Project 4: Analyzing a RAM Image with Bulk Extractor (40 Points)

What You Need for This Project

Start Your Windows Machine

Launch your Windows machine. If necessary, log in as Administrator with the password P@ssw0rd. If you are given a choice, start it with the full RAM, not the reduced amount.

Find the memdump.mem file on your Windows server's desktop. Right-click it and click Properties. Make a note of its exact size in bytes, as shown in the image below.

Drag it out of the virtual machine and drop it on the host machine's desktop.

When the copy finishes, check the size of the file on your host system. It should match, as shown below. (This image is from a Mac host.)

Close the Windows virtual machine.

Start Your Kali Linux Machine

You may find it helpful to add RAM to your Kali Linux virtual machine to make it faster. I increased mine to 2 GB.

Launch your Kali Linux machine. If necessary, log in as root with the password toor.

Drag the memdump.mem file from your Windows 7 host machine's desktop and drop it on your Kali Linux desktop.

Note: the VMware Tools copy process is buggy and sometimes fails to copy the entire file.

You may see an error message and have to click "Retry".

When the copy finishes, on your Kali desktop, right-click the memdump.mem file and click Properties, as shown below.

The size should match the size of the original file, as shown below.

Running Bulk Extractor

In your Kali Linux machine, open a Terminal window and execute these commands:
cd
cd Desktop
ls -l
Note that the last command is "LS -L" in lowercase.

You should see the memdump.mem file as shown below.

In your Kali Linux machine, in the Terminal window, execute this command:

bulk_extractor -o bulk -e wordlist memdump.mem
If you see a message saying "xml is inconsistent at line 142," that means the output folder already exists.

To fix it, replace "-o bulk" with "-o bulk2".

This tells Bulk Extractor to gather data from the memdump file, put the results in a folder named "bulk", and compile a wordlist of all readable strings.

Bulk Extractor will take several minutes to run and output progress messages, as shown below:

Viewing the Results

In the Terminal window, execute these commands:
cd bulk

ls -l

You see the files Bulk Extractor created, finding IP addresses, domains, emails, and many other things, as shown below:

Domain Names

In the Terminal window, execute this command:
nano domain_histogram.txt
You see the domains visited on this computer, and the number of times each was visited, as shown below:

Press Ctrl+W, enter the search term ccsf, and press Enter.

ccsf.edu is found, as shown below:

Press Ctrl+X to close nano.

Credit Card Numbers

In the Terminal window, execute this command:
nano ccn_histogram.txt
You see the credit card numbers found, as shown below:

Word List

In the Terminal window, execute this command:
nano wordlist.txt
You see the words found, and the number of times each word was found. This list is useful as a dictionary when cracking encrypted files or folders.

Recording Your Success (15 pts.)

In the Terminal window, execute this command:
grep samsclass domain_histogram.txt | head -n 1 | cut -f 2 | md5sum
The result is a long MD5 hash starting with cb4, as shown below.
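As an added example (not part of the lab), here is a Python script that reads the histogram files Bulk Extractor writes and reproduces the grep/cut/md5sum pipeline above, plus two triage steps a practitioner would normally add: listing email addresses by domain suffix and Luhn-checking the candidates in ccn_histogram.txt, since the ccn scanner flags many digit runs that are not card numbers. The histogram contents below are constructed; only the layout (n=count, tab, value, optional utf16 field) is bulk_extractor's.

```python
import hashlib
import re

# Constructed sample data in the layout bulk_extractor uses for *_histogram.txt:
# '#' comments, then "n=<count>\t<value>" plus an optional "\t(utf16=<n>)" field.
DOMAIN_HISTOGRAM = """# BANNER FILE NOT PROVIDED (-b option)
n=42\tccsf.edu
n=7\tsamsclass.example\t(utf16=2)
n=1\tmail.samsclass.example
"""
EMAIL_HISTOGRAM = "n=3\tadmin@example.org\nn=1\tops@wazuh.example\t(utf16=1)\n"
CCN_HISTOGRAM = "n=2\t4111 1111 1111 1111\nn=1\t4111111111111112\nn=1\t378282246310005\n"

def parse_histogram(text):
    """Yield (count, value) pairs; skip comments and the utf16 annotation."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        yield int(fields[0][2:]), fields[1]  # fields[0] looks like "n=42"

def md5_of_line(value):
    """MD5 of value plus newline: exactly what `cut -f 2 | md5sum` hashes."""
    return hashlib.md5((value + "\n").encode()).hexdigest()

def first_match_md5(histogram, needle):
    """Same result as: grep needle histogram | head -n 1 | cut -f 2 | md5sum."""
    for _, value in parse_histogram(histogram):
        if needle in value:  # search the value field for the lab's grep term
            return value, md5_of_line(value)
    return None, None

def emails_with_suffix(histogram, suffix):
    """Addresses ending in a given domain, e.g. one organisation's mail domain."""
    return [v for _, v in parse_histogram(histogram) if v.lower().endswith(suffix)]

def luhn_ok(candidate):
    """Luhn check: most digit runs the ccn scanner flags are not real card numbers."""
    digits = [int(c) for c in re.sub(r"\D", "", candidate)]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plausible_ccns(histogram):
    """Histogram values that pass Luhn, i.e. the ones worth a human's attention first."""
    return [v for _, v in parse_histogram(histogram) if luhn_ok(v)]
```

Point the functions at the real files in the bulk folder (open and read them) to compare against the Terminal pipeline; the hash matches only if the value and the trailing newline are identical.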

Use the form below to put your name on the WINNERS PAGE.

Your Name:
MD5 hash (redacted in the image above):

Challenge 1: Another Windows Server 2016 Memory Dump (10 pts.)

Download, unzip, and analyze this file:

memdump2016.mem.zip

The file is 151,799,629 bytes in size, and its MD5 hash is aa1095f89a2992adeb6b5d2bb519e1ee.

That memory dump contains an email address ending in "@wazuh.com". Find it and use the form below to put your name on the WINNERS PAGE.

Your Name:
Email address:

Challenge 2: Windows Server 2008 Memory Dump (15 pts.)

Download, unzip, and analyze this file:

memdump.7z

The file is 130,398,701 bytes in size, and its MD5 hash is 364fed484bcdd1a1f81a3538a4b1cd9a.

To unzip a .7z file in Kali, use "7z x filename".

That memory dump contains a credit card number beginning with 3728. Find it and use the form below to put your name on the WINNERS PAGE.

Your Name:
Credit card number:


Last Modified: 5-18-18