Computer Forensics Report - FRS301 - FPT University
•Download as DOCX, PDF•
0 likes•180 views
The computer forensics report summarizes the investigation of a suspected machine's hard drive (HDD) and random access memory (RAM). Two deleted files were recovered from the HDD, which appeared to be course files. The operating system detected from analyzing the RAM was determined to be either Windows 7 or Windows Server 2008. Various running processes and network connections were extracted, including evidence of iexplore and notepad instances.
Recommended
More Related Content
Similar to Computer Forensics Report - FRS301 - FPT University
Similar to Computer Forensics Report - FRS301 - FPT University (20)
More from Duc Lai Trung Minh
More from Duc Lai Trung Minh (20)
Recently uploaded
Recently uploaded (20)
Computer Forensics Report - FRS301 - FPT University
- 1. Computer Forensics Report Team IA1161 Evidence Collector: Hoang Dinh Tuan Investigator: Dao Nguyen Van Thanh, Lai Trung Minh Duc Reporter: Lai Trung Minh Duc, Tran Long Nhat Phuong 01/02/18
- 2. Investigator Information The following report was conducted by Team IA1161 in the following process: - Tuan is the evidence collector who received captured images from Team IA1064 and presented to our investigator to deliver facts that would seem relevant to the case. The evidence is verified to be unaltered. - Thanh is our main investigator who is responsible for taking the evidence and doing necessary tasks to pursue the investigation. His investigation process will be given details in the third section of this report. - Duc and Phuong are in charge of writing this report based on the results from Thanh. Case Description In this project, we are given two image files capturing a suspected machine from Team IA1164: - Disk.001 – HDD captured image - Memdump.mem – RAM capturedimage We suspected that this machine might be attacked by Metasploit’s Payload for unauthorizedaccess. We also tried to restore any deleted files for further relevantdeduction. Computer and Forensic Tool Statistics The two files were collected at 01/02/18 8:27:03 AM when Tuan received them from Team IA1164. Team IA1161 then started given responsibilities to each member, once we settled and understood our missions, we began the research andtesting. The files were tested usingVolatilityprovided by a Kali machine and FTK Imager on Windows 7. These programs have been proven
- 3. by Mr. Nguyen Sieu Dang to provide valid and accurate results when scanningand analyzinga system.
- 4. Investigation: 1. Check hash of file to ensure the file haven’t been altered. 2. Investigate HDD to explore any deleted file As we can see, inside the investigatedHDD, we have several files. The noticeable point here are two deleted file. - 8498069.pdf was modified at 1/21/2018 10:06:57 AM - VTP-Challenge VTP Configuration (1).pka was modified at 1/17/2017 11:29:32 AM Restoring 2 files, what we have here is:
- 5. 8498069.pdf is the tutorial of lab in CCNA VTP-Challenge VTP Configuration (1).pka is the lab file of CCNA Conclusion: After researchedthe HDD, we don’t find any remarkable point that relevantto our suspect. 3. Investigate RAM. By using the command [volatility -f memdump.mem imageinfo], we think that the OperatingSystem of the suspected machine might be: Windows 7 or Windows Server 2008.
