Sunday, November 1, 2015

Volatility Memory Forensics - Investigating a potential virus situation - Part 2




Analysis

See Appendix C for details regarding the creation of Preservation and Working copies. The Working Copy was used for all analysis.

Prior to reinstalling the machine it was powered on so that the environment could be inspected visually. At this point, nothing stood out or “popped” up on the screen. With the exception of logging in and executing the “dumpit.exe” memory acquisition tool, no other interaction was done with the system. The “dumpit.exe” tool was used to write the contents of memory to a USB drive. The next step was to create a “.zip” file of the acquired memory image, using “WinRar”. Upon completion, the “fciv.exe” tool was used to obtain an MD5 hash of the acquired image. This hash was stored in a text file on the USB drive.

The acquired memory image was then transferred to the analysis machine. After the file was copied, “md5sum” was run against the image. The computed hash matched that of the original.

Figure 1: The MD5 hash being verified and the file extracted with unrar.


Volatility

Identifying the image

Although it had been mentioned that the system was running Windows 7, and because very little interaction had been performed with the system, the first step was to verify the memory image itself and obtain information about the operating system (OS) from it. By executing the command “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose imageinfo --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64” the examiner was able to determine that the system was running 64-bit Windows 7 Service Pack 1.

Figure 2: The imageinfo output identifying the operating system as Windows 7 Service Pack 1.


Verifying Install Date

Because of her concern that the system was slow, the decision was taken to determine the date the computer's OS was installed. To achieve this, the command “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 printkey --hive-offset=0xfffff8a0008d2410 --key="Microsoft\Windows NT\CurrentVersion" > install-date.txt” was executed. Next the command “cat install-date.txt” was executed. The install date was stored as the epoch value “1315321263”.

Figure 3: The install date, highlighted, in epoch (Unix time) format.


When the value was converted using epochconverter.com it reported an install date of “Tue, 06 Sep 2011 15:01:03 GMT”.

Figure 4: The time converted from epoch to human-readable form.



Identifying Network Connections

Since no network activity had been initiated manually during acquisition, the first step was to look at the list of network connections using the command “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 netscan > netscan-results.txt”. Next the command “cat netscan-results.txt” was executed.

From the results, the items of interest were (columns: Offset(P), Proto, Local Address, Foreign Address, State, Pid, Owner):

0x13301fcf0        TCPv4    -:49501                        209.148.192.43:80    CLOSED           1324     svchost.exe
0x133ac8010        TCPv4    -:0                            168.211.9.8:0        CLOSED           1        ?8A????
0x134ee5010        TCPv4    192.168.0.38:49498             208.111.170.136:80   ESTABLISHED      1056     svchost.exe
0x13749dc00        TCPv4    -:49502                        108.162.232.204:80   CLOSED           1956     avp.exe

These IPs were considered interesting because they were associated with external resources. While the first two addresses were not present in the VirusTotal database, the third and fourth were known to VirusTotal and had a number of malicious URLs associated with them.
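The two triage steps above (converting the InstallDate epoch value and picking out the externally-facing rows from the netscan output) are easy to script so they can be repeated against later images. The following is an added example, not code from the original post or from Volatility; the sample text is the four netscan rows quoted above, re-typed here as constructed input.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample: the four Volatility 2 netscan rows quoted in the post.
NETSCAN_SAMPLE = """\
0x13301fcf0        TCPv4    -:49501                        209.148.192.43:80    CLOSED           1324     svchost.exe
0x133ac8010        TCPv4    -:0                            168.211.9.8:0        CLOSED           1        ?8A????
0x134ee5010        TCPv4    192.168.0.38:49498             208.111.170.136:80   ESTABLISHED      1056     svchost.exe
0x13749dc00        TCPv4    -:49502                        108.162.232.204:80   CLOSED           1956     avp.exe
"""

# TCP rows only: Offset(P) Proto Local Foreign State Pid Owner. The state must start
# with a letter, so UDP rows (which carry no state column) never match by accident.
TCP_ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(TCPv[46])\s+(\S+)\s+(\S+)\s+([A-Z][A-Z_0-9]*)\s+(\d+)\s*(.*)$"
)


def install_date_from_epoch(value):
    """Render a registry InstallDate (seconds since 1970-01-01 UTC) like epochconverter.com does."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def parse_netscan(text):
    """Return one dict per TCP row of netscan output; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW_RE.match(line)
        if m:
            offset, proto, local, foreign, state, pid, owner = m.groups()
            rows.append({"offset": offset, "proto": proto, "local": local, "foreign": foreign,
                         "state": state, "pid": int(pid), "owner": owner.strip()})
    return rows


def foreign_host(endpoint):
    """'209.148.192.43:80' -> '209.148.192.43'; rpartition keeps IPv6 literals intact."""
    return endpoint.rpartition(":")[0]


def external_connections(rows):
    """Keep rows whose foreign address is a routable public IP (drops RFC1918, loopback, '*', '-')."""
    keep = []
    for r in rows:
        try:
            if ipaddress.ip_address(foreign_host(r["foreign"])).is_global:
                keep.append(r)
        except ValueError:  # '*', '-' or otherwise not an IP literal
            continue
    return keep


def ips_for_reputation_lookup(rows):
    """Unique public foreign IPs, sorted numerically, ready for a VirusTotal-style lookup."""
    return sorted({foreign_host(r["foreign"]) for r in external_connections(rows)},
                  key=ipaddress.ip_address)
```

Rows with a garbled owner (such as the `?8A????` entry for PID 1) are kept in the parsed output so the analyst can see them rather than having them silently dropped.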



Other posts in this series
Volatility Memory Forensics - Investigating a potential virus situation - Part 1
Volatility Memory Forensics - Investigating a potential virus situation - Part 2
Volatility Memory Forensics - Investigating a potential virus situation - Part 3
Volatility Memory Forensics - Investigating a potential virus situation - Part 4
Volatility Memory Forensics - Investigating a potential virus situation - Part 5

