CNIT 121 Project 19: RAM Capture and Analysis (15 pts.)

What You Need for This Project

Downloading and Installing Mandiant Memoryze

In a browser, go to

https://www.mandiant.com/resources/download/memoryze

Click the "Download Memoryze" link, as shown below. Verify the hash using HashCalc or a similar tool.

Right-click the Memoryze.zip file and click "Extract All...".

In the "Extract Compressed (Zipped) Folders" box, click Extract.

A "Memoryze" window opens. Double-click the "Memoryze" folder.

Double-click the MemoryzeSetup2.0.msi file.

Install the software with the default options.

Creating an Internet Explorer Process with Data in it

Open Internet Explorer.

Go to http://wikipedia.org and click English.

On the upper right, click "log in".

Enter your own name as the user name and SWORDFISH123 as the password, as shown below.

Click the "Log In" button.

You see a "Login error" message. That doesn't matter: we just want to place that password into RAM.

Leave Internet Explorer open.

Analyzing Live RAM

You can capture an image of RAM with MemoryDD.bat, but the image is as large as the machine's physical RAM, so it consumes a lot of disk space and causes problems in the S214 lab. Instead, we'll analyze live RAM.

In a real investigation, however, you would normally capture RAM first and analyze the image later. Every tool you run on the live system changes the memory you are examining, whereas a saved image can be hashed, preserved as evidence, and re-analyzed on a separate workstation.

Listing All Processes

Click Start, type in CMD, and press Shift+Ctrl+Enter.

In the "User Account Control" box, click Yes.

In the Administrator Command Prompt window, execute these commands, pressing Enter after each one:

cd \Program Files

cd MANDIANT\Memoryze

DIR

You should see several available programs, including MemoryDD.bat, as shown below:

In the Administrator Command Prompt window, execute these commands, pressing Enter after each one.

Replace "YOUR-NAME" with your own name, written without any embedded spaces.

mkdir YOUR-NAME

Process.bat -output YOUR-NAME

A second command prompt window pops up, showing the progress of the analysis, as shown below.

Wait for the box to close.

To see the results, click Start, Computer.

Navigate to C:\Program Files\MANDIANT\Memoryze\YOUR-NAME\Audits

Open the folder inside the Audits folder, with your computer's name on it.

Open the folder with a long numerical name starting with the current year.

You see several XML files, as shown below:

Double-click the file with the long name starting with mir.

A list of processes opens in Internet Explorer, as shown below:

Find a process with a name of iexplore.exe and highlight that line, as shown above.

Saving a Screen Image

Make sure your screen shows iexplore.exe highlighted. Save a screen image with the filename "Your Name Proj 19a".

Capturing Strings from the Internet Explorer Process Memory

In the Administrator Command Prompt window, execute this command.

Replace "YOUR-NAME" with your own name, written without any embedded spaces.

Process.bat -output YOUR-NAME -process iexplore.exe -strings true

A second command prompt window pops up, showing the progress of the analysis.

Wait for the box to close. To see the results, click Start, Computer.

Navigate to C:\Program Files\MANDIANT\Memoryze\YOUR-NAME\Audits

Open the folder inside the Audits folder, with your computer's name on it.

Open the folder with a long numerical name starting with the current year. If there is more than one such folder, open the bottom one (the most recent).

You see several XML files, as shown below.

Find the large file (mine was 30 MB) with the long name starting with mir.

DON'T DOUBLE-CLICK IT! I tried that and it froze Internet Explorer while rendering the large XML file.

Instead, right-click it and open it with WordPad.

Click in the WordPad window, and press Ctrl+F.

Search for the string SWORDFISH.

You should find it, as shown below.
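The WordPad search works, but it is slow on a 30 MB file and only finds the term in the encoding WordPad happens to display. The following script is an added example for this lab, not part of Memoryze: it streams the mir*.xml strings output (or a raw image from MemoryDD.bat) as bytes and reports every offset at which a term appears either as ASCII or as UTF-16LE, the form in which Windows keeps wide-character strings in process memory. The file name, the function names and the sample data in demo() are assumptions for illustration.

```python
"""
Search a large Memoryze output file, such as the multi-megabyte mir*.xml that
Process.bat -strings true writes, for a term without opening it in a GUI.

Added example for the lab, not part of Memoryze.  Assumptions:
  - the file is scanned as raw bytes, so nothing about its XML layout is
    relied on and the same code works on a MemoryDD.bat image;
  - the term may be stored as ASCII or as UTF-16LE (the form Windows uses for
    wide-character strings in process memory), so both are searched.
"""
import os
import re
import tempfile

DEFAULT_CHUNK = 4 * 1024 * 1024   # stream 4 MiB at a time; never load the whole file


def needles(term):
    """Byte patterns for term in the two encodings a Windows process may hold."""
    return {"ascii": term.encode("ascii"), "utf-16le": term.encode("utf-16-le")}


def _printable(text):
    return "".join(c if c.isprintable() else "." for c in text)


def find_in_bytes(data, term, context=16, base=0):
    """Return a list of (absolute_offset, encoding, context_text) hits in data.
    base is the absolute file offset of data[0]."""
    hits = []
    for enc, needle in needles(term).items():
        width = context * 2 if enc == "utf-16le" else context   # bytes per side
        for m in re.finditer(re.escape(needle), data):
            start = max(0, m.start() - width)
            if enc == "utf-16le" and (m.start() - start) % 2:
                start += 1                          # keep the window 2-byte aligned
            end = min(len(data), m.end() + width)
            window = data[start:end]
            if enc == "utf-16le":
                text = window.decode("utf-16-le", errors="replace")
            else:
                text = window.decode("latin-1")
            hits.append((base + m.start(), enc, _printable(text)))
    return hits


def find_in_file(path, term, context=16, chunk=DEFAULT_CHUNK):
    """Stream path in chunks, carrying enough tail bytes that a hit spanning a
    chunk boundary is still found, and report each hit exactly once."""
    longest = max(len(n) for n in needles(term).values())
    tail, tail_base = b"", 0        # tail_base: absolute offset of tail[0]
    seen, hits, pos = set(), [], 0
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            buf = tail + block
            for off, enc, text in find_in_bytes(buf, term, context, base=tail_base):
                if (off, enc) not in seen:          # a shorter needle can recur in the tail
                    seen.add((off, enc))
                    hits.append((off, enc, text))
            pos += len(block)
            tail = buf[-(longest - 1):] if longest > 1 else b""
            tail_base = pos - len(tail)
    hits.sort()
    return hits


def demo():
    """Constructed sample (not real Memoryze output): a fake dump holding the lab
    password once as ASCII and once as UTF-16LE, scanned with a tiny chunk size
    so that the ASCII hit straddles a chunk boundary."""
    term = "SWORDFISH123"
    sample = (b"user=student&password=" + term.encode("ascii") + b"&login=1\x00"
              + b"\x00" * 40
              + "password=SWORDFISH123".encode("utf-16-le")
              + b"\x00" * 20)
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(sample)
        return find_in_file(path, term, context=12, chunk=32)
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: find_term.py <mir-file-or-image> <term>")
    for off, enc, text in find_in_file(sys.argv[1], sys.argv[2]):
        print(f"0x{off:08x} {enc:9} {text}")
```

Run it as python find_term.py "C:\Program Files\MANDIANT\Memoryze\YOUR-NAME\Audits\...\mir....xml" SWORDFISH to get each hit's file offset, encoding and surrounding text. Because the scan is byte-based, a hit in the UTF-16LE column tells you the string was sitting in process memory as a wide string, which is the form a browser's own form handling normally keeps it in.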

Saving a Screen Image

Make sure your screen shows SWORDFISH123 highlighted. Save a screen image with the filename "Your Name Proj 19b".

Turning in your Project

Email the images to cnit.121@gmail.com as attachments. Use a subject line of "Proj 19 From Your Name", replacing "Your Name" with your own first and last name. Send a Cc to yourself.

Sources

http://www.subhashdasyam.com/2011/10/mandiant-memoryze-is-free-memory.html


Last Modified: 4-25-13 8:32 PM