Project 3: Capturing a RAM Image (15 Points)

What You Need for This Project

Start Your Machine

Launch your Windows machine. If necessary, log in as Administrator with the password P@ssw0rd.

Reducing the Available RAM

This step is not strictly necessary, but it will make the later steps faster if you make the RAM image smaller.

Click Start and type CMD

Right-click "Command Prompt" and click "Run as Administrator". If a User Account Control box appears, approve the privilege escalation.

In the Administrator: Command Prompt window, execute this command:

bcdedit /copy {current} /d "Low-Memory"
This makes a new boot entry labelled "Low-Memory".

The GUID of the new menu entry appears; it is a long string of hexadecimal characters in curly braces, as shown below.

Right-click on the GUID and click Mark.

Carefully drag the cursor to highlight the GUID, as shown below. Then press the Enter key to copy it to the clipboard.

In the Command Prompt window, execute this command, pasting in your correct GUID, which will be different from mine:

bcdedit /set {86e99eaf-7802-11e3-a063-000c29c87fa0} truncatememory 0x20000000
You should see a message saying "The operation completed successfully."

In the Command Prompt window, execute this command:

bcdedit
You should see a "Windows Boot Loader" item with the "truncatememory" parameter set, as shown below:

Restart the computer. A boot menu offers you two choices. Press the down-arrow key on the keyboard to select "Low-Memory", as shown below. Then press the Enter key to boot.

Log in as Administrator with the password P@ssw0rd.

Creating Evidence

Do these tasks to create evidence in RAM:

  1. Open Internet Explorer and go to https://accessdata.com/product-download

    Expand the "FTK Imager" section and scroll down to "FTK IMAGER LITE VERSION 3.1.1". Click the "DOWNLOAD PAGE" button, as shown below.

    Fill in a form with your name and contact information, and a working email address, as shown below. If you need a temporary email address, make one at "mail.com".

    Open your email to download the file. Save the FTK Imager file in your Downloads folder.

  2. In Internet Explorer, visit these websites:

    With Bing open, search for "fake credit card numbers". Open one of the pages it finds. It should show several credit card numbers, as shown below.

    Copy the numbers from the Web page into a Notepad file, as shown below. Leave the Notepad file open.

    Open a second Notepad window and type in your own email address. Don't close Notepad or save the file.

  3. Open a Command Prompt window and execute the commands below. In the second command, replace the string "YOUR-NAME" with your own name, without any spaces.
    net user waldo Apple123 /add

    net user YOUR-NAME SuperSecret! /add

    These commands create two new user accounts with the passwords "Apple123" and "SuperSecret!".

Acquiring a RAM Image with FTK Imager

Click Start, "File Explorer". Open your Downloads folder.

Right-click the "Imager_Lite_3.1.1.zip" file and click "Extract All...". In the "Extract Compressed (Zipped) Folders" box, click Extract.

In the "Imager_Lite_3.1.1" window, double-click FTK_Imager.exe.

In the "Open File - Security Warning" box, click Run.

An "AccessData FTK imager 3.1.1.8" window opens. From the menu bar, click File, "Capture Memory...", as shown below:

In the "Memory Capture" box, click the Browse button. Click Desktop and click OK.

In the "Memory Capture" box, click the "Capture Memory" button.

You should see a box saying "Memory capture finished successfully", as shown below:

Installing HxD

One way to explore the RAM image is to use a raw hex viewer.

In a Web browser, go to https://mh-nexus.de/en/hxd/

Scroll down and find the download link for modern Windows versions, as shown below.

Click the download link, download the English version, unzip it, and install it with the default options.

Viewing the Memory Image with HxD

In HxD, click File, Open. Open the "memdump.mem" file on your desktop.

In HxD, press Ctrl+F. Search for

samsclass.info

HxD finds the string and highlights it, as shown below.

On the right side of the HxD window, a pane shows various interpretations of this byte sequence. The Int32 value is a long number beginning with 19, as shown below. Make a note of this number.
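The same search can be scripted instead of done by hand in HxD. The following is an added example, not part of the original project: it scans a raw dump for the strings planted in the "Creating Evidence" step and reports, for each hit, the offset and the little-endian signed Int32 that HxD's Data Inspector shows for the four bytes at that position. The sample image is constructed here so the script runs without a real memdump.mem.

```python
import struct
from pathlib import Path

# Strings this lab plants in RAM (the search term plus the two account passwords).
NEEDLES = [b"samsclass.info", b"Apple123", b"SuperSecret!"]


def find_artifacts(image: bytes, needles=NEEDLES, context=16):
    """Return one record per hit: the needle, its offset, a few bytes of
    context, and the signed 32-bit little-endian integer formed by the
    four bytes at the hit (what HxD's Data Inspector labels Int32)."""
    hits = []
    for needle in needles:
        start = 0
        while (off := image.find(needle, start)) != -1:
            word = image[off:off + 4].ljust(4, b"\x00")  # pad a hit at the very end
            hits.append({
                "needle": needle.decode(),
                "offset": off,
                "int32_le": struct.unpack("<i", word)[0],
                "context": image[off:off + context],
            })
            start = off + 1
    return hits


def scan_image(path):
    """Scan a raw memory dump such as the memdump.mem written by FTK Imager."""
    return find_artifacts(Path(path).read_bytes())


# Constructed stand-in for memdump.mem: filler bytes with the lab's strings embedded.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"GET /visited samsclass.info/123 HTTP/1.1\r\n"
    + b"\x00" * 32
    + b"net user waldo Apple123 /add\x00"
    + b"\x00" * 16
    + b"SuperSecret!\x00"
    + b"\xcc" * 64
)

if __name__ == "__main__":
    for hit in find_artifacts(SAMPLE_IMAGE):
        print(f"{hit['needle']:<15} offset 0x{hit['offset']:08x} "
              f"Int32 {hit['int32_le']:>11d}  {hit['context']!r}")
```

Point `scan_image()` at the memdump.mem on your desktop to run it against the real capture; on a 512 MB image the whole file is read into memory, which is fine on the lab machine.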

Recording Your Success

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Int32 Value (redacted in the image above):

Sources

Boot Parameters to Manipulate Memory
Windows 7: BCDEDIT - How to Use


Integrated with Canvas 8-20-18
Typos fixed, RAM reducing added, and "net user" removed 8-27-18
Administrator Command Prompt instructions added 8-28-18