
Digital Forensic

Assignment 3 (memory analysis)

Name: Atif Ali


Roll-No: MSCS-LT-507880

Ans: Yes, done; after that the memory was dumped with “dumpit.exe”.
Ans: The commands executed on the memory dump are the following, and the results have
been saved in .txt files (present in the folder).
- kdbgscan: as opposed to imageinfo, which simply provides profile suggestions, kdbgscan is designed to positively identify the correct profile and the correct KDBG address (if there happen to be multiple). So the result was the profile info.
- pslist: listed the processes.
- psscan: scans processes to detect any DKOM (Direct Kernel Object Manipulation, a common rootkit technique on Microsoft Windows for hiding potentially damaging third-party processes, drivers, files and intermediate connections from the Task Manager and event scheduler). Since there were no DKOM processes, no result was found with this command.
- pstree: listed processes in tree form. Child processes were indicated using indentation and periods.
- getsids: showed the SIDs (Security Identifiers)/users associated with each process.
- malfind: detected malicious (DLLs in the) processes.
- malfind (-D): used to dump the malicious code/process.
- vadinfo: (Virtual Address Descriptors) displayed extended information about a process's VAD nodes (e.g. the VAD tag, the VAD flags, control flags, the name of the memory-mapped file (if one exists), etc.).
- ldrmodules: listed DLLs for processes.
- dlldump: extracted DLLs from a process's memory space and dumped them to disk (for analysis).
- handles: displayed the open handles in a process.
- scanfiles: listed all files.
- dumpfiles: dumped my project file.

Ans: I could not find stuxnet malware image.

Ans:

| PID  | Image name & hash                                                                     | PPID | Psexplorer/Psmonitor (Sysinternals) | Malicious/benign comments |
|------|---------------------------------------------------------------------------------------|------|-------------------------------------|---------------------------|
| 2600 | explorer.exe, d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef        |      | 2600                                | benign                    |
| 2192 | FoxitPhantom, 93b2ed4004ed5f7f3edefd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8        | 2600 | 2192                                | benign                    |
| 4    | System                                                                                | 0    | 4                                   | benign                    |
| 272  | smss.exe, d8571652a044c807142ebeb317433d7c8589d7e264de2df90da61aa98fd81b83            | 4    | 272                                 | benign                    |
| 388  | csrss.exe, cb1c6018fc5c15483ac5bb96e5c2e2e115bb0c0e1314837d77201bab37e8c03a           | 376  | 388                                 | benign                    |
| 492  | lsm.exe, d205b2c163e78ab42a5d67d7664ef6b75ea0374ff0924467d624f9db0611f0ad             | 368  | 492                                 | benign                    |
Explorer.exe is already a main process; it does not have a parent process.
I used Process Explorer to verify the process PIDs, and this tool also gives the option to
check a process's benign/malicious behaviour (based on its signature) on VirusTotal.
Ans: I successfully dumped my project file. Its size was a little bit larger than the original file,
and consequently the hash was not the same.
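The following is an added example, not part of the assignment, illustrating the last answer: a file extracted from a memory image is typically written in whole 4 KiB pages, so it carries trailing zero padding beyond the original length and its hash differs even though the content is intact. The example assumes that padding model and shows how to compare the dump against the original before and after trimming back to the original length.

```python
"""Compare a file dumped from memory with its on-disk original.

Constructed example: assumes the dump is the original content followed by
zero fill up to a 4 KiB page boundary, which is the usual reason a memory-
extracted file is larger than the original and hashes differently.
"""
import hashlib

PAGE_SIZE = 4096  # assumption: the extractor writes whole 4 KiB pages


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def padded_to_page(data: bytes, page_size: int = PAGE_SIZE) -> bytes:
    """Simulate a page-granular dump: original bytes plus zero fill (constructed)."""
    remainder = len(data) % page_size
    if remainder == 0:
        return data
    return data + b"\x00" * (page_size - remainder)


def compare_dump(original: bytes, dump: bytes, page_size: int = PAGE_SIZE) -> dict:
    """Hash both files and decide whether the dump is the original plus padding.

    content_match is True only when the dump starts with the original bytes and
    the surplus is all zeros and shorter than one page; a short dump (pages not
    resident in memory) or any changed byte yields False.
    """
    result = {
        "original_len": len(original),
        "dump_len": len(dump),
        "original_sha256": sha256(original),
        "dump_sha256": sha256(dump),
        "trimmed_sha256": None,
        "content_match": False,
    }
    if len(dump) < len(original):
        return result
    head, extra = dump[: len(original)], dump[len(original):]
    result["trimmed_sha256"] = sha256(head)
    result["content_match"] = (
        head == original and extra == b"\x00" * len(extra) and len(extra) < page_size
    )
    return result


if __name__ == "__main__":
    original = b"project report v1\n" * 300  # constructed: 5400 bytes
    dump = padded_to_page(original)         # constructed: 8192-byte dump
    for key, value in compare_dump(original, dump).items():
        print(f"{key}: {value}")
```

In practice the original length comes from the on-disk copy (or the file size recorded in the FILE_OBJECT); without it, a differing hash alone cannot tell padding from modification.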
