
FRS301 - LAB 4A

Quách Hoàng Nam - SE161409 - IA1705

Start Your Machine


Launch your Windows machine. If necessary, log in as Administrator with the password P@ssw0rd

Reducing the Available RAM


This step is not strictly necessary, but it will make the later steps faster if you make the RAM image smaller.
Click Start, "Command Prompt". In the Command Prompt window, execute this command:
bcdedit /copy {current} /d "Low-Memory"
This makes a new boot entry labeled "Low-Memory". The GUID of the new menu entry appears; it is a long series of hexadecimal digits in curly braces, as shown below.
Right-click on the GUID and click Mark. Carefully drag the cursor to highlight the GUID, as shown below. Then press the Enter key to copy it to the clipboard.

In the Command Prompt window, execute this command, pasting in your correct GUID, which will be different from mine:
bcdedit /set {f8ad3fac-fe82-11ed-bc15-000c29f89bbd} truncatememory 0x20000000
You should see a message saying "The operation completed successfully."
In the Command Prompt window, execute this command:
bcdedit
You should see a third "Windows Boot Loader" item with the "truncatememory" parameter set, as shown below:
Restart the computer. A boot menu offers you two choices. Press the down-arrow key on the keyboard to select "Low-Memory", as shown below. Then press the Enter key to boot.
Log in as Administrator with the password P@ssw0rd
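The boot-entry steps above, automated in PowerShell as an added example (this is my script, not part of the lab or its author's instructions). It assumes an elevated PowerShell prompt on the lab VM, the default BCD store, and bcdedit's English output in which the new entry's GUID is printed in braces; it keeps the lab's limit of 0x20000000 bytes (512 MiB), and the check at the end looks for the same "truncatememory" line the bcdedit listing above shows.

```powershell
# Added example, not part of the original lab: automate the "Low-Memory" boot entry.
# Run from an elevated PowerShell prompt on the lab VM. Assumes the default BCD store
# and bcdedit's English output, in which the new entry's GUID is printed in braces.

$entryName  = 'Low-Memory'
$limitBytes = 0x20000000   # same value as the lab: 512 MiB of RAM visible to Windows

# 1. Copy the current boot entry. The braces must be quoted, or PowerShell parses
#    {current} as a script block instead of passing it to bcdedit.
$copyOutput = & bcdedit /copy '{current}' /d $entryName 2>&1
if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }

# 2. Pull the GUID out of the output with a regex instead of marking it by hand.
$guidPattern = '\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}'
$match = [regex]::Match(($copyOutput | Out-String), $guidPattern)
if (-not $match.Success) { throw "No GUID found in bcdedit output: $copyOutput" }
$guid = $match.Value
Write-Host "New boot entry: $guid"

# 3. Cap the memory the new entry will use (same command as the lab, GUID filled in).
& bcdedit /set $guid truncatememory ('0x{0:X}' -f $limitBytes)
if ($LASTEXITCODE -ne 0) { throw "bcdedit /set failed for $guid" }

# 4. Check: the entry should now list truncatememory with the chosen value,
#    which is what the "bcdedit" listing in the lab shows for the third entry.
$entry = & bcdedit /enum $guid | Out-String
if ($entry -notmatch 'truncatememory\s+0x20000000') {
    throw "truncatememory not set on $guid"
}
Write-Host "Verified. Reboot and pick '$entryName' from the boot menu."
```

The script only edits the boot configuration; the reboot and the choice of "Low-Memory" in the boot menu still happen by hand, exactly as in the lab. If you later want the normal amount of RAM back, boot the original entry and remove the extra one with bcdedit /delete followed by the GUID the script printed.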

Creating Evidence
Do these tasks to create evidence in RAM:
With Google open, search for "fake credit card numbers". Open one of the pages it finds. It should
show several credit card numbers, as shown below.
Copy the numbers from the Web page into a Notepad file. Leave the Notepad file open.
Open a second Notepad window and type in your own email address. Don't close Notepad or save the file.
Open a Command Prompt window and execute the commands below. In the second command, replace the string "YOUR-NAME" with your own name, without any spaces.
net user waldo Apple123 /add
net user QUACHHOANGNAM SuperSecret! /add

These commands create two new user accounts with the passwords "Apple123" and "SuperSecret!".

Acquiring a RAM Image with FTK Imager


An "AccessData FTK imager 3.1.2.0" window opens. From the menu bar, click File, "Capture Memory...", as shown below:
In the "Memory Capture" box, click the Browse button. Click Desktop and click OK.
In the "Memory Capture" box, click the "Capture Memory" button.
You should see a box saying "Memory capture finished successfully", as shown below:
