Cyber Range Lab Assignment Report 12

School: Southern New Hampshire University
Course: 500-C
Subject: Industrial Engineering
Date: Jan 9, 2024
Pages: 9
Uploaded by ericbraxton8
IST 894 Capstone Experience Cyber Range Lab Assignment Report 12

Table of Contents

1.0 Introduction ........ 3
2.0 General Context ..... 3
3.0 Technical Context ... 4
4.0 Solution ............ 5
5.0 Activity Log ........ 9
6.0 References .......... 9
1.0 Introduction

In this lab, I will utilize the “Introduction to Forensics” environment within the U.S. Cyber Range. This lab exercise will provide hands-on experience with system memory dumps that can be relevant to forensic investigations, and I will become familiar with the tools and techniques for analyzing memory images.

2.0 General Context

In this lab exercise, I utilized the U.S. Cyber Range, which provides an environment for educators, industry, and others to allow for hands-on cybersecurity training and education to increase the number of skilled cybersecurity experts across all sectors (U.S. Cyber Range, 2020). Inside the lab environment, I used a VM running the SANS SIFT Linux distribution to analyze memory images from a Windows Vista workstation. Once I was successfully logged into the virtual environment, I was set to examine the provided memory image. First, I changed directories to the location of the image file. I utilized a tool called Volatility, which is open-source software for analyzing RAM in 32- and 64-bit systems. It supports Linux, Windows, Mac, and Android systems, and it is Python-based. Volatility is best used for analyzing raw dumps, crash dumps, VMware dumps, etc. (Digital Forensics, 2018).

To utilize Volatility, you must first set a profile to let the application know what operating system the dump came from, which was Windows Vista in this scenario. I first started with the application by browsing through the help menu to get a better understanding of the capabilities of the application and the syntax to run the program. Once I was comfortable with the syntax, I was ready to take a deeper dive into the application and start analyzing the Windows Vista dump. The first command I issued was to let me know the operating system and service pack of the dump. I then ran a command to view the processes that were running at the time of the dump. I was also able to view processes that were previously hidden or terminated because of malware.

Volatility is a powerful tool if used accurately in a forensics investigation. I also ran several commands that let me know the users that were on the Windows Vista workstation, the service pack installed, the process that is listening on a specific port, which users executed a malicious application, where that application originated from, down to the password hashes of the individual users.

3.0 Technical Context

For this lab, I utilized the U.S. Cyber Range to get hands-on training, which provides an environment for educators, industry, and others to allow for hands-on cybersecurity training and education to increase the number of skilled cybersecurity experts across all sectors (U.S. Cyber Range, 2020). Inside the lab environment, I used a virtual machine running the SANS SIFT Linux distribution to analyze memory images from a Windows Vista workstation. Once I was successfully logged into the virtual environment, I was set to examine the provided memory image. Once I was in the appropriate directory, I utilized Volatility, which is open-source software for analyzing RAM in 32- and 64-bit systems. It supports Linux, Windows, Mac, and Android systems, and it is Python-based. Volatility is best used for analyzing raw dumps, crash dumps, VMware dumps, etc. (Digital Forensics, 2018).

To utilize Volatility properly, you must first create a profile to let it know which operating system the dump came from, which was Windows Vista in this lab. The CLI offers a -h option that allows me to view all of the options for running vol.py (Volatility), which was very beneficial to learn the syntax and the various commands to run and when to use them. Analyzing physical memory dumps helps find bugs and viruses, and it can be useful for improving system performance and collecting evidence of cyber crimes, all of which were performed throughout this lab (Apriorit, 2020). Once I felt comfortable with the syntax after browsing the help menu, I started to analyze the Windows Vista dump. The first command I issued ended with imageinfo, which provides the operating system and service pack.

Next, I executed the command pslist, which lets you know what processes were actively running at the time of the dump. This was interesting because it sorts the processes by date, with the most recent processes listed at the top. Next, I ran psscan, which also looks at the running processes, but this command shows the hidden or terminated processes that were ended by malware, namely rootkits. Volatility also offers a wide array of other tools to assist with a forensics investigation.
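The imageinfo, pslist and psscan steps above end with two process listings that an analyst has to compare by hand. The script below is an added example, not part of the lab report or of Volatility itself: it parses text in the column layout Volatility 2 prints for `vol.py -f <image> --profile=<profile> pslist` and `psscan` (the sample output and the process names, PIDs and offsets in it are constructed here, not taken from the lab image) and reports the processes that psscan recovered by scanning for pool allocations but pslist missed while walking the kernel's process list, separating entries that carry an exit time (terminated) from those that do not (candidates for a process hidden by unlinking).

```python
import re

# Constructed sample output (not from a real image) in the layout Volatility 2
# prints for pslist (first block) and psscan (second block) on a Windows image.
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     58      573 ------      0
0x81f0a020 smss.exe                364      4      3       19 ------      0 2014-01-09 08:00:01 UTC+0000
0x81e2c5a8 explorer.exe           1032    996     18      412      1      0 2014-01-09 08:00:20 UTC+0000
"""

PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c8830 System               4      0 0x00319000
0x000000000270a020 smss.exe           364      4 0x0e040260 2014-01-09 08:00:01 UTC+0000
0x00000000022c5a80 explorer.exe      1032    996 0x0e040260 2014-01-09 08:00:20 UTC+0000
0x0000000002811d40 notepad.exe       2208   1032 0x0e040260 2014-01-09 08:05:00 UTC+0000   2014-01-09 08:06:10 UTC+0000
0x0000000002950b10 svchost.exe       1764    996 0x0e040260 2014-01-09 08:01:15 UTC+0000
"""

TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_process_table(text):
    """Return {pid: (name, ppid, exited)} from pslist or psscan output.
    Both plugins print Offset, Name, PID, PPID as the first four columns;
    a row with two timestamps (created and exited) is a terminated process."""
    procs = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].startswith("0x"):
            continue  # skip header, separator and blank lines
        name, pid, ppid = cols[1], int(cols[2]), int(cols[3])
        procs[pid] = (name, ppid, len(TIMESTAMP.findall(line)) == 2)
    return procs


def find_unlinked(pslist_text, psscan_text):
    """Split psscan-only processes into (hidden_candidates, terminated).
    A scanned entry without an exit time that pslist never saw may be a
    process unlinked from the active list, or a stale, freed structure;
    either way it is what the analyst has to examine next."""
    linked = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    hidden, terminated = [], []
    for pid, (name, ppid, exited) in sorted(scanned.items()):
        if pid not in linked:
            (terminated if exited else hidden).append((pid, name, ppid))
    return hidden, terminated


if __name__ == "__main__":
    hidden, terminated = find_unlinked(PSLIST_OUTPUT, PSSCAN_OUTPUT)
    for pid, name, ppid in hidden:
        print(f"not in pslist, no exit time: pid={pid} {name} (ppid {ppid})")
    for pid, name, ppid in terminated:
        print(f"terminated:                  pid={pid} {name} (ppid {ppid})")
```

On the constructed sample the script flags svchost.exe (PID 1764) as the entry worth checking and lists notepad.exe (PID 2208) as simply terminated; on a real image, feed it the saved output of the two plugins.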