Project 3: Capturing a RAM Image (15 Points)

What You Need for This Project

Start Your Machine

Launch your Windows machine. If necessary, log in as Administrator with the password P@ssw0rd

Creating Evidence

Do these tasks to create evidence in RAM:

  1. Open Internet Explorer and go to https://accessdata.com/product-download

    Expand the "FTK Imager" section and scroll down to "FTK IMAGER LITE VERSION 3.1.1". Click the "DOWNLOAD PAGE" button, as shown below.

    Fill in the form with your name, contact information, and a working email address, as shown below. If you need a temporary email address, make one at "mail.com".

    Open your email to download the file. Save the FTK Imager file in your Downloads folder.

  2. In Internet Explorer, visit these websites:

    With Bing open, search for "fake credit card numbers". Open one of the pages it finds. It should show several credit card numbers, as shown below.

    Copy the numbers from the Web page into a Notepad file, as shown below. Leave the Notepad file open.

    Open a second Notepad window and type in your own email address. Don't close Notepad or save the file.

  3. Open a Command Prompt window and execute the commands below. In the second command, replace the string "YOUR-NAME" with your own name, without any spaces.
    net user waldo Apple123 /add

    net user YOUR-NAME SuperSecret! /add

    These commands create two new user accounts with the passwords "Apple123" and "SuperSecret!".

Acquiring a RAM Image with FTK Imager

Click Start, "File Explorer". Open your Downloads folder.

Right-click the "Imager_Lite_3.1.1.zip" file and click "Extract All...". In the "Extract Compressed (Zipped) Folders" box, click Extract.

In the "Imager_Lite_3.1.1" window, double-click FTK_Imager.exe.

In the "Open File - Security Warning" box, click Run.

An "AccessData FTK imager 3.1.1.8" window opens. From the menu bar, click File, "Capture Memory...", as shown below:

In the "Memory Capture" box, click the Browse button. Click Desktop and click OK.

In the "Memory Capture" box, click the "Capture Memory" button.

You should see a box saying "Memory capture finished successfully", as shown below:

Installing HxD

One way to explore the RAM image is to use a raw hex viewer.

In a Web browser, go to https://mh-nexus.de/en/hxd/

Scroll down and find the download link for modern Windows versions, as shown below.

Click the download link, download the English version, unzip it, and install it with the default options.

Viewing the Memory Image with HxD

In HxD, click File, Open. Open the "memdump.mem" file on your desktop.

In HxD, press Ctrl+F. Search for

net use

HxD finds the string and highlights it, as shown below. You can see one of the command-line commands you created when making evidence.

In HxD, press Ctrl+F. Search for

samsclass.info

HxD finds the string and highlights it, as shown below.

On the right side of the HxD window, a pane shows various interpretations of this byte sequence. The Int32 value is a long number beginning with 19, as shown below. Make a note of this number.
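The HxD steps above (search the dump for a string, then read the 4 bytes at the hit as an Int32) can be reproduced in a few lines of Python, which is useful when the dump is too large to browse by hand or when you want the results in a report. The script below is an added example, not part of this project page or of HxD or FTK Imager. It hashes the image so later findings can be tied to the capture, searches for a string in both ASCII and UTF-16LE (the Windows console keeps typed command lines in UTF-16, so an ASCII-only search can miss copies of your "net user" commands), and shows the little-endian Int32 that HxD's data inspector displays. SAMPLE_DUMP is a constructed stand-in for memdump.mem; scan_file and its path argument are hypothetical and read a real dump through mmap so multi-gigabyte images are not loaded into memory.

```python
import hashlib
import mmap
import struct

# Constructed stand-in for a memory dump (a real memdump.mem is several GB).
# It holds an ASCII copy and a UTF-16LE copy of one of the evidence commands,
# padded with filler bytes. Hypothetical data, not from a real capture.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"net user waldo Apple123 /add\x00"
    + b"\xff" * 8
    + "net user waldo Apple123 /add".encode("utf-16-le")
    + b"\x00" * 16
)


def sha256_of(data) -> str:
    """Hash the whole image; record this right after capture so the dump
    you analyse later can be shown to be the one FTK Imager wrote."""
    return hashlib.sha256(data).hexdigest()


def find_all(data, needle: str):
    """Return (offset, encoding) for every hit of needle, searching the
    ASCII form and the UTF-16LE form (what HxD calls a Unicode search)."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pattern = needle.encode(enc)
        start = 0
        while (pos := data.find(pattern, start)) != -1:
            hits.append((pos, enc))
            start = pos + 1
    return sorted(hits)


def data_inspector(data, offset: int) -> dict:
    """Mimic HxD's data inspector for the 4 bytes at offset: HxD shows the
    little-endian Int32 by default, so that is the value the project asks for."""
    chunk = bytes(data[offset:offset + 4])
    if len(chunk) < 4:
        raise ValueError("fewer than 4 bytes available at offset %d" % offset)
    return {
        "hex": chunk.hex(),
        "int32_le": struct.unpack("<i", chunk)[0],
        "uint32_le": struct.unpack("<I", chunk)[0],
        "int32_be": struct.unpack(">i", chunk)[0],
    }


def scan_dump(data, needle: str) -> dict:
    """Hash the image, list every hit of needle, and interpret the bytes at
    the first hit the way the HxD data inspector would."""
    hits = find_all(data, needle)
    first = data_inspector(data, hits[0][0]) if hits else None
    return {"sha256": sha256_of(data), "hits": hits, "first_hit": first}


def scan_file(path: str, needle: str) -> dict:
    """Same scan against a real dump on disk (hypothetical path), memory-mapped
    so a multi-gigabyte memdump.mem is not read into RAM."""
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return scan_dump(mm, needle)


if __name__ == "__main__":
    result = scan_dump(SAMPLE_DUMP, "net user")
    print("sha256:", result["sha256"])
    for offset, enc in result["hits"]:
        print("hit at offset 0x%08x (%s)" % (offset, enc))
    print("data inspector at first hit:", result["first_hit"])
```

Run it against the real capture with scan_file(r"C:\Users\Administrator\Desktop\memdump.mem", "net use") (the path is an assumption; adjust it to where you saved the image). Expect the UTF-16LE hits to outnumber the ASCII ones for anything you typed at the prompt, and note that the Int32 shown depends on exactly which byte the cursor sits on, so record the offset together with the value.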

Recording Your Success

Use the form below to put your name on the WINNERS PAGE.
Your Name:
Int32 Value (redacted in the image above):


Last Modified: 5-17-18