There should be a memdump.mem file on your Windows desktop. Drag it out of the virtual machine and drop it on the host Windows 7 machine's desktop.
When the copy finishes, close the Windows virtual machine.
Launch your Kali Linux machine. If necessary, log in as root with the password toor.
Drag the memdump.mem file from your Windows 7 host machine's desktop and drop it on your Kali Linux desktop.
Note: the VMware Tools copy process is buggy and sometimes fails to copy the entire file.
You may see an error message and have to click "Retry".
Note that the last command is "LS -L" in lowercase.
You should see the memdump.mem file, which should be approximately 500 MB in size, as shown below.
In your Kali Linux machine, in a Terminal window, execute this command:
bulk_extractor -o bulk -e wordlist memdump.mem
This tells Bulk Extractor to gather data from the memdump file, put the results in a folder named "bulk", and compile a wordlist of all readable strings.
If you see a message saying "xml is inconsistent at line 142," that means the output folder already exists.
To fix it, replace "-o bulk" with "-o bulk2".
Bulk Extractor will take several minutes to run and output progress messages, as shown below:
You see the files Bulk Extractor created, which list the IP addresses, domains, emails, and many other things it found, as shown below:
You see the domains visited on this computer, and the number of times each was visited, as shown below:
Press Ctrl+X to close nano.
You should see your phone number, as you entered it in the form AccessData required you to fill out to download FTK Imager.
Press Ctrl+X to close nano.
You see the credit card numbers found, as shown below:
You see the words found, and the number of times each word was found. This list is useful as a dictionary when cracking encrypted files or folders.
You see the email addresses used on this computer, and the number of times each was found. Scroll down and find your own email address, as shown below:
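As an added example (not part of the original lab), the histogram files viewed above can be summarized from the terminal instead of scrolling in nano. It assumes the usual Bulk Extractor histogram layout of "n=COUNT", a tab, then the feature, with "#" header lines; the function names and the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example: summarise a Bulk Extractor histogram file.
# Assumed line format: "n=<count><TAB><feature>", optionally followed by
# "<TAB>(utf16=<k>)". Lines starting with "#" are header comments.

# top_features FILE [N]: print "count<TAB>feature" for the N largest counts.
top_features() {
    awk -F'\t' '
        # Keep only well-formed rows; headers and damaged lines are skipped.
        $1 ~ /^n=[0-9]+$/ && NF >= 2 { print substr($1, 3) "\t" $2 }
    ' "$1" | sort -t "$(printf '\t')" -k1,1nr -k2,2 | head -n "${2:-10}"
}

# total_hits FILE: sum of all counts, useful for judging how noisy a file is.
total_hits() {
    awk -F'\t' '
        $1 ~ /^n=[0-9]+$/ && NF >= 2 { sum += substr($1, 3) }
        END { print sum + 0 }
    ' "$1"
}

# make_sample FILE: write constructed sample data (not from a real image).
make_sample() {
    printf '%s\n' \
        '# Feature-Recorder: domain' \
        '# Filename: memdump.mem' > "$1"
    printf 'n=%s\t%s\n' 12 www.example.com 40 update.example.net >> "$1"
    printf 'n=%s\t%s\t%s\n' 7 mail.example.org '(utf16=3)' >> "$1"
    printf '%s\n' 'truncated line without a count' >> "$1"
}

sample=$(mktemp)
make_sample "$sample"
top_features "$sample" 2          # the two most frequent domains
echo "total: $(total_hits "$sample")"
rm -f "$sample"
```

To use it on the lab output, pass the path of one of the histogram files in the "bulk" folder as the first argument.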
Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.
Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!
On the host machine, not the virtual machine, click Start.
Type mspaint into the Search box and press the Enter key.
Click in the untitled - Paint window, and press Ctrl+V on the keyboard. The desktop appears in the Paint window.
Save the document with the filename "YOUR NAME Proj 3", replacing "YOUR NAME" with your real name.
You can open the packets.pcap file in Wireshark. When I did it, most of the packets were garbled, but there were some intact NetBIOS packets.
Send a Cc to yourself.