CNIT 121 Project 4: Analyzing a RAM Image with Volatility (15 Points)

What You Need for This Project

Start Your Kali Linux Machine

Launch your Kali Linux machine. If necessary, log in as root with the password toor

Finding the RAM Image to Examine

In your Kali Linux machine, open a Terminal window and execute these commands:
cd

cd Desktop

ls -l

Note that the last command is "LS -L" in lowercase.

You should see the memdump.mem file, which should be approximately 500 MB in size, as shown below. If you do not, you may need to repeat a previous project to create the memory image again.

Troubleshooting

If you can't get this to work, which is happening to a lot of students, try using my memory dump from here:

memdump.7z

Extract and check the file with these commands in Linux:


7z e memdump.7z

md5sum memdump.mem
The correct hash is

b50ae13dc659ec9c8af66b539e5768d8

If you use it, explain that in the text part of the email you send in so my grader knows your name won't be in the artifacts you find.

Starting Volatility

In your Kali Linux machine, in a Terminal window, execute these commands:
cd /usr/share/volatility

python vol.py -h

You see a long help message, as shown below:

The volatility help is long and confusing.

Fortunately, SANS has made a handy one-page cheat sheet which is much friendlier. The part that is important to us is shown below:

Basic Volatilty Usage

Image Information

In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py imageinfo -f /root/Desktop/memdump.mem
This shows basic information about the image, such as the operating system of the machine that was imaged, and when the image was made, as shown below:

Volatility needs to know what operating system was imaged in order to interpret the memory image correctly. The default profile is WinXPSP2x86, but we used Win2008SP1x86, so we'll have to include that information in all future volatility command-lines.

Running Processes

In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py pslist --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem
This shows the processes that were running on the machine when the RAM image was made, as shown below:

Notice these columns:

Console Commands

In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py consoles --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem
This shows the console commands that were recently executed on the Windows machine.

You should see the command you executed to create the user account with your own name, as shown below:

Saving a Screen Image

Make sure YOUR-NAME and the Linux command prompt root@kali are visible.

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

On the host machine, not the virtual machine, click Start.

Type mspaint into the Search box and press the Enter key.

Click in the untitled - Paint window, and press Ctrl+V on the keyboard. The desktop appears in the Paint window.

Save the document with the filename "YOUR NAME Proj 4a", replacing "YOUR NAME" with your real name.

Services

In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py svcscan --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem | more
This shows the first page of a long list of services, as shown below:

Registry Hives

In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py hivelist --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem
This shows the location in RAM of the Registry hives, as shown below:

Examine your output and find the two addresses outlined in green above: the virtual addresses of the SAM and SYSTEM hives. Those two hives together contain enough information to extract Windows password hashes.

Password Hashes

In your Kali Linux machine, in a Terminal window, execute the command below.

You will have to replace the two hexadecimal addresses with the correct virtual addresses of your hives, in this format:

-y SYSTEM -s SAM

python vol.py hashdump --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem -y 0x86226008 -s 0x89c33450
When you get the command correct, you will see the login account names and hashed passwords, including one showing your name, as shown below:

Saving a Screen Image

Make sure your name is visible.

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

On the host machine, not the virtual machine, click Start.

Type mspaint into the Search box and press the Enter key.

Click in the untitled - Paint window, and press Ctrl+V on the keyboard. The desktop appears in the Paint window.

Save the document with the filename "YOUR NAME Proj 4b", replacing "YOUR NAME" with your real name.

Cracking the Password Hash

Windows stores two hashes with each password, delimited by colons. The first one is an extremely insecure, obsolete hash using the LANMAN algorithm. Windows operating systems since Vista no longer use LANMAN hashes, so they are filled with a dummy value starting with "aad".

The second hash is the newer NTLM hash, which is much better than LANMAN hashes, but still extremely insecure and much more easily cracked than Linux or Mac OS X hashes.

To crack your password, highlight the hash value, as shown below, right-click it, and click Copy.

On your host Windows 7 machine, open a Web browser and go to

https://crackstation.net/

Paste in the hash. On the right side, fill in the CAPTCHA and click the "Crack Hashes" button.

The hash should crack, revealing the password of "SuperSecret!", as shown below.

Turning in Your Project

Email the images to me as an attachments to an e-mail message. Send it to: cnit.121@gmail.com with a subject line of "Proj 4 From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.

Sources

Volatility Memory Forensics | Basic Usage for Malware Analysis

Memory Forensics and Analysis Using Volatility

SANS Memory Forensics Cheat Sheet

Basic Volatility Usage - An advanced memory forensics framework - Google Project Hosting


Last Modified: 9:18 pm 2-19-2014