Cyber forensics
Capturing Dynamic Evidence
Last edited by Patrick 2 weeks, 3 days ago
RAM and Swap Capture
For your work on the last two assignments, Ms. Wilde has promoted you to the rank of Chief Digital Evidence Examiner at Palindrome. Shortly after, a phone call from the county Sheriff's office was transferred to you. The deputy explains that earlier, a suspected pipe bomb exploded in an aviation facility and a person was detained while attempting to flee the scene. Deputies are currently at the suspect's house and they believe there is evidence related to the investigation on the suspect's computer, which is currently powered on; the deputy is afraid of powering off the computer first and potentially losing some evidence.
You meet the deputy at the door along with their in-house computer examiner, who asks you to copy the volatile evidence so they can shut down the computer and make a forensic duplicate of the drive for analysis later. The computer is a Dell running XP with 512 MB of RAM installed (I know what you're thinking, but don't laugh too much: it was an easy way to provide you with a full, working VM that wasn't absurdly large to download!). Using your trusty USB thumb drive with FTK Imager installed, you make your copy to analyze, and as you're leaving you overhear the suspect yell at the deputy, "I'm not lying! I've never heard of the Unabomber!" You've been tasked with finding any evidence which may cast doubt on the suspect's statement.
Deliverables
- A non-technical management summary that explains what you were asked to do, what you did, and your findings.
- A technical summary that explains the tools and procedures you used and what you recovered. Be specific about the procedures (numbered: step 1, step 2, step 3, etc.).
- A results section that has the evidence you recovered, along with descriptions of the evidence.
- A conclusion section that explains how (if?) you were able to prove the suspect was lying.
Software
You can choose either option:
- Download FTK Imager 3.2.0 from AccessData Product Downloads and follow these directions to run FTK Imager from a flash drive (Imager Lite): Support Portal
- Original FTK Imager Lite 3.1.1: the original version of Lite, which extracts directly to a USB drive
Important!
USB 3.0 devices will not work inside this XP VM. If you’re having trouble getting the VM to recognize you have a flash drive attached, make sure you’re not using a USB 3.0 drive.
Setup
Have FTK Imager installed and ready to go on a USB (Not 3.0) flash drive. You won’t install Imager in the virtual machine; doing so would change evidence and you wouldn’t have the time before valuable volatile information was lost.
- Note that I said FTK Imager and NOT FTK; we will not need or be using the full version of FTK
Download the compressed VM and unzip it. Inside the extracted Windows XP RAM Capture directory is a file which ends in .vmdk: if you add/open that in Workstation or just double click it, this will start the VM. Don't do that until you're ready! The VM is in a suspended state and will resume running from where it was paused, meaning the contents of RAM will begin to change from that point.
- Download and install strings and PhotoRec if you're doing the analysis in Windows; otherwise you can use 'strings' in Linux and PhotoRec (sudo aptitude install photorec).
Procedure
- Remember that while the VM is running, the contents of RAM and the swap file are changing. I suggest doing this procedure more than once: run through it first to get the procedure down, then delete the extracted VM folder, extract a new copy, and start the process over for the assignment.
Use FTK Imager to dump the RAM and the swap.
- Make sure the location being saved to is your flash drive and not the virtual machine.
Run strings on the RAM dump and swap file.
Use a text editor to search for any evidence that may indicate the suspect is lying.
- Hint: Use Google before you run the search to do a little preliminary investigation on what keywords may be useful.
We'll probably be on some watch list after this, so don't forget to occasionally say hello to our new government surveillant.
- Just type something out now and again. Don't worry, they'll see!
Recover any lengthy text which would be useful in proving the suspect is lying.
- Include a few paragraphs of the text document in your report in an appendix.
- Note whether you were able to recover the entire content of the document(s) by finding the original document and comparing.
- Taking a hash will not work in this situation; you'll have to visually compare.
- Note the origin of the recovered text: RAM or swap.
Recover any graphics files in RAM and swap.
- Include these files, along with hashes of each file, in your report.
- Note the source (RAM or swap) of where the recovered files came from.
Include a few examples of web searches the suspect performed.
- Note which search may have led to the recovered text.
- Note the source as well: RAM or swap.
Use www.tineye.com to do a reverse image search on any graphics files you found.
- Did you get any hits? If not, what is your best guess as to why there were no hits?
- Hint: How does tineye.com work, and how does a carving tool carve files from an image?
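As an added example (not part of the original assignment), here is a Python script that does the strings-and-search step of the procedure above over a dump and tags each hit with its source (RAM or swap), plus a hash helper for the carved files. It scans for UTF-16LE strings as well as ASCII, because Windows keeps most user-visible text in memory as UTF-16LE and GNU strings only reports those with -e l; the sample dump bytes and keyword list are constructed.

```python
"""Keyword triage of a RAM or swap dump: ASCII and UTF-16LE strings with offsets."""
import hashlib
import re

MIN_LEN = 4
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Windows (XP included) keeps most user-visible text in memory as UTF-16LE,
# which GNU `strings` only reports with `-e l`, so scan for both encodings.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for every printable run in data."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def keyword_hits(data: bytes, keywords, source: str):
    """Case-insensitive keyword search; each hit records which dump it came from."""
    kws = [k.lower() for k in keywords]
    hits = [(source, off, enc, text)
            for off, enc, text in extract_strings(data)
            if any(k in text.lower() for k in kws)]
    return sorted(hits, key=lambda h: h[1])  # report in offset order


def scan_dump(path: str, keywords, source: str):
    """Run keyword_hits over a dump file (a 512 MB XP image fits in memory)."""
    with open(path, "rb") as f:
        return keyword_hits(f.read(), keywords, source)


def hash_artifact(blob: bytes):
    """MD5 and SHA-1 of a carved file, for the hash column of the report."""
    return hashlib.md5(blob).hexdigest(), hashlib.sha1(blob).hexdigest()


# Constructed stand-in for a dump: filler bytes, an ASCII search URL, a BOM,
# a UTF-16LE document fragment, then more filler. Not real evidence.
SAMPLE_RAM = (
    b"\x00\x01\x02"
    + b"http://www.google.com/search?q=unabomber"
    + b"\xff\xfe"
    + "Notes on the Unabomber case".encode("utf-16le")
    + b"\x00\x00ok"
)

if __name__ == "__main__":
    for hit in keyword_hits(SAMPLE_RAM, ["unabomber"], "RAM"):
        print(hit)
```

Point scan_dump at the RAM dump and the pagefile copy FTK Imager wrote to your flash drive, once with source "RAM" and once with "Swap", so the origin of each hit is recorded for the report.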