# UCS648: Cyber Forensics

## Lab Assignment

### Arnav Barman
### 102053038
### 3COE15

---

Topics covered during analysis:

1. Image file 1
    - Image Identification
        - imageinfo
    - Processes & DLLs
        - pslist
        - pstree
        - psscan
        - cmdscan
        - handles
        - malfind
    - Networking
        - connscan
        - sockets
    - Registry
        - hivelist
    - File System
        - mbrparser
2. Image file 2
    - Image Identification
        - imageinfo
    - Processes & DLLs
        - pslist
        - pstree
        - psscan
        - cmdscan
        - handles
        - consoles
        - malfind
    - Networking
        - connscan
        - sockets
    - Registry
        - hivelist
    - File System
        - mbrparser

Reference: [Volatility Foundation's Github](https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference)

---

## Analysis

1. Image file 1
    - Image Identification: To start with our analysis, we first try to understand more about our image file.
        - imageinfo: This plugin shows us that the machine whose memory dump we have was running on the Windows XP SP2/3 profile.

          ![](https://hackmd.io/_uploads/SkoTES7E2.png)
    - Processes & DLLs: We now look into all the processes in the machine memory to search for any kind of masking or any unwanted process.
        - pslist:

          ![](https://hackmd.io/_uploads/B1yzHSmVn.png)
        - pstree:

          ![](https://hackmd.io/_uploads/HyjzSSmV2.png)
        - psscan:

          ![](https://hackmd.io/_uploads/rkNzBBQVn.png)

          Here we do not find any masqueraded process, nor any process that was unnecessary or unusual.
        - cmdscan: This plugin detects any command that was run through the console shell by searching the memory of csrss.exe, but upon analysis nothing suspicious was found.

          ![](https://hackmd.io/_uploads/HJsFSHmVh.png)
        - consoles: Here we detect any commands that were run through CMD or through any kind of backdoor, but we cannot find anything suspicious here either!

          ![](https://hackmd.io/_uploads/H1x9rSQNn.png)
        - handles: We look for open handles in processes, and again we did not find anything suspicious.

          ![](https://hackmd.io/_uploads/H1ypUr7Vn.png)
        - malfind: We try to find any injected or hidden code in user mode. But this was in vain as well!

          ![](https://hackmd.io/_uploads/H1d6UBmN3.png)
    - Networking: Here we look at the network connections that our machine had.
        - connscan: This plugin helps us find the remote address, local address, ports and the processes that made those connections. On analysis we see that the machine had only one connection, to port 80 on a remote host, so it seems safe!

          ![](https://hackmd.io/_uploads/HkDE_SXN3.png)
        - sockets: We look for any protocol ports that may be open for listening, but we don't find any wrong behaviour in this segment either!

          ![](https://hackmd.io/_uploads/B12NOBXE2.png)
    - Registry
        - hivelist: We check for any suspicious activity in the Windows registry. But all activity seems fine in the registry.

          ![](https://hackmd.io/_uploads/SJFHdSX4n.png)
    - File System
        - mbrparser: We parse the memory and scan for any other master boot records. But we only see the original master boot record.

          ![](https://hackmd.io/_uploads/BJQHuBm42.png)

    **On the basis of the above analysis, it is safe to say that there was no trojan or malware in the machine!**

---

2. Image file 2
    - Image Identification: To start with our analysis, we first try to understand more about our image file.
        - imageinfo: This plugin shows us that the machine whose memory dump we have was running on the Windows XP SP2/3 profile.

          ![](https://hackmd.io/_uploads/rkABuHmEn.png)
    - Processes & DLLs: We now look into all the processes in the machine memory to search for any kind of masking or any unwanted process.
        - pslist:

          ![](https://hackmd.io/_uploads/B1R8_HQVh.png)
        - pstree:

          ![](https://hackmd.io/_uploads/SyLLOS7E2.png)
        - psscan:

          ![](https://hackmd.io/_uploads/r1XwuSmNn.png)

          Here we do not find any masqueraded process, nor any process that was unnecessary or unusual.
        - cmdscan: This plugin detects any command that was run through the console shell by searching the memory of csrss.exe, but upon analysis nothing suspicious was found.

          ![](https://hackmd.io/_uploads/BkDPdH74n.png)
        - handles: We look for open handles in processes, and again we did not find anything suspicious.

          ![](https://hackmd.io/_uploads/SkyF_HXE3.png)
        - consoles: Here we detect any commands that were run through CMD or through any kind of backdoor, but we cannot find anything suspicious here either!

          ![](https://hackmd.io/_uploads/rJ2wOS74n.png)
        - malfind: We try to find any injected or hidden code in user mode. But this was in vain as well!

          ![](https://hackmd.io/_uploads/HJbddSXEh.png)
    - Networking: Here we look at the network connections that our machine had.
        - connscan: This plugin helps us find the remote address, local address, ports and the processes that made those connections. On analysis we see that the machine had only one connection, to port 80 on a remote host, so it seems safe!

          ![](https://hackmd.io/_uploads/BkDFurXN2.png)
        - sockets: We look for any protocol ports that may be open for listening, but we don't find any wrong behaviour in this segment either!

          ![](https://hackmd.io/_uploads/SknKuBQN2.png)
    - Registry
        - hivelist: We check for any suspicious activity in the Windows registry. But all activity seems fine in the registry.

          ![](https://hackmd.io/_uploads/SkrqdHQVh.png)
    - File System
        - mbrparser: We parse the memory and scan for any other master boot records. But we only see the original master boot record.

          ![](https://hackmd.io/_uploads/HJe5_S74n.png)

    **On the basis of the above analysis, it is safe to say that there was no trojan or malware in the machine!**

---
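The "no masqueraded process" and "only port 80" conclusions above are reached by reading the plugin screenshots by eye. The following is an added example, not part of the lab report and not a Volatility plugin, that makes the two checks mechanical: it diffs `pslist` (which walks the kernel's process list) against `psscan` (which carves process structures from memory, so a process unlinked from that list still shows up), discarding terminated processes that `psscan` also recovers, and flags `connscan` rows whose remote port is outside the set the analyst expects. The plugin output samples, offsets, PIDs and addresses are all constructed for the example; the helper names are hypothetical.

```python
"""Cross-check Volatility 2 plugin output: hidden processes and unexpected connections.

Hypothetical helper written for this write-up; it is not a Volatility plugin.
Feed it the text that `vol.py ... pslist`, `psscan` and `connscan` print.
"""
import re
from typing import Dict, FrozenSet, List, NamedTuple

# Column layout of Volatility 2 text output (Windows XP profiles):
#   pslist  : Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
#   psscan  : Offset(P) Name PID PPID PDB Time created Time exited
#   connscan: Offset(P) Local Address Remote Address Pid
PROC_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)")
CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<local>\S+:\d+)\s+(?P<remote>\S+:\d+)\s+(?P<pid>\d+)")
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


class Proc(NamedTuple):
    name: str
    pid: int
    ppid: int
    exited: bool  # a second timestamp on the line means the process has terminated


class Conn(NamedTuple):
    local: str
    remote: str
    pid: int


def parse_processes(text: str) -> Dict[int, Proc]:
    """Parse pslist or psscan output into a PID-keyed dict (same regex fits both layouts)."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        exited = len(TIME_RE.findall(line)) >= 2
        pid = int(m["pid"])
        procs[pid] = Proc(m["name"], pid, int(m["ppid"]), exited)
    return procs


def find_hidden_processes(pslist_text: str, psscan_text: str) -> List[Proc]:
    """Processes carved by psscan that pslist's list walk does not show.

    pslist follows the ActiveProcessLinks list, so a process unlinked from it
    (DKOM hiding) disappears from pslist while psscan still finds its pool block.
    Terminated processes also linger in psscan output, so those are filtered out.
    """
    listed = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    hidden = [p for pid, p in scanned.items() if pid not in listed and not p.exited]
    return sorted(hidden, key=lambda p: p.pid)


def find_unexpected_connections(connscan_text: str,
                                allowed_remote_ports: FrozenSet[int] = frozenset({80})) -> List[Conn]:
    """connscan entries whose remote port is outside the set the analyst expects."""
    hits: List[Conn] = []
    for line in connscan_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        remote_port = int(m["remote"].rsplit(":", 1)[1])
        if remote_port not in allowed_remote_ports:
            hits.append(Conn(m["local"], m["remote"], int(m["pid"])))
    return hits


# Constructed sample output (made-up offsets, PIDs and addresses; not from the lab images).
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2023-05-01 10:00:00 UTC+0000
0x82298700 csrss.exe               584    368      9      326      0      0 2023-05-01 10:00:02 UTC+0000
0x81e2ab28 explorer.exe           1464   1428     17      415      0      0 2023-05-01 10:00:10 UTC+0000
"""

PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00039000
0x00000000022f1020 smss.exe            368      4 0x0a3c0020 2023-05-01 10:00:00 UTC+0000
0x0000000002298700 csrss.exe           584    368 0x0a3c0040 2023-05-01 10:00:02 UTC+0000
0x0000000001e2ab28 explorer.exe       1464   1428 0x0a3c0060 2023-05-01 10:00:10 UTC+0000
0x0000000001f01da0 svchost.exe        1337   1464 0x0a3c0080 2023-05-01 10:05:00 UTC+0000
0x0000000001f44020 notepad.exe        2000   1464 0x0a3c00a0 2023-05-01 10:06:00 UTC+0000 2023-05-01 10:07:30 UTC+0000
"""

CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 192.168.1.10:1043         203.0.113.5:80            1464
0x02cb2d18 192.168.1.10:1051         198.51.100.7:4444         1337
"""

if __name__ == "__main__":
    for p in find_hidden_processes(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print(f"hidden process: {p.name} pid={p.pid} ppid={p.ppid}")
    for c in find_unexpected_connections(CONNSCAN_SAMPLE):
        print(f"unexpected connection: {c.local} -> {c.remote} pid={c.pid}")
```

On the constructed sample the script reports `svchost.exe` (PID 1337) as present in `psscan` but absent from `pslist`, and the connection from that same PID to a non-80 remote port; `notepad.exe` is ignored because its line carries an exit time. To use it on a real image, redirect each plugin's output to a file (`vol.py -f image.raw --profile=<profile> pslist > pslist.txt` and likewise for `psscan` and `connscan`) and pass the file contents to the two functions; a process that only `psscan` sees is then the item to hand to `dlllist`, `handles` and `malfind` for the closer look the report performs by hand.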