- 6. Here is some of our tables for Processes list and Network list: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------ 0xfffffa80024b6740 System 4 0 88 555 ------ 0 2018-01-31 03:48:10 UTC+0000 0xfffffa8002fd8b30 smss.exe 244 4 2 29 ------ 0 2018-01-31 03:48:10 UTC+0000 0xfffffa800371cb30 csrss.exe 336 328 9 478 0 0 2018-01-31 03:48:21 UTC+0000 0xfffffa800373ab30 csrss.exe 388 380 10 296 1 0 2018-01-31 03:48:22 UTC+0000 0xfffffa8003742b30 wininit.exe 396 328 3 76 0 0 2018-01-31 03:48:22 UTC+0000 0xfffffa8003751b30 winlogon.exe 432 380 3 108 1 0 2018-01-31 03:48:22 UTC+0000 0xfffffa80037bb910 services.exe 492 396 7 215 0 0 2018-01-31 03:48:25 UTC+0000 0xfffffa80037cf910 lsass.exe 500 396 6 586 0 0 2018-01-31 03:48:26 UTC+0000 0xfffffa80037d5b30 lsm.exe 508 396 10 141 0 0 2018-01-31 03:48:26 UTC+0000 0xfffffa8003b1c470 svchost.exe 604 492 9 352 0 0 2018-01-31 03:48:30 UTC+0000 0xfffffa8003b3f060 vmacthlp.exe 664 492 3 54 0 0 2018-01-31 03:48:31 UTC+0000 0xfffffa8003b544a0 svchost.exe 708 492 8 274 0 0 2018-01-31 03:48:32 UTC+0000 0xfffffa8003b89630 svchost.exe 796 492 18 481 0 0 2018-01-31 03:48:33 UTC+0000 0xfffffa8003b9d060 svchost.exe 832 492 17 408 0 0 2018-01-31 03:48:34 UTC+0000 0xfffffa8003ba4780 svchost.exe 856 492 39 1040 0 0 2018-01-31 03:48:34 UTC+0000 0xfffffa8003bf6420 svchost.exe 1004 492 10 518 0 0 2018-01-31 03:48:36 UTC+0000 0xfffffa8003c3b630 svchost.exe 292 492 14 371 0 0 2018-01-31 03:48:38 UTC+0000 0xfffffa80036ff060 spoolsv.exe 1112 492 12 323 0 0 2018-01-31 03:48:40 UTC+0000 0xfffffa800370b060 svchost.exe 1148 492 17 308 0 0 2018-01-31 03:48:41 UTC+0000 0xfffffa80036aa060 svchost.exe 1300 492 16 243 0 0 2018-01-31 03:48:43 UTC+0000 0xfffffa800383e360 VGAuthService. 1420 492 3 88 0 0 2018-01-31 03:48:45 UTC+0000 0xfffffa80027a0b30 vmtoolsd.exe 1520 492 9 291 0 0 2018-01-31 03:48:49 UTC+0000 0xfffffa8002e83190 ManagementAgen 1548 492 10 92 0 0 2018-01-31 03:48:50 UTC+0000 0xfffffa8003d18b30 svchost.exe 1784 492 6 93 0 0 2018-01-31 03:48:53 UTC+0000 0xfffffa8003d84b30 svchost.exe 1812 492 5 101 0 0 2018-01-31 03:48:53 UTC+0000 0xfffffa8003806060 TPAutoConnSvc. 1996 492 9 131 0 0 2018-01-31 03:48:55 UTC+0000 0xfffffa8003e7bb30 WmiPrvSE.exe 1064 604 10 202 0 0 2018-01-31 03:48:58 UTC+0000
- 7. 0xfffffa8003eae310 dllhost.exe 1488 492 13 189 0 0 2018-01-31 03:48:59 UTC+0000 0xfffffa800274db30 msdtc.exe 1192 492 12 144 0 0 2018-01-31 03:49:01 UTC+0000 0xfffffa80028a15b0 taskhost.exe 2276 492 8 156 1 0 2018-01-31 03:49:17 UTC+0000 0xfffffa80028d5060 dwm.exe 2340 832 5 124 1 0 2018-01-31 03:49:17 UTC+0000 0xfffffa8003f83b30 explorer.exe 2384 2316 32 839 1 0 2018-01-31 03:49:18 UTC+0000 0xfffffa8003f80b30 TPAutoConnect. 2392 1996 3 114 1 0 2018-01-31 03:49:18 UTC+0000 0xfffffa8003f885c0 conhost.exe 2412 388 1 34 1 0 2018-01-31 03:49:18 UTC+0000 0xfffffa800404b1c0 vmtoolsd.exe 2624 2384 5 205 1 0 2018-01-31 03:49:24 UTC+0000 0xfffffa8004732b30 SearchIndexer. 