05: Memory Forensics

In this assignment, you’ll examine a memory image for a rogue process, and try to learn some details about what that process was up to. In other words, you’ll work through some use cases of Volatility to get hands-on experience with memory forensics!

Preparation

Volatility is a Python program, so you can probably run it in any Python2 environment you have accessible. But it does optionally use a few third-party Python modules, so it might be wise to have the ability to install such modules in your environment.

You’ll need to make sure you have a recent version of Python2 installed, and you’ll need to know how to invoke it at the command line. (For me, this is python-2.7 but it may vary for you.) You might also want to look into how to install third-party Python modules, but this will depend very much on your local package manager. (You might use port if you’re using MacPorts, or apt-get, or brew, or conda, or pip install... you get the idea.)

You’ll need to clone the current master branch of Volatility and work from there – the last “all-in-one” bundle they distribute does not understand Linux kernel headers on kernels past version 4.9 or so. You can test to see if it’s working by typing python2.7 vol.py -h or the like. This will show the version of Volatility you’re running, list any Python modules it could not import (and that you might consider installing, but it may not be necessary), and show you the list of available commands. Note: The specific checkout I used was 63f31e7359b52e133eda11dcf87591d802c934c9. You can switch your working tree to this checkout via git checkout 63f31e or the like.

Next, you’ll need to create or install a profile that matches the kernel in the memory image. The memory image was created on an un-updated Ubuntu 18.04.2 Server installation. The easiest way to create the appropriate profile is to download the one I created and used in class. But if you want the full yak-shaving experience, follow the directions, which is easiest inside of a matching environment (like your own Ubuntu 18.04.2 Server VM). Either way, put the .zip file into volatility/plugins/overlays/linux inside your checkout of Volatility’s source.

Finally, you’ll probably want a copy of the Python strings extractor I used in class. You can get it here: python_strings.py; put it into the volatility/plugins/ directory inside your checkout of Volatility’s source.

Scenario

Someone is running a Python process on this server and accessing COMPSCI 186’s solutions web pages!

What to do

Examine a memory image from the server (note: it is compressed with lzip, so you’ll need to decompress it first) and figure out what’s going on! In particular, use Volatility to answer the following.

  • Find any/all running Python processes, and determine their PIDs.
  • Which one(s), if any, are accessing the pages?
  • What URL(s) did they visit?
  • (optional, 25 point bonus) What was the authentication username/password?
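Most of the work above is reading Volatility output and then searching the memory of the interesting process for strings. The following is an added example of that post-processing step; it is not part of the assignment, not Volatility’s own code, and not the class strings extractor. It assumes you have saved the text output of linux_pslist to a file and dumped the suspect process’s memory regions with linux_dump_map; both inputs below are constructed samples, not data from the real image, and example.invalid is a placeholder host.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of Volatility 2's `linux_pslist` output.
# Offsets, PIDs and times are made up; only the column layout matters here.
SAMPLE_PSLIST = """\
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff9d1e3b9d0000 systemd              1               0               0               0      0x0000000073c1c000 2019-03-01 12:00:01 UTC+0000
0xffff9d1e3b9d2e00 sshd                 812             1               0               0      0x0000000073a56000 2019-03-01 12:00:09 UTC+0000
0xffff9d1e3b9d5c00 python2.7            1337            812             1000            1000   0x0000000071e9c000 2019-03-01 12:03:44 UTC+0000
0xffff9d1e3b9d8a00 python3              1402            1               1000            1000   0x0000000071a34000 2019-03-01 12:05:10 UTC+0000
0xffff9d1e3b9db800 bash                 1450            812             1000            1000   0x0000000071b10000 2019-03-01 12:06:00 UTC+0000
"""

# Constructed byte buffer standing in for a dumped process memory region
# (what `linux_dump_map` writes to disk). Mixes binary junk with
# HTTP artefacts the way a real heap would.
SAMPLE_MEMORY = (
    b"\x00\x00\x7fELF\x02\x01\x01"
    + b"GET /solutions/hw3.html HTTP/1.1\r\nHost: example.invalid\r\n"
    + b"\x00" * 16
    + b"https://example.invalid/solutions/hw4.html\x00"
    + b"\x01\x02\x03"
    + b"http://example.invalid/index.html?q=1\x00"
)

# Process names that are a Python interpreter: python, python2, python2.7, python3 ...
PYTHON_NAME_RE = re.compile(r"^python(\d(\.\d+)?)?$")

# Absolute URLs: scheme followed by a run of printable, non-space ASCII.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

# A raw request line plus its Host header, as a client library leaves it in memory.
REQ_RE = re.compile(rb"(GET|POST) ([\x21-\x7e]+) HTTP/1\.[01]\r\nHost: ([\x21-\x7e]+)")


def python_pids(pslist_text: str) -> Dict[int, str]:
    """Return {pid: name} for every row of linux_pslist whose name is a Python interpreter."""
    found: Dict[int, str] = {}
    for line in pslist_text.splitlines():
        parts = line.split()
        # Data rows start with a hex offset; this skips the header and separator rows.
        if len(parts) < 3 or not parts[0].startswith("0x"):
            continue
        name, pid = parts[1], parts[2]
        if PYTHON_NAME_RE.match(name):
            found[int(pid)] = name
    return found


def extract_urls(buf: bytes) -> List[str]:
    """Absolute URLs found verbatim anywhere in the dumped memory, deduplicated and sorted."""
    return sorted({m.group(0).decode("ascii") for m in URL_RE.finditer(buf)})


def extract_requests(buf: bytes) -> List[Tuple[str, str, str]]:
    """(method, host, path) for each raw HTTP request still resident in memory.

    The scheme is not recoverable from a request line alone, so host and path
    are reported separately rather than guessed into a URL.
    """
    reqs = set()
    for m in REQ_RE.finditer(buf):
        method, path, host = (g.decode("ascii") for g in m.groups())
        reqs.add((method, host, path))
    return sorted(reqs)


if __name__ == "__main__":
    # With real data: read the pslist text and the linux_dump_map output files instead.
    for pid, name in python_pids(SAMPLE_PSLIST).items():
        print("candidate process: pid=%d name=%s" % (pid, name))
    for url in extract_urls(SAMPLE_MEMORY):
        print("url:", url)
    for method, host, path in extract_requests(SAMPLE_MEMORY):
        print("request: %s %s%s" % (method, host, path))
```

Scanning for raw request lines as well as for absolute URLs matters because an HTTP client library often keeps the request it built (path and Host header) in memory without ever storing the full URL as one string; reporting the host and path separately avoids inventing a scheme the evidence does not show.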

This assignment is worth 100 points, with a possible bonus of 25 points as listed above.

Write a short report that includes any Volatility commands (and excerpted output) you needed. Also include the source of any programs or scripts you wrote. Finally, include your answers to the above questions. Wrap all this into a zip file and submit it using Moodle.

Your submission should be comprised of your