CNIT 121 Proj X7: Procdump (10 pts.)

What You Need

A Windows machine, any version. I used a Server 2008 virtual machine.

Purpose

Dumping all the RAM on a machine captures all the evidence, but it's slow and creates a large file to analyze. That's appropriate for legal forensics work, but in incident response a faster, simpler, more targeted approach is better. In this project we use the Windows tool "procdump" to dump the RAM of just one process, then analyze the dump with Strings to find the password.

Install Strings

If you don't already have Strings on your Windows system, open a browser and go here:

http://technet.microsoft.com/en-us/sysinternals/bb897439

Click the "Download Strings" link.

Save the Strings.zip file on your desktop. Unzip it, and copy strings.exe to the C:\Windows\System32 folder.

Install Procdump

Open a browser and go here:

https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

Click the "Download ProcDump" link.

Save the Procdump.zip file on your desktop. Unzip it, and copy procdump.exe and procdump64.exe to the C:\Windows\System32 folder.

Install TeamViewer

In your Windows machine, open a browser and go here:

https://www.teamviewer.com/en/

Click the "Download Teamviewer" button. Install the software with the default options. TeamViewer opens, as shown below, showing an ID and Password.

Finding the Process ID with Task Manager

Move the mouse into the gray taskbar at the bottom of the desktop. Right click, and click "Task Manager", as shown below.

In Task Manager, click the Process tab. From the menu, click View, "Select Columns...".

In the "Select Process Page Columns" box, check "PID (Process Identifier)", as shown below. Click OK.

Find the TeamViewer.exe process, as shown below. Make a note of its PID. In the image below, the PID was 2296, but yours will be different.

Opening an Administrator Command Prompt Window

Click Start, Run, type CMD and press Enter. A window titled "Administrator Command Prompt" opens, as shown below.

If you don't see the word "Administrator" in the title bar, you haven't successfully opened the correct window. Microsoft changes the procedure in each Windows version--Google how to open it for your version of Windows.

Capturing RAM with ProcDump

In the Administrator Command Prompt window, execute this command, replacing the process ID with the correct value for your TeamViewer process:

procdump -ma 2296

If an error box pops up, as shown below, just ignore it and click OK.

Procdump finishes, producing a memory capture file only 116 MB in size, as shown below.

Analyzing RAM with Strings

In the Administrator Command Prompt window, execute these commands, replacing the .dmp filename with the actual name of your RAM capture file.

The first command extracts the readable strings from the RAM capture and puts them in a file named "str.txt".

The second command opens "str.txt" in Notepad.

strings TeamViewer.exe_160911_125738.dmp > str.txt
notepad str.txt

After a few seconds, the file appears in Notepad. In Notepad, click Edit, Find.

Search for your TeamViewer password. You should find it, as shown below.
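The Strings step above is the whole analysis: it scans the dump for runs of printable characters and writes them to str.txt, and the password shows up because TeamViewer keeps it in cleartext in its own memory. As an added example (not part of this project and not Sysinternals code), the script below re-implements that scan in Python so you can see exactly what Strings finds. Like Sysinternals Strings, it looks for both plain ASCII runs and UTF-16LE runs (the encoding Windows programs normally use for text), reports the offset of each hit, and then searches the hits for a known value, the equivalent of Notepad's Edit, Find. The SAMPLE_DUMP bytes and the password "p4ssw0rd" are constructed for the demo; pass a real .dmp path on the command line to run it against your own capture. The same check is useful on the defensive side, to confirm whether an application you run leaves credentials recoverable in process memory.

```python
import re
import sys

# Constructed stand-in for a process memory dump (NOT a real ProcDump file).
# It mixes binary noise, an ASCII string, a UTF-16LE string, and a run that is
# too short to count. The ID and password values are hypothetical.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"TeamViewer ID: 123 456 789\x00"            # ASCII text
    + b"\xff\xfe\x10"
    + "Password: p4ssw0rd".encode("utf-16-le")    # UTF-16LE text, as Windows stores it
    + b"\x00\x00\x7f"
    + b"ab\x00"                                   # only 2 chars: below the default minimum
)


def extract_strings(data, min_len=3):
    """Return a sorted list of (offset, encoding, text) for every run of at
    least min_len printable characters, scanning for ASCII and UTF-16LE.
    Sysinternals Strings does both by default with a minimum length of 3."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE: each printable ASCII character is followed by a 0x00 byte.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_secret(data, needle, min_len=3):
    """Return only the extracted strings whose text contains needle, which is
    what you do by hand when you search str.txt for the TeamViewer password."""
    return [hit for hit in extract_strings(data, min_len) if needle in hit[2]]


def scan_file(path, min_len=3):
    """Read a real dump file from disk and extract its strings."""
    with open(path, "rb") as f:
        return extract_strings(f.read(), min_len)


if __name__ == "__main__":
    # With a .dmp path: dump every string, like "strings file.dmp > str.txt".
    # Without one: run on the constructed sample and look for the demo password.
    if len(sys.argv) > 1:
        for offset, enc, text in scan_file(sys.argv[1]):
            print(f"{offset:#010x} {enc:8} {text}")
    else:
        for offset, enc, text in extract_strings(SAMPLE_DUMP):
            print(f"{offset:#010x} {enc:8} {text}")
        print("password hits:", find_secret(SAMPLE_DUMP, "p4ssw0rd"))
```

Note that the password in the sample is only visible through the UTF-16 scan; if you run a strings tool that handles ASCII only, a Windows password stored this way will not appear in str.txt even though it is sitting in the dump.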

Saving the Screen Image

Make sure both the TeamViewer and Notepad windows show the SAME PASSWORD, as shown above.

Click the host computer's desktop. Press Shift+PrntScrn to capture the entire desktop.

YOU MUST SUBMIT A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Save this image as a PNG file, named "Proj X7 from YOUR NAME".

Turning in Your Project

Email the image to cnit.121@gmail.com with a subject of "Proj X7 from YOUR NAME".

Source

TeamViewer 11.0.65452 (x64) - Local Credentials Disclosure

Posted 9-11-16
modified 9-14-16
Sam Bowne