2780 492 13 720 0 0 2018-01-31 03:49:31 UTC+0000 0xfffffa80047971f0 wmpnetwk.exe 2880 492 9 211 0 0 2018-01-31 03:49:33 UTC+0000 0xfffffa800257fb30 svchost.exe 1736 492 14 383 0 0 2018-01-31 03:50:53 UTC+0000 0xfffffa8003b055c0 iexplore.exe 2576 2772 0 -------- 1 0 2018-01-31 03:54:14 UTC+0000 2018-01-31 03:54:33 UTC+0000 0xfffffa8003e35b30 notepad.exe 2664 2576 6 173 1 1 2018-01-31 03:54:30 UTC+0000 0xfffffa8003dc5220 iexplore.exe 2572 2772 0 -------- 1 0 2018-01-31 03:54:33 UTC+0000 2018-01-31 03:54:43 UTC+0000 0xfffffa8003f60060 notepad.exe 1160 2572 4 149 1 1 2018-01-31 03:54:40 UTC+0000 0xfffffa8003af5060 cmd.exe 2840 2664 1 37 1 1 2018-01-31 03:55:05 UTC+0000 0xfffffa8003f4e060 conhost.exe 1476 388 2 50 1 0 2018-01-31 03:55:05 UTC+0000 0xfffffa8003bfc060 notepad.exe 2296 2664 5 94 1 1 2018-01-31 03:55:16 UTC+0000 0xfffffa8003cec3a0 audiodg.exe 2124 796 5 122 0 0 2018-01-31 04:17:59 UTC+0000 0xfffffa800255f460 dd.exe 2524 2840 1 44 1 1 2018-01-31 04:19:14 UTC+0000 0xfffffa8003d27920 FTK Imager.exe 3000 2384 15 357 1 0 2018-01-31 04:19:55 UTC+0000 This Processes list is generatedwith the command: [volatility -f memdump.mem pslist] in Kali Linux Offset(P) Proto Local Address Foreign Address State Pid Owner Created 0x7e470cf0 TCPv4 -:0 136.71.186.3:0 CLOSED 292 svchost.exe 0x7e651010 TCPv4 -:49173 104.16.91.188:80 CLOSED 292 svchost.exe 0x7e9fdcf0 TCPv4 -:49174 192.228.79.201:80 CLOSED 292 svchost.exe 0x7e6837d0 TCPv4 -:49175 192.168.198.254:80 CLOSED 292 svchost.exe 0x7e9697d0 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 708 svchost.exe 0x7e96a880 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 708 svchost.exe 0x7e7642d0 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System 0x7e96a110 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 396 wininit.exe 0x7e96aef0 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 396 wininit.exe 0x7e9b3550 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 796 svchost.exe 0x7e9b4ef0 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 796 svchost.exe 0x7ec98530 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 500 lsass.exe 0x7ecc24f0 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 500 lsass.exe 0x7eca3520 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 856 svchost.exe 0x7eca42e0 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 856 svchost.exe 0x7e75f420 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 492 services.exe
- 8. 0x7e760240 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 492 services.exe 0x7e7d39e0 TCPv4 0.0.0.0:49157 0.0.0.0:0 LISTENING 1812 svchost.exe 0x7e7dc010 TCPv4 0.0.0.0:49157 0.0.0.0:0 LISTENING 1812 svchost.exe 0x7ea334a0 TCPv4 0.0.0.0:5357 0.0.0.0:0 LISTENING 4 System 0x7e48b1f0 TCPv4 127.0.0.1:15465 127.0.0.1:49176 ESTABLISHED 2296 notepad.exe 0x7e61d6a0 TCPv4 127.0.0.1:49176 127.0.0.1:15465 ESTABLISHED 2664 notepad.exe 0x7ea0f920 TCPv4 192.168.198.137:139 0.0.0.0:0 LISTENING 4 System 0x7e7e5cf0 TCPv4 192.168.198.137:49169 192.168.198.128:16480 ESTABLISHED 2576 iexplore.exe 0x7e6ac010 TCPv4 192.168.198.137:49172 192.168.198.128:16480 ESTABLISHED 2572 iexplore.exe 0x7e96a880 TCPv6 :::135 :::0 LISTENING 708 svchost.exe 0x7e7642d0 TCPv6 :::445 :::0 LISTENING 4 System 0x7e96a110 TCPv6 :::49152 :::0 LISTENING 396 wininit.exe 0x7e9b3550 TCPv6 :::49153 :::0 LISTENING 796 svchost.exe 0x7ecc24f0 TCPv6 :::49154 :::0 LISTENING 500 lsass.exe 0x7eca3520 TCPv6 :::49155 :::0 LISTENING 856 svchost.exe 