
EXPERIMENT-2

DIGITAL FORENSICS
AIM- Capture the memory of any OS system and analyse the resulting .mem file on Kali using the Volatility tool
DATE: 06-02-2021
_______________________________________________
PART 1- To create Windows memory dump using FTK Imager
STEP 1- Open and run FTK Imager Tool.
STEP 2- Go to the File menu and select the Capture Memory option.
STEP 3- Set Destination Path to save the memory dump.

STEP 4- Start Memory Capture and observe the status/progress.

STEP 5- Memory Capture is completed successfully.

___________________________________________________________________________

PART 2- Analyze Stuxnet and Windows RAM Dump with Volatility

To get more information about the memory image (suggested profile, build, KDBG address)
Command: volatility -f abc.vmem imageinfo
[Screenshot: output for stuxnet.vmem]
[Screenshot: output for the Windows memory dump]

To detect malicious processes

To list all processes that were running at the time the memory dump was created.
Command: volatility -f abc.vmem pslist
To view the process listing as a parent/child tree
Command: volatility -f abc.vmem pstree
[Screenshot: output for stuxnet.vmem]
[Screenshot: output for the Windows memory dump]
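Added example (not part of this lab write-up): a Python script that parses the text pslist prints, rebuilds the parent/child relation that pstree draws, and flags the two things worth looking at first in the listing: a process whose parent is missing from the dump and a process name that runs under more than one parent. The pslist rows are constructed for the example, not output from stuxnet.vmem or the Windows dump.

```python
"""Parse Volatility 2 pslist output, rebuild the process tree, flag rows to review."""
import re
from collections import defaultdict

# Constructed sample in the column layout of `volatility -f abc.vmem pslist`.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------------------------
0x823c89c8 System                    4      0     59      403 ------      0
0x820df020 smss.exe                376      4      3       19 ------      0 2021-02-06 10:00:01 UTC+0000
0x81da5650 winlogon.exe            624    376     19      570      0      0 2021-02-06 10:00:03 UTC+0000
0x82073020 services.exe            668    624     21      431      0      0 2021-02-06 10:00:04 UTC+0000
0x81e70020 lsass.exe               680    624     19      342      0      0 2021-02-06 10:00:04 UTC+0000
0x81c47c00 lsass.exe              1928    668      4       65      0      0 2021-02-06 10:05:12 UTC+0000
0x81fe5a20 explorer.exe           1196   1180     16      470      0      0 2021-02-06 10:00:20 UTC+0000
"""
# Offset, name, PID and PPID are all we need; the header and ruler lines do not match.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\b")

def parse_pslist(text):
    """Return {pid: (name, ppid)} from the pslist table body."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m.group(3))] = (m.group(2), int(m.group(4)))
    return procs

def build_tree(procs):
    """Map ppid -> [child pids], the relation pstree renders as indentation."""
    children = defaultdict(list)
    for pid, (_, ppid) in procs.items():
        children[ppid].append(pid)
    return dict(children)

def find_anomalies(procs):
    """Flag parents absent from the listing and names running under several parents.
    Both need human judgement: a missing parent is normal when it simply exited
    (explorer.exe after userinit.exe), and svchost.exe instances share one parent."""
    findings = []
    for pid, (name, ppid) in sorted(procs.items()):
        if ppid != 0 and ppid not in procs:
            findings.append(f"orphan: {name} (pid {pid}) parent {ppid} not in listing")
    parents_by_name = defaultdict(set)
    for pid, (name, ppid) in procs.items():
        parents_by_name[name].add(ppid)
    for name, parents in sorted(parents_by_name.items()):
        if len(parents) > 1:
            findings.append(f"duplicate: {name} runs under different parents {sorted(parents)}")
    return findings
```

Run it on the saved text of `volatility -f abc.vmem pslist > pslist.txt` and compare the flagged rows against the pstree screenshot before pivoting to the connection and DLL checks below.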
To detect malicious connections
To find out whether these malicious processes were making network connections when the memory was dumped.
Command: volatility -f abc.vmem connections

To identify the ports that were listening on the computer.
Command: volatility -f abc.vmem sockets
(The connections and sockets plugins only support Windows XP/2003 profiles; for a newer Windows dump use the netscan plugin instead.)
To detect DLLs
To list the DLLs loaded by a process when the memory was dumped (piping to wc -l just counts the lines of output).
Command: volatility -f abc.vmem dlllist -p pid | wc -l
volatility -f abc.vmem ldrmodules -p pid
To get more verbose output from ldrmodules (full module paths)
Command: volatility -f abc.vmem ldrmodules -p pid -v
To detect Injected Code
To identify hidden or injected code/DLLs in user-mode memory. We then export these DLLs and upload them to www.virustotal.com to check whether an anti-virus engine detects them.
Command: volatility -f abc.vmem malfind -p pid --dump-dir evidences/
Then upload these files to www.virustotal.com to find out whether an anti-virus vendor flags them as malicious. If we prefer not to upload the files themselves, we compute the sha256 checksum of each file and search for that hash on the VirusTotal website instead.
[Screenshot: results after uploading to www.virustotal.com]
To detect API Hooks
To find API hooks in this memory dump that are related to the malicious processes.
Command: volatility -f abc.vmem apihooks -p pid
To detect Malicious Drivers
To find previously unloaded drivers and drivers that have been unlinked or hidden by rootkits.
Command: volatility -f abc.vmem modscan
To detect Registry Keys
To identify the registry keys that have been added to the computer.
Command: strings abc.vmem | grep -i mrx | grep -i Services
volatility -f abc.vmem printkey -K 'ControlSet001\Services\MrxNet' (example)
