory" parameter set, as shown below:

Restart the computer. A boot menu offers you two choices. Press the down-arrow key on the keyboard to select "Low-Memory", as shown below. Then press the Enter key to boot.

Log in as Administrator with the password P@ssw0rd

Creating Evidence

Do these tasks to create evidence in RAM:

  1. Open Internet Explorer and go to http://www.accessdata.com/support/product-downloads

    With this page open, click "FTK IMAGER" and download "FTK Imager Lite version 3.1.1" as shown below. You will have to fill in a form with your name and contact information, and approve the download. Save the "Imager_Lite_3.1.1.zip" file in your Downloads folder.

  2. In Internet Explorer, visit these websites:

  3. With Google open, search for "fake credit card numbers". Open one of the pages it finds. It should show several credit card numbers, as shown below.

    Copy the numbers from the Web page into a Notepad file, as shown below. Leave the Notepad file open.

  4. Open a second Notepad window and type in your own email address. Don't close Notepad or save the file.

  5. Open a Command Prompt window and execute the commands below. In the second command, replace the string "YOUR-NAME" with your own name, without any spaces.
    net user waldo Apple123 /add

    net user YOUR-NAME SuperSecret! /add

    These commands create two new user accounts with the passwords "Apple123" and "SuperSecret!".

Acquiring a RAM Image with FTK Imager

Click Start, Administrator. Open your Downloads folder.

Right-click the "Imager_Lite_3.1.1.zip" file and click "Extract All...". In the "Extract Compressed (Zipped) Folders" box, click Extract.

In the "Imager_Lite_3.1.1" window, double-click FTK_Imager.exe.

In the "Open File - Security Warning" box, click Run.

An "AccessData FTK Imager 3.1.1.8" window opens. From the menu bar, click File, "Capture Memory...", as shown below:

In the "Memory Capture" box, click the Browse button. Click Desktop and click OK.

In the "Memory Capture" box, click the "Capture Memory" button.

You should see a box saying "Memory capture finished successfully", as shown below:
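The reason for planting the accounts, e-mail address and card numbers in RAM before the capture is that they can be found again in the image, which also lets you check that the capture actually worked. The script below is an added example written for this handout, not part of the project or of FTK Imager: it hashes an image file for your notes (so you can show the file was not altered after capture) and pulls printable strings out of it in both ASCII and UTF-16LE, because Windows keeps much of what you type (Notepad text, user names) as UTF-16LE, where a plain ASCII search misses it. The "memory image" it runs on is a few constructed bytes with the planted strings embedded, so it works offline; point hash_file and extract_strings at your real capture file (the path is a placeholder) to see the same artifacts from the lab.

```python
import hashlib
import os
import re
import tempfile

# Constructed stand-in for a RAM capture (not a real memory image): filler
# bytes with the lab's planted artifacts embedded, some as ASCII and some as
# UTF-16LE, the way Windows stores text typed into Notepad.
def build_sample_image() -> bytes:
    filler = b"\x00\xff" * 512
    return b"".join([
        filler,
        b"net user waldo Apple123 /add",                   # command-line text, ASCII
        filler,
        "student@example.com".encode("utf-16-le"),        # Notepad text, UTF-16LE
        filler,
        b"4111 1111 1111 1111",                            # constructed sample number, ASCII
        filler,
    ])

def sha256_of(data: bytes) -> str:
    """Hash an in-memory image; record this value next to the capture."""
    return hashlib.sha256(data).hexdigest()

def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a capture file in chunks so multi-gigabyte images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def extract_strings(data: bytes, min_len: int = 6):
    """Return sorted (offset, encoding, text) tuples for ASCII and UTF-16LE runs.

    The UTF-16LE pattern looks for printable ASCII bytes each followed by 0x00,
    which is how Latin text appears in a Windows process's memory.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)

def find_artifacts(data: bytes, needles):
    """For each expected artifact, list every (offset, encoding) where it occurs.

    Searching both encodings matters: the e-mail typed into Notepad is only
    present as UTF-16LE, so an ASCII-only search would report it missing.
    """
    hits = {}
    for needle in needles:
        locs = []
        for codec, label in (("ascii", "ascii"), ("utf-16-le", "utf-16le")):
            pattern = needle.encode(codec)
            start = 0
            while (i := data.find(pattern, start)) != -1:
                locs.append((i, label))
                start = i + 1
        hits[needle] = sorted(locs)
    return hits

if __name__ == "__main__":
    image = build_sample_image()
    # Write the sample to a temp file to show the same steps you would run
    # against the real capture (replace the path with your own image file).
    with tempfile.NamedTemporaryFile(delete=False, suffix=".mem") as tmp:
        tmp.write(image)
        image_path = tmp.name  # placeholder for e.g. C:\Users\Administrator\Desktop\<capture>.mem
    print("SHA-256:", hash_file(image_path))
    for offset, enc, text in extract_strings(image):
        print(f"0x{offset:08x} {enc:8s} {text}")
    planted = ["waldo", "student@example.com", "4111 1111 1111 1111", "SuperSecret!"]
    for needle, locs in find_artifacts(image, planted).items():
        status = ", ".join(f"0x{o:x} ({e})" for o, e in locs) or "not found"
        print(f"{needle!r}: {status}")
    os.remove(image_path)
```

Note that "SuperSecret!" is reported as not found in the constructed sample: a password passed on the command line is not guaranteed to survive in memory in the clear, so the absence of one planted string is not by itself a sign that the capture failed; the user name and the Notepad text are the more reliable markers.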

Saving a Screen Image

Make sure the "Memory capture finished successfully" message is visible.

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

On the host machine, not the virtual machine, click Start.

Type mspaint into the Search box and press the Enter key.

Click in the untitled - Paint window, and press Ctrl+V on the keyboard. The desktop appears in the Paint window.

Save the document with the filename "YOUR NAME Proj 2", replacing "YOUR NAME" with your real name.

Email the image to me as an attachment to an e-mail message. Send it to: cnit.121@gmail.com with a subject line of "Proj 2 From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.

Sources

Boot Parameters to Manipulate Memory
Windows 7: BCDEDIT - How to Use


Last Modified: 6:52 pm 1-7-2014