0x7e760240 TCPv6 :::49156 :::0 LISTENING 492 services.exe 0x7e7dc010 TCPv6 :::49157 :::0 LISTENING 1812 svchost.exe 0x7ea334a0 TCPv6 :::5357 :::0 LISTENING 4 System 0x7e6833a0 TCPv6 -:445 ff02::16:49177 CLOSED 4 System 0x7e8fc760 TCPv6 -:49177 ff02::16:445 CLOSED 4 System 0x7e7dab50 UDPv4 0.0.0.0:0 *:* 1812 svchost.exe 2018-01-31 03:48:53 UTC+0000 0x7e7dc260 UDPv4 0.0.0.0:0 *:* 1812 svchost.exe 2018-01-31 03:48:53 UTC+0000 0x7ec9a6d0 UDPv4 0.0.0.0:0 *:* 292 svchost.exe 2018-01-31 03:48:39 UTC+0000 0x7ed34520 UDPv4 0.0.0.0:0 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7ed41520 UDPv4 0.0.0.0:0 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7e46a910 UDPv4 0.0.0.0:3702 *:* 1300 svchost.exe 2018-01-31 03:48:57 UTC+0000 0x7e47d3f0 UDPv4 0.0.0.0:3702 *:* 1300 svchost.exe 2018-01-31 03:48:57 UTC+0000 0x7ededb20 UDPv4 0.0.0.0:3702 *:* 1300 svchost.exe 2018-01-31 03:48:57 UTC+0000 0x7edfac80 UDPv4 0.0.0.0:3702 *:* 1300 svchost.exe 2018-01-31 03:48:57 UTC+0000 0x7ea44160 UDPv4 0.0.0.0:4500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7ed42010 UDPv4 0.0.0.0:4500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7ea54530 UDPv4 0.0.0.0:500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7ed421e0 UDPv4 0.0.0.0:500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7ec77370 UDPv4 0.0.0.0:5355 *:* 292 svchost.exe 2018-01-31 04:18:39 UTC+0000 0x7edd1580 UDPv4 0.0.0.0:5355 *:* 292 svchost.exe 2018-01-31 04:18:39 UTC+0000 0x7e9487b0 UDPv4 0.0.0.0:64447 *:* 1300 svchost.exe 2018-01-31 03:48:46 UTC+0000 0x7e6b1840 UDPv4 0.0.0.0:64448 *:* 1300 svchost.exe 2018-01-31 03:48:46 UTC+0000 0x7dae3290 UDPv4 127.0.0.1:1900 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7dadc9a0 UDPv4 127.0.0.1:53599 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7ede19b0 UDPv4 192.168.198.137:137 *:* 4 System 2018-01-31 03:48:39 UTC+0000 0x7eddf9b0 UDPv4 192.168.198.137:138 *:* 4 System 2018-01-31 03:48:39 UTC+0000
- 9. 0x7dae3950 UDPv4 192.168.198.137:1900 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7daddec0 UDPv4 192.168.198.137:53598 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7e7dc260 UDPv6 :::0 *:* 1812 svchost.exe 2018-01-31 03:48:53 UTC+0000 0x7ec9a6d0 UDPv6 :::0 *:* 292 svchost.exe 2018-01-31 03:48:39 UTC+0000 0x7ed34520 UDPv6 :::0 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7e46a910 UDPv6 :::3702 *:* 1300 svchost.exe 2018-01-31 03:48:57 UTC+0000 0x7e47d3f0 UDPv6 :::3702 *:* 1300 svchost.exe 2018-01-31 03:48:57 UTC+0000 0x7ed42010 UDPv6 :::4500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7ea54530 UDPv6 :::500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7edd1580 UDPv6 :::5355 *:* 292 svchost.exe 2018-01-31 04:18:39 UTC+0000 0x7e6b1840 UDPv6 :::64448 *:* 1300 svchost.exe 2018-01-31 03:48:46 UTC+0000 0x7dae3010 UDPv6 ::1:1900 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7dadeec0 UDPv6 ::1:53597 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7dae1bb0 UDPv6 fe80::a9f7:b885:9ff3:ea5e:1900 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7dadf760 UDPv6 fe80::a9f7:b885:9ff3:ea5e:53596 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7f5a5350 UDPv6 fe80::a9f7:b885:9ff3:ea5e:546 *:* 796 svchost.exe 2018-01-31 04:17:06 UTC+0000 This Processes list is generatedwith the command: [volatility -f memdump.mem netscan] in Kali Linux Name Pid PPid Thds Hnds Time -------------------------------------------------- ------ ------ ------ ------ ---- 0xfffffa8003f83b30:explorer.exe 2384 2316 32 839 2018-01-31 03:49:18UTC+0000 . 0xfffffa800404b1c0:vmtoolsd.exe 2624 2384 5 205 2018-01-31 03:49:24UTC+0000 . 0xfffffa8003d27920:FTKImager.exe 3000 2384 15 357 2018-01-31 04:19:55UTC+0000 0xfffffa800373ab30:csrss.exe 388 380 10 296 2018-01-31 03:48:22UTC+0000 . 0xfffffa8003f4e060:conhost.exe 1476 388 2 50 2018-01-31 03:55:05UTC+0000 . 0xfffffa8003f885c0:conhost.exe 2412 388 1 34 2018-01-31 03:49:18UTC+0000 0xfffffa8003751b30:winlogon.exe 432 380 3 108 2018-01-31 03:48:22UTC+0000 0xfffffa8003b055c0:iexplore.exe 2576 2772 0 ------ 2018-01-31 03:54:14UTC+0000 . 0xfffffa8003e35b30:notepad.exe 2664 2576 6 173 2018-01-31 03:54:30UTC+0000 .. 0xfffffa8003af5060:cmd.exe 2840 2664 1 37 2018-01-31 03:55:05UTC+0000 ... 0xfffffa800255f460:dd.exe 2524 2840 1 44 2018-01-31 04:19:14UTC+0000 .. 0xfffffa8003bfc060:notepad.exe 2296 2664 5 94 2018-01-31 03:55:16UTC+0000 0xfffffa8003dc5220:iexplore.exe 2572 2772 0 ------ 2018-01-31 03:54:33UTC+0000 . 0xfffffa8003f60060:notepad.exe 1160 2572 4 149 2018-01-31 03:54:40UTC+0000 0xfffffa8003742b30:wininit.exe 396 328 3 76 2018-01-31 03:48:22UTC+0000 . 0xfffffa80037bb910:services.exe 492 396 7 215 2018-01-31 03:48:25UTC+0000 .. 0xfffffa80036ff060:spoolsv.exe 1112 492 12 323 2018-01-31 03:48:40UTC+0000 .. 0xfffffa80036aa060:svchost.exe 1300 492 16 243 2018-01-31 03:48:43UTC+0000 .. 0xfffffa8003b3f060:vmacthlp.exe 664 492 3 54 2018-01-31 03:48:31UTC+0000 .. 0xfffffa8003b89630:svchost.exe 796 492 18 481 2018-01-31 03:48:33UTC+0000
- 10. ... 0xfffffa8003cec3a0:audiodg.exe 2124 796 5 122 2018-01-31 04:17:59UTC+0000 .. 0xfffffa8002e83190:ManagementAgen 1548 492 10 92 2018-01-31 03:48:50UTC+0000 .. 0xfffffa8003c3b630:svchost.exe 292 492 14 371 2018-01-31 03:48:38UTC+0000 .. 0xfffffa8004732b30:SearchIndexer. 2780 492 13 720 2018-01-31 03:49:31UTC+0000 .. 0xfffffa8003b9d060:svchost.exe 832 492 17 408 2018-01-31 03:48:34UTC+0000 ... 0xfffffa80028d5060:dwm.exe 2340 832 5 124 2018-01-31 03:49:17UTC+0000 .. 0xfffffa8003b544a0:svchost.exe 708 492 8 274 2018-01-31 03:48:32UTC+0000 .. 0xfffffa800257fb30:svchost.exe 1736 492 14 383 2018-01-31 03:50:53UTC+0000 .. 0xfffffa800383e360:VGAuthService. 1420 492 3 88 2018-01-31 03:48:45UTC+0000 .. 0xfffffa8003806060:TPAutoConnSvc. 1996 492 9 131 2018-01-31 03:48:55UTC+0000 ... 0xfffffa8003f80b30:TPAutoConnect. 2392 1996 3 114 2018-01-31 03:49:18UTC+0000 .. 0xfffffa8003ba4780:svchost.exe 856 492 39 1040 2018-01-31 03:48:34UTC+0000 .. 0xfffffa8003b1c470:svchost.exe 604 492 9 352 2018-01-31 03:48:30UTC+0000 ... 0xfffffa8003e7bb30:WmiPrvSE.exe 1064 604 10 202 2018-01-31 03:48:58UTC+0000 .. 0xfffffa8003eae310:dllhost.exe 1488 492 13 189 2018-01-31 03:48:59UTC+0000 .. 0xfffffa80047971f0:wmpnetwk.exe 2880 492 9 211 2018-01-31 03:49:33UTC+0000 .. 0xfffffa80028a15b0:taskhost.exe 2276 492 8 156 2018-01-31 03:49:17UTC+0000 .. 0xfffffa8003bf6420:svchost.exe 1004 492 10 518 2018-01-31 03:48:36UTC+0000 .. 0xfffffa80027a0b30:vmtoolsd.exe 1520 492 9 291 2018-01-31 03:48:49UTC+0000 .. 0xfffffa800274db30:msdtc.exe 1192 492 12 144 2018-01-31 03:49:01UTC+0000 .. 0xfffffa8003d18b30:svchost.exe 1784 492 6 93 2018-01-31 03:48:53UTC+0000 .. 0xfffffa8003d84b30:svchost.exe 1812 492 5 101 2018-01-31 03:48:53UTC+0000 .. 0xfffffa800370b060:svchost.exe 1148 492 17 308 2018-01-31 03:48:41UTC+0000 . 0xfffffa80037d5b30:lsm.exe 508 396 10 141 2018-01-31 03:48:26UTC+0000 . 0xfffffa80037cf910:lsass.exe 500 396 6 586 2018-01-31 03:48:26UTC+0000 0xfffffa800371cb30:csrss.exe 336 328 9 478 2018-01-31 03:48:21UTC+0000 0xfffffa80024b6740:System 4 0 88 555 2018-01-31 03:48:10UTC+0000 . 0xfffffa8002fd8b30:smss.exe 244 4 2 29 2018-01-31 03:48:10UTC+0000 This Processes Tree list is generatedwith the command: [volatility -f memdump.mem pstree] in Kali Linux. After collectingthose lists, we use Excel 2016 for analyzing, sorting, finding the data. Looking at the Processes list, we see some noticeable process: - 3 processes of notepad.exe - 2 processes of iexplorer.exe o And only two of them has exited time. - 1 process of cmd.exe
- 11. - 1 process of FTK Imager.exe - Many of system processes (svhosts.exe) Looking at the Network list, we also see some noticeable connections too: - Most of the connection were made by the system with the source IP: 0.0.0.0 and the destination IP also 0.0.0.0. They are also in the status of LISTENING - There are 4 weirdconnections because their status is ESTABLISHED. Offset(P) Proto Local Address Foreign Address State Pid Owner 0x7e48b1f0 TCPv4 127.0.0.1:15465 127.0.0.1:49176 ESTABLISHED 2296 notepad.exe 0x7e61d6a0 TCPv4 127.0.0.1:49176 127.0.0.1:15465 ESTABLISHED 2664 notepad.exe 0x7e7e5cf0 TCPv4 192.168.198.137:49169 192.168.198.128:16480 ESTABLISHED 2576 iexplore.exe 0x7e6ac010 TCPv4 192.168.198.137:49172 192.168.198.128:16480 ESTABLISHED 2572 iexplore.exe We get into 2 questions: - Why does notepad.exe need to established the connection to loopback address, and two processes seem communicate to each other? - Why does iexplorer.exe connectto the weirdURL with weird port like that (16480)? Normally, people should access to the website via port 80/443. Looking at the Process tree, we see: 0xfffffa8003b055c0:iexplore.exe 2576 2772 0 ------ 2018-01-31 03:54:14UTC+0000 . 0xfffffa8003e35b30:notepad.exe 2664 2576 6 173 2018-01-31 03:54:30UTC+0000 .. 0xfffffa8003af5060:cmd.exe 2840 2664 1 37 2018-01-31 03:55:05UTC+0000 ... 0xfffffa800255f460:dd.exe 2524 2840 1 44 2018-01-31 04:19:14UTC+0000 .. 0xfffffa8003bfc060:notepad.exe 2296 2664 5 94 2018-01-31 03:55:16UTC+0000 0xfffffa8003dc5220:iexplore.exe 2572 2772 0 ------ 2018-01-31 03:54:33UTC+0000 . 0xfffffa8003f60060:notepad.exe 1160 2572 4 149 2018-01-31 03:54:40UTC+0000 - IExplore.exe has many child processes like notepad.exe, cmd.exe and dd.exe. This is truly weird. Conclusion:
- 12. From the analysis above, we think that this computer was unauthorized access because of the security problem of InternetExplorer on Windows 7. The attacker might use: - MS11_003_ie_css_importexploit - … We also think that they might use the cmd.exe for their exploringcommand line, and the dd.exe for capturingin the computer.