CNIT 121 Project 3: Analyzing a RAM Image with Bulk Extractor (15 Points)

What You Need for This Project

Start Your Windows Machine

Launch your Windows machine. If necessary, log in as Administrator with the password P@ssw0rd. If you are given a choice, start it with the full amount of RAM, not the reduced amount.

There should be a memdump.mem file on your Windows desktop. Drag it out of the virtual machine and drop it on the host Windows 7 machine's desktop.

When the copy finishes, close the Windows virtual machine.

Start Your Kali Linux Machine

You may find it helpful to add RAM to your Kali Linux virtual machine to make it faster. I increased mine to 2 GB.

Launch your Kali Linux machine. If necessary, log in as root with the password toor

Drag the memdump.mem file from your Windows 7 host machine's desktop and drop it on your Kali Linux desktop.

Note: the VMware Tools drag-and-drop copy is buggy and sometimes fails to copy the entire file.

You may see an error message and have to click "Retry".

After the copy finishes, compare the file size in Kali with the size of memdump.mem on the host. A truncated copy will still run through Bulk Extractor, but anything past the cut-off point will be missing from the results.

Running Bulk Extractor

In your Kali Linux machine, open a Terminal window and execute these commands:
cd

cd Desktop

ls -l

Note that the last command is "ls -l": lowercase LS, then a hyphen and a lowercase L (not the digit one).

You should see the memdump.mem file, which should be approximately 500 MB in size, as shown below.

In your Kali Linux machine, in a Terminal window, execute this command:

bulk_extractor -o bulk -e wordlist memdump.mem
If you see an error such as "xml is inconsistent at line 142," the output folder "bulk" already exists, probably from an earlier run; Bulk Extractor will not write into an existing output folder.

To fix it, replace "-o bulk" with "-o bulk2" (or any other folder name that does not exist yet).

This tells Bulk Extractor to scan memdump.mem, write its results into a new folder named "bulk" (-o bulk), and also run the wordlist scanner (-e wordlist), which is off by default and collects the words it finds into wordlist.txt.

Bulk Extractor will take several minutes to run and output progress messages, as shown below:

Viewing the Results

In the Terminal window, execute these commands:
cd bulk

ls -l

You see the files Bulk Extractor created, finding IP addresses, domains, emails, and many other things, as shown below:

Domain Names

In the Terminal window, execute this command:
nano domain_histogram.txt
You see the domain names found in the memory image, and the number of times each one appeared, as shown below. The count is how often the name occurred in RAM (in browser caches, DNS records, page text and so on), not a count of visits.

Press Ctrl+X to close nano.

Telephone Numbers

In the Terminal window, execute this command:
nano telephone_histogram.txt
You should see your phone number, as you entered it in the form AccessData required you to fill out to download FTK Imager.

Press Ctrl+X to close nano.

Credit Card Numbers

In the Terminal window, execute this command:
nano ccn_histogram.txt
You see the strings that look like credit card numbers, as shown below. Bulk Extractor's ccn scanner only reports a candidate when it has the shape of a card number and passes the Luhn checksum, so fake or test card numbers that are Luhn-valid appear here along with any real ones.

Word List

In the Terminal window, execute this command:
nano wordlist.txt
You see the words found, and the number of times each word was found. This list is useful as a dictionary when cracking passwords for encrypted files or folders: a password typed on the machine may still be sitting in RAM as plain text.

Email Addresses

In the Terminal window, execute this command:
nano email_histogram.txt
You see the email addresses found in the memory image, and the number of times each one appeared. Scroll down and find your own email address, as shown below:
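The commands in the sections above are the whole procedure: run Bulk Extractor into a fresh folder, then read each histogram file. The script below is an added example written for this page (it is not from the handout and not part of Bulk Extractor) that wraps those steps: it picks an output folder name that does not already exist, runs bulk_extractor with the same options as above, prints the most frequent entries of any histogram file, and re-checks every entry of ccn_histogram.txt with the Luhn checksum so false positives can be dropped. It assumes the "n=COUNT<TAB>VALUE" line layout that bulk_extractor uses for its *_histogram.txt files; the two sample histogram files it builds are constructed for the demo, not real output from a memory image.

```shell
#!/bin/sh
# Added example for this page, not code from the handout or from Bulk Extractor.
# Assumes bulk_extractor's histogram layout: comment lines start with '#',
# feature lines are "n=COUNT<TAB>VALUE".

# Pick an output directory that does not exist yet (bulk, bulk2, bulk3, ...),
# because bulk_extractor will not write into an existing output directory.
next_free_outdir() {
    base="$1"; i=1; name="$base"
    while [ -e "$name" ]; do
        i=$((i + 1)); name="$base$i"
    done
    printf '%s\n' "$name"
}

# Run bulk_extractor on an image with the options used in the project
# (-e wordlist enables the wordlist scanner, which is off by default) and
# print the output directory that was used.
run_bulk_extractor() {
    image="$1"; out="$(next_free_outdir "${2:-bulk}")"
    command -v bulk_extractor >/dev/null 2>&1 || { echo "bulk_extractor not found" >&2; return 1; }
    bulk_extractor -o "$out" -e wordlist "$image" && printf '%s\n' "$out"
}

# Print the N most frequent entries of a histogram file as "COUNT<TAB>VALUE".
top_hist() {
    hist="$1"; n="${2:-10}"
    grep -v '^#' "$hist" | sed -n 's/^n=//p' | sort -rn | head -n "$n"
}

# Luhn checksum: exit 0 if the digits in $1 pass, 1 otherwise.
# Spaces and dashes are removed first; 13 to 19 digits are accepted.
luhn_ok() {
    printf '%s\n' "$1" | awk '{
        gsub(/[^0-9]/, "")
        n = length($0)
        if (n < 13 || n > 19) exit 1
        sum = 0; dbl = 0
        for (i = n; i >= 1; i--) {
            d = substr($0, i, 1) + 0
            if (dbl) { d *= 2; if (d > 9) d -= 9 }
            sum += d
            dbl = !dbl
        }
        exit ((sum % 10 == 0) ? 0 : 1)
    }'
}

# Re-check every number in ccn_histogram.txt. bulk_extractor already applies
# Luhn before reporting a hit, so this is an independent second check; a
# LUHN_FAIL line is a false positive and can be dropped from the report.
ccn_report() {
    tab="$(printf '\t')"
    grep -v '^#' "$1" | sed -n 's/^n=//p' | while IFS="$tab" read -r count ccn; do
        if luhn_ok "$ccn"; then
            printf 'LUHN_OK\t%s\t%s\n' "$count" "$ccn"
        else
            printf 'LUHN_FAIL\t%s\t%s\n' "$count" "$ccn"
        fi
    done
}

# Constructed sample output (NOT real bulk_extractor results) so the review
# functions can be exercised without a memory image. Prints the directory.
make_samples() {
    d="$(mktemp -d)"
    printf '# BANNER FILE NOT PROVIDED (-b option)\n' > "$d/domain_histogram.txt"
    printf 'n=45\tgoogle.com\nn=12\tmicrosoft.com\nn=3\texample.com\n' >> "$d/domain_histogram.txt"
    printf '# BANNER FILE NOT PROVIDED (-b option)\n' > "$d/ccn_histogram.txt"
    # 4111111111111111 and 5500 0000 0000 0004 are Luhn-valid test numbers;
    # 4111111111111112 is one digit off and fails.
    printf 'n=2\t4111111111111111\nn=1\t5500 0000 0000 0004\nn=1\t4111111111111112\n' >> "$d/ccn_histogram.txt"
    printf '%s\n' "$d"
}

# Demo on the constructed sample. With real output replace the directory:
#   top_hist bulk/domain_histogram.txt 10; ccn_report bulk/ccn_histogram.txt
d="$(make_samples)"
echo "Top domains:";         top_hist "$d/domain_histogram.txt" 2
echo "Credit card numbers:"; ccn_report "$d/ccn_histogram.txt"
rm -r "$d"
```

On the real output, run top_hist against domain_histogram.txt, email_histogram.txt or telephone_histogram.txt in the bulk folder; the ccn check matters because a 16-digit run of bytes in RAM can be a timestamp, a hash fragment or a serial number that happens to satisfy Luhn, so a second look at each hit before reporting it is worth the few seconds.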

Saving a Screen Image

Make sure your email address is visible.

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

On the host machine, not the virtual machine, click Start.

Type mspaint into the Search box and press the Enter key.

Click in the untitled - Paint window, and press Ctrl+V on the keyboard. The desktop appears in the Paint window.

Save the document with the filename "YOUR NAME Proj 3", replacing "YOUR NAME" with your real name.

Other Files to Examine

Look in url_searches.txt to see the search queries Bulk Extractor pulled out of the URLs it found; one of them should be "fake credit card numbers".

You can open the packets.pcap file in Wireshark. When I did it, most of the packets were garbled, but there were some intact NetBIOS packets.

Turning In Your Project

Email the image to me as an attachment to an e-mail message. Send it to: cnit.121@gmail.com with a subject line of "Proj 3 From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.


Last Modified: 9:41 pm 2-12-2014