The deliverable for this assignment requires you to forensically analyse two ‘unique’ raw memory dumps, one from a Windows operating system and one from a Linux or Mac operating system. As a component of your analysis, you are expected to extract, identify and present at a minimum: the operating system; different forms of web-based activity; passwords/encryption keys; and running programs/processes. You will be creating your own baseline memory images for the investigation, and as a result you should plan for and consider the environment in which you will be operating. The following simple steps are designed to get you thinking about the approach you should utilise in this assignment:
- Prepare a fresh installation of your chosen operating system;
- Ensure the necessary programs (e.g. Firefox, TrueCrypt, etc.) are installed;
- Execute and utilise your selected software;
- Visit the different websites you have selected; and
- Create a forensic dump of the computer’s memory.
You will need to identify the strengths, limitations and memory footprint of the memory forensic tools you have utilised. You may do so in either a table format, dot points, or written paragraphs. You may also like to assess the impact that a ‘restart/reboot’ has on the data in memory. You may elect to present your investigation as a Microsoft Word document. You are required to demonstrate, in a procedural manner, the steps you took, from creating your baseline images right through to extracting and validating the data of interest. Your target audience is a novice set of end-users, and thus you should communicate each step of the process carefully, with sufficient explanation of what you did and why, to avoid any confusion.
- It is expected that you will need to undertake sufficient research of the subject matter before you begin your investigation.
- The structure of your Word document is entirely up to you.
- You are not required to demonstrate or adhere to ideal forensic practices (think about it).
- You are encouraged to include and make use of numerous screenshots.
- There are many open source and commercial tools available for this assignment.
- You may use any information source as a reference (journal article, blog, etc.).
Steps for analysis of Windows memory dump
- Install Windows XP in a VMware virtual machine with 1 GB of RAM (the memory dump will be the same size as the RAM allocated, so a small allocation keeps the image manageable).
- Install TrueCrypt and FTK Imager inside the VM.
- Open Internet Explorer and browse a few chosen websites.
- Open a command prompt and use it to ping a few sites.
- In TrueCrypt, create a container, mount it, save a file into it, then dismount it.
- Open Notepad, type some text, then close it without saving.
- Open a card game and play for a while.
- Use FTK Imager to capture the memory dump.
- Optionally, hash the image and record the value.
- Optionally, run bulk_extractor on the image.
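As an added example, not part of the assignment brief or the notes above, the following Python script performs the kind of first-pass analysis the last two steps point at, on the examiner's workstation rather than inside the VM: it hashes a raw dump so the copy analysed can be tied to the copy acquired, pulls printable strings out of it in both ASCII and UTF-16LE, and searches them for URLs and keywords. Most Windows GUI text in memory (the Notepad edit buffer, text typed into Internet Explorer) is UTF-16LE, so an ASCII-only `strings` pass misses exactly the artefacts this assignment asks for. The file name memstrings.py, the sample dump bytes and every embedded string are constructed for illustration and are not taken from a real image.

```python
import hashlib
import re
import sys

# Constructed stand-in for a raw memory image (a real FTK Imager dump of the
# 1 GB XP VM is a single binary file; this is a few hundred bytes so the
# script runs offline). The embedded strings are invented for the example.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"ping www.example.com"                              # cmd.exe history, ASCII
    + b"\x00" * 32
    + "http://www.example.org/login".encode("utf-16le")    # URL typed into IE, UTF-16LE
    + b"\x00" * 32
    + "unsaved notepad text".encode("utf-16le")            # Notepad edit buffer, UTF-16LE
    + b"\x00" * 32
    + b"C:\\Program Files\\TrueCrypt\\TrueCrypt.exe"       # image path of a running program
    + b"\x00\x01\x02\xff" * 16                             # binary noise
)

URL_RE = re.compile(r"https?://[\w.\-/%?=&]+")


def sha256_of(data: bytes) -> str:
    """Hash the image before and after analysis so the report can show the
    copy you examined is the one you acquired."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 8):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in both ASCII and UTF-16LE. The second pass is the
    one a plain ASCII strings tool misses, and it is where Windows GUI text lives."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE of printable ASCII is one printable byte followed by one NUL, repeated.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)


def find_urls(strings):
    """Web activity: pull URLs out of the recovered strings, whatever their encoding."""
    return [u for _, _, s in strings for u in URL_RE.findall(s)]


def find_keyword(strings, keyword):
    """Case-insensitive search, e.g. 'ping', 'notepad', 'truecrypt', a username."""
    k = keyword.lower()
    return [hit for hit in strings if k in hit[2].lower()]


def report(data: bytes, keywords=("ping", "notepad", "truecrypt")) -> dict:
    """Everything the examiner wants from a first pass, as plain data for the write-up."""
    strings = extract_strings(data)
    return {
        "sha256": sha256_of(data),
        "urls": find_urls(strings),
        "keywords": {k: find_keyword(strings, k) for k in keywords},
        "string_count": len(strings),
    }


if __name__ == "__main__":
    # usage: python memstrings.py memdump.raw   (no argument: run on the sample)
    # A 1 GB dump is read whole; that is fine on an examiner workstation.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    r = report(data)
    print("SHA-256:", r["sha256"])
    for url in r["urls"]:
        print("URL:", url)
    for k, hits in r["keywords"].items():
        for off, enc, text in hits:
            print(f"{k}: offset 0x{off:x} ({enc}): {text}")
```

Record the SHA-256 in the report next to the hash FTK Imager produced at acquisition; if the two differ, the image was altered in transit and nothing found in it can be relied on. Offsets are printed so a hit can be checked in a hex editor and shown in a screenshot, which is the kind of validation step the brief asks for.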