RAM and Swap Capture – Recover Volatile RAM

You will use VMware Workstation (or VMware Fusion) to run a virtual machine and recover the contents of volatile memory, that is, RAM and the swap file, from a Windows XP VM. Your assignment file is an entire VM in a suspended state, which you will add to/open with VMware Workstation. Since the content of RAM changes as soon as the VM runs, you may have to repeat your procedure a few times, each try on a freshly extracted copy, if you're not seeing any meaningful results.

IMPORTANT – If you're using VMware Fusion – IMPORTANT

Fusion uses containers for VMs with the extension .vmwarevm; these container files are really just renamed folders. If you're using Fusion, rename the extracted VM folder so that it ends in .vmwarevm before importing the suspended VM. The icon should change to one with the Fusion symbol, and the VM should then import easily.

USB 3.0 devices will not work inside the XP VM. If you're having difficulty getting the VM to recognize your drive, first make sure it isn't a USB 3.0 device.

Ms. Wilde has promoted you to the rank of Chief Digital Evidence Examiner at Palindrome. Shortly after, a phone call from the county Sheriff's office is transferred to you. The deputy explains that earlier a suspected pipe bomb exploded in an aviation facility and a person was detained while attempting to flee the scene. Deputies are currently at the suspect's house and believe there is evidence related to the investigation on the suspect's computer, which is currently powered on; the deputy is afraid that powering off the computer first could lose some of that evidence.

You meet the deputy at the door along with their in-house computer examiner, who asks you to copy the volatile evidence so they can shut down the computer and make a forensic duplicate of the drive for analysis later. The computer is a Dell running XP with 512MB of RAM installed. Using your trusty USB thumb drive with FTK Imager installed, you make your copy to analyze, and as you're leaving you overhear the suspect yell at the deputy, "I'm not lying! I've never heard of the Unabomber!" You've been tasked with finding any evidence which may cast doubt on the suspect's statement.


Deliverables:

  1. A non-technical management summary that explains what you were asked to do, what you did, and your findings.
  2. A technical summary that explains the tools and procedures you used and what you recovered.
    1. Be specific about the procedures (numbered: step 1, step 2, step 3, etc.).
    2. Your results section should have the evidence you recovered, along with descriptions of the evidence.
  3. A conclusion section that explains how (or whether) you were able to prove the suspect was lying.

Setup

  1. Have FTK Imager installed and ready to go on a USB (not 3.0) flash drive. You won't install Imager in the virtual machine; doing so would change evidence, and you wouldn't have the time before valuable volatile information was lost.
    1. Note that I said FTK Imager and NOT FTK; we will not need or be using the full version of FTK.
  2. Download the compressed VM and unzip it. Inside the extracted Windows XP RAM Capture directory is a file which ends in .vmx (the VM's configuration file; the .vmdk beside it is the virtual disk). If you add/open that in Workstation, or just double-click it, the VM will start. Don't do that until you're ready! The VM is in a suspended state and will resume from where it was paused, meaning the contents of RAM will begin to change from that point.
  3. Download and install strings and PhotoRec if you're doing the analysis in Windows; otherwise use 'strings' in Linux and PhotoRec, which ships in the testdisk package (sudo apt install testdisk).

Procedure

Remember that as the VM is running, the content of RAM and the swap file is changing. I suggest doing this procedure more than once: run through it first to get the procedure down, then delete the extracted VM folder, extract a new copy, and start the process over for the assignment.

  1. Use FTK Imager to dump the RAM and the swap.
    1. Make sure the location being saved to is your flash drive and not the virtual machine.
  2. Run strings on the RAM dump and swap file.
  3. Use a text editor to search for any evidence that may indicate the suspect is lying.
    1. Hint: Use Google before you run the search to do a little preliminary investigation into what keywords may be useful.
  4. Recover any lengthy text which would be useful in proving the suspect is lying.
    1. Include a few paragraphs of the text document in your report in an appendix.
    2. Note whether you were able to recover the entire content of the document(s) by finding the original document and comparing.
    3. Taking a hash will not work in this situation, because text recovered from RAM or swap is not a byte-for-byte copy of the file on disk; you'll have to compare visually.
    4. Note which file the recovered text came from.
  5. Recover any graphics files in RAM and swap.
    1. Include these files, along with hashes of each file, in your report.
    2. Note the source – RAM or swap – of where the recovered files came from.
  6. Include a few examples of web searches the suspect performed.
    1. Note which search may have led to the recovered text.
  7. Use ‘www.tineye.com’ to do a reverse image search on any graphics files you found.
    1. Did you get any hits? If not, what is your best guess as to why there were no hits?
    2. Hint: How does tineye.com work and how does a carving tool carve files from an image?
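What the strings, keyword-search, carving and hashing steps above do under the hood, as an added Python example. This is not part of the assignment and is not code from FTK Imager, strings or PhotoRec; it runs against a constructed byte string standing in for a RAM or swap dump, and the sample text, the Google search URL and the two synthetic JPEGs in it are made up for the demo. It also shows two things the steps do not spell out: Windows keeps most in-memory text (including browser URLs) as UTF-16LE, so an ASCII-only `strings` pass misses the web searches (GNU strings needs a second run with `-e l`); and a header/footer carver recovers a JPEG only up to its end-of-image marker, so a file whose tail was never in RAM or swap comes out truncated and will not render fully, which is one reason a reverse image search can return nothing.

```python
"""Mechanics behind the strings / PhotoRec / hashing steps, run against a
constructed in-memory stand-in for a RAM or swap dump (not real evidence).
Added example; not code from the assignment, FTK Imager, strings or PhotoRec."""
import hashlib
import re

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image (FF D8) plus the FF opening the first segment
JPEG_EOI = b"\xff\xd9"      # end-of-image marker


def build_sample_image() -> bytes:
    """Constructed dump: filler, an ASCII fragment, a UTF-16LE fragment (how
    Windows keeps most in-memory text), one complete JPEG and one JPEG whose
    tail was never paged in. Every byte here is made up for the demo."""
    jpeg_complete = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + JPEG_EOI
    jpeg_truncated = b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00" + b"\x02" * 20  # no EOI
    return (
        b"\x00" * 16
        + b"constructed ascii fragment mentioning the Unabomber"
        + b"\x00" * 8
        + "http://www.google.com/search?q=unabomber".encode("utf-16-le")
        + b"\x00" * 8
        + jpeg_complete
        + b"\x00" * 8
        + jpeg_truncated
    )


def extract_strings(image: bytes, min_len: int = 4):
    """Equivalent of `strings -a` (ASCII) plus `strings -a -e l` (UTF-16LE).
    Returns sorted (offset, encoding, text) tuples."""
    hits = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, image):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def search_keywords(hits, keywords):
    """Case-insensitive keyword filter over (offset, encoding, text) hits."""
    kws = [k.lower() for k in keywords]
    return [h for h in hits if any(k in h[2].lower() for k in kws)]


def carve_jpegs(image: bytes, source: str):
    """Header/footer carving for JPEG: start at an SOI, stop at the first EOI.
    If another SOI or the end of the dump comes first, the file is truncated in
    this capture: carve what exists and flag it. Each result is hashed so the
    report can list the file with its SHA-256 and its source (RAM or swap)."""
    carved, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        next_soi = image.find(JPEG_SOI, start + len(JPEG_SOI))
        if end != -1 and (next_soi == -1 or end < next_soi):
            data, complete, pos = image[start:end + len(JPEG_EOI)], True, end + len(JPEG_EOI)
        else:
            stop = next_soi if next_soi != -1 else len(image)
            data, complete, pos = image[start:stop], False, stop
        carved.append({
            "source": source, "offset": start, "size": len(data), "complete": complete,
            "sha256": hashlib.sha256(data).hexdigest(), "data": data,
        })
    return carved


def report(image: bytes, source: str, keywords):
    """One line per keyword hit and per carved file, ready for the results section."""
    lines = []
    for off, enc, text in search_keywords(extract_strings(image), keywords):
        lines.append(f"{source} 0x{off:08x} {enc:8} {text}")
    for f in carve_jpegs(image, source):
        state = "complete" if f["complete"] else "TRUNCATED (no EOI in this capture)"
        lines.append(f"{source} 0x{f['offset']:08x} jpeg {f['size']} bytes {state} sha256={f['sha256']}")
    return lines


if __name__ == "__main__":
    for line in report(build_sample_image(), "RAM", ["unabomber"]):
        print(line)
```

On a real dump you would run the same two passes over both the RAM image and the swap file and keep the source label on every hit, since step 5 asks where each recovered file came from.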


Last Updated on March 27, 2019 by Essay Pro