Assignment 5
CET4861 Advanced Digital Forensics
RAM and Swap Capture
Dr. Philip Craiger
Objective:
You are working as the CDEA (Chief Digital Evidence Examiner) for HAL, Inc. You receive a phone call from the county sheriff’s office. The deputy tells you that a pipe bomb exploded in a local college’s aviation department. The suspect was seen fleeing the scene.
Deputies are currently at the suspect’s house. A deputy says they believe there is evidence on the suspect’s computer that is related to the crime. He says ‘get over here right away.’
Luckily you are only a block from the suspect’s house. You meet the deputy at the door. The sheriff’s computer examiner is there. The examiner says she wants to create an image of the computer’s hard drive, but she requests that you gather volatile information prior to her doing so.
The computer is a Dell running XP and has 512 MB of RAM. You know time is of the essence. You have a USB thumb drive with FTK Imager 3.1.1 installed. (Hint hint: You’ll have to have a USB flash drive with FTK Imager installed. Do this PRIOR to starting the assignment.)
You complete your work. As you are leaving with the evidence you hear the suspect yell at the deputy “I’m not lying! I’ve never heard of the Unabomber!”
Huh … What the suspect said might be important for your assignment. 🙂
Procedure:
- Watch the videos. Watch them again. Write down the procedures you will use as this will assist you in efficiently executing the procedures. You’ll also need these for a ‘notes’ section in your writeup.
- Download the compressed VM (700 MB, 1.4 GB unzipped). Unzip it. Find the *.vmdk and double-click it. This should start VMware and open the XP VM. The VM has been suspended (i.e., it starts in its former running state when you run the VM). Insert your thumb drive. Run the VM. Go!
a. Remember that while the VM is running, the contents of RAM and the swap file are changing. Time is of the essence! Don’t dawdle. I would suggest doing this procedure once as practice. Get your technique down pat. Then delete the contents of the VM folder, unzip the VM again, and start the process all over. That’s what I did!
- Use FTK Imager to dump the RAM and the swap file per the video. Make sure to dump the files to your thumb drive!
- Download and install strings and PhotoRec per the video. I assume you are doing this under Windows. This gives us some practice in using Windows-based forensic tools.
- Run strings on the RAM dump and the swap file. Windows stores much of its user-facing text (window titles, URLs, file names) as 16-bit Unicode (UTF-16LE), so make sure your strings pass captures Unicode strings as well as plain ASCII ones, or you will miss evidence. Use your favorite text editor (or better, install Notepad++), and use Notepad++’s “Find All in Current Document” search facility to find evidence that the suspect IS lying. (Hint: Use Google BEFORE you run the search to do a little preliminary investigation. Find some keywords.)
- Recover:
a) any lengthy text documents that would be useful in proving the suspect is lying. This is where knowing what you are searching for is important. Include a few paragraphs of the text document in your report (in an appendix). Note whether you were able to recover the entire contents of the document, meaning you’ll need to find the original document and compare. Hashing probably won’t work here, because the copy in memory is unlikely to be byte-for-byte identical to the file on disk (it may be partial, split across pages, or stored in a different encoding), so you’ll need to eyeball the two and see if the contents are the same.
b) any graphics files in RAM and swap. Include these files, along with hashes of each file, in your report. Note which file the recovered files came from (RAM or swap).
c) web searches as well (a few examples are good, not too many). Note which file the recovered text came from (RAM or swap).
- Use ‘www.tineye.com’ to do a reverse image search on any graphics files you found. Did you get any hits? If not, what is your best guess as to why there were no hits? (Hint: How does tineye.com work, and how does a carving tool carve files from an image?).
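As an added example (not part of the assignment, the course videos, FTK Imager or PhotoRec), here is a small Python script that does on constructed sample data what the strings, search, carve and hash steps above ask you to do by hand: it pulls both ASCII and UTF-16LE strings out of a dump, searches them for a keyword, carves JPEGs by header/footer marker the way a carving tool does, hashes each carved file and records which dump it came from. The two byte buffers it builds are constructed stand-ins for the RAM and swap files FTK Imager writes, and “unabomber” is just the example keyword; on a real run you would read the actual dump files into `dumps` and use the keywords your preliminary research turned up.

```python
import hashlib
import re
from dataclasses import dataclass

MIN_LEN = 4
# Runs of printable ASCII: the same notion of a "string" as the strings tool.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Runs of UTF-16LE text (printable ASCII byte followed by a NUL byte). Windows XP
# keeps most user-facing text (window titles, URLs, Unicode paths) in this form,
# so an ASCII-only pass over the dump silently misses it.
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker (FF D8 FF xx)
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


@dataclass
class Hit:
    source: str     # which dump the string came from ("ram" or "swap")
    offset: int     # byte offset within that dump
    encoding: str   # "ascii" or "utf-16le"
    text: str


@dataclass
class Carved:
    source: str
    offset: int
    data: bytes
    complete: bool  # False when no EOI marker followed the header
    md5: str
    sha1: str


def extract_strings(data):
    """Yield (offset, encoding, text) for every ASCII and UTF-16LE run."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16LE_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def keyword_hits(source, data, keywords):
    """Case-insensitive keyword search over all strings in one dump."""
    kws = [k.lower() for k in keywords]
    return [Hit(source, off, enc, text)
            for off, enc, text in extract_strings(data)
            if any(k in text.lower() for k in kws)]


def carve_jpegs(source, data):
    """Header/footer carving: cut from each SOI marker to the next EOI marker.
    A header with no footer before the end of the dump is kept but flagged
    incomplete; its hash can never match the original file on disk."""
    out, pos = [], 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            blob, complete, pos = data[start:], False, len(data)
        else:
            blob, complete, pos = data[start:end + 2], True, end + 2
        out.append(Carved(source, start, blob, complete,
                          hashlib.md5(blob).hexdigest(),
                          hashlib.sha1(blob).hexdigest()))
    return out


def triage(dumps, keywords):
    """Run both passes over every dump; dumps maps a label to its raw bytes."""
    hits, carved = [], []
    for name, data in dumps.items():
        hits.extend(keyword_hits(name, data, keywords))
        carved.extend(carve_jpegs(name, data))
    return hits, carved


def build_sample_dumps():
    """Constructed stand-ins for the two FTK Imager output files, NOT data
    from the course VM: just enough bytes to exercise each code path."""
    ram = bytearray(64)
    ram += b"GET /search?q=unabomber+manifesto HTTP/1.1\r\n"       # ASCII URL
    ram += bytearray(32)
    ram += "unabomber.txt - Notepad".encode("utf-16-le")            # UTF-16LE title
    ram += bytearray(32)
    ram += JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x01" * 200 + JPEG_EOI  # whole JPEG
    swap = bytearray(48)
    swap += b"told the deputy he had never heard of the Unabomber"   # ASCII text
    swap += bytearray(16)
    swap += JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x01" * 100      # no EOI: truncated
    return {"ram": bytes(ram), "swap": bytes(swap)}


if __name__ == "__main__":
    hits, carved = triage(build_sample_dumps(), ["unabomber"])
    for h in hits:
        print(f"{h.source}:0x{h.offset:06x} [{h.encoding}] {h.text}")
    for c in carved:
        state = "complete" if c.complete else "TRUNCATED"
        print(f"{c.source}:0x{c.offset:06x} jpeg {len(c.data)} bytes {state} md5={c.md5}")
```

The truncated carve in the swap buffer is the case behind the TinEye question: a carver only recovers the bytes that happen to sit between a header and a footer in the dump, so a file whose pages were never all resident, or that was overwritten mid-way, comes out incomplete or corrupt, its hash matches nothing, and a reverse image search has nothing it can decode. Real carvers such as PhotoRec validate the file structure rather than trusting two markers, but the boundary problem is the same.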
Deliverables:
- A non technical management summary that explains what you were asked to do, what you did, and your findings.
- A technical summary (“notes”) that explains the tools and procedures you used and what you recovered. Be specific about the procedures (numbered: step 1, step 2, step 3, etc.). Your results section should contain the evidence you recovered, along with descriptions of the evidence. Include a conclusion section that explains how you proved the suspect was lying.
..final.doc/pdf
That’s a lot of work and writing, so make it good! Note that under each section above I listed several things to include, make sure you include EVERYTHING I’ve requested!
Have fun!