Traceable systems and computer forensics
CF – Assignment 3
Memory Forensics
Name: ______________________
ID:   ______________________
Objectives:
· Working with a memory dump
· Using the Volatility tool to analyze the memory data
· Identifying the use and output of different plugins
· Identifying suspicious activity in the memory dump
· Extracting memory regions and noting signs of malicious behavior
In this assignment you are given a memory dataset that has security issues, i.e. it is infected. You have to analyze the data and answer the following questions:
#  | Question                                                                                        | Answer | Points
---+-------------------------------------------------------------------------------------------------+--------+-------
1  | Dataset profile?                                                                                |        | 2
2  | Number of all processes / number of active processes                                            |        | 2
3  | The parent of lsass.exe?                                                                        |        | 2
4  | The parent of services.exe?                                                                     |        | 2
5  | Issue of services.exe and its children                                                          |        | 2
6  | PID 680 uses port?                                                                              |        | 2
7  | PID 1928 uses port?                                                                             |        | 2
8  | DLLs of PID 680 _______, and PID 1928 _______                                                   |        | 2
9  | Among PIDs 680, 868 and 1928, there is malicious behavior in the memory regions of PID(s) ______? |        | 2
10 | The protection of explorer.exe is PAGE__________?                                               |        | 2
11 | The MZ signature is found in memory regions of the processes named _______________?             |        | 5
12 | Using the procdump plugin, the number of files generated with errors is _____________?           |        | 5
13 | List 3 mutants whose names end with _MUTEX                                                      |        | 5
14 | Bonus: what infected the dataset?                                                               |        | 10
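Several of the questions above (process counts, the parent of lsass.exe and services.exe, the children of services.exe) are answered by reading the output of the pslist plugin. The Python below is an added example, not part of the assignment and not Volatility's own code: it parses pslist text in the Volatility 2 column layout and answers those questions over a constructed sample. The sample is not the assignment's dump, so its values are not the answers.

```python
import re

# Constructed sample in the layout of Volatility 2's "pslist" output; it is NOT
# output from the assignment's dump, so its values are not the assignment's answers.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                376      4      3       19 ------      0 2010-08-11 06:06:21 UTC+0000
0x82298700 winlogon.exe            600    376     24      533      0      0 2010-08-11 06:06:23 UTC+0000
0x81e2ab28 services.exe            648    600     16      261      0      0 2010-08-11 06:06:24 UTC+0000
0x81e2a3b8 lsass.exe               660    600     21      330      0      0 2010-08-11 06:06:24 UTC+0000
0x81e49020 explorer.exe           1484   1464     17      415      0      0 2010-08-11 06:09:29 UTC+0000
0x81d8f020 notepad.exe            1800   1484      0       -1      0      0 2010-08-11 06:10:02 UTC+0000 2010-08-11 06:12:40 UTC+0000
"""

# Columns: Offset, Name, PID, PPID, Thds, Hnds, Sess, Wow64, then the free-form Start/Exit text.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")

def parse_pslist(text):
    """Map PID -> {name, pid, ppid, exit_time}; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        tail = m.group(9).split()  # 0, 3 or 6 tokens: [start date time tz] [exit date time tz]
        exit_time = " ".join(tail[3:]) if len(tail) > 3 else None  # None = still running
        pid = int(m.group(3))
        procs[pid] = {"name": m.group(2), "pid": pid, "ppid": int(m.group(4)), "exit_time": exit_time}
    return procs

def count_processes(procs):
    """Return (all listed processes, active processes); active means no exit time was recorded."""
    active = sum(1 for p in procs.values() if p["exit_time"] is None)
    return len(procs), active

def parent_name(procs, name):
    """Name of the parent of the first process called `name`, or None if the parent is not listed."""
    for p in procs.values():
        if p["name"].lower() == name.lower():
            parent = procs.get(p["ppid"])
            return parent["name"] if parent else None
    return None

def children_of(procs, name):
    """Names of processes whose parent is called `name`, e.g. to review what services.exe spawned."""
    parent_pids = {p["pid"] for p in procs.values() if p["name"].lower() == name.lower()}
    return sorted(p["name"] for p in procs.values() if p["ppid"] in parent_pids)
```

To use it on the real dump, save the plugin's text output to a file and pass its contents to parse_pslist; on the constructed sample, explorer.exe's parent is not listed, which is how a parent that has already exited shows up.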
Guidelines:
For the assignment above, you need to consider the following:
1- The assignment is to be done individually.
2- Use the Parrot Linux virtual machine for the assignment.
3- Download the data inside the virtual machine.
4- The file is password protected.
a. Password: malware
5- Be careful when specifying the path to the input file.
6- Submitting after the deadline will result in 10% of the points being deducted for each additional day, up to 30%.
a. After that the assignment may not be accepted and a ZERO grade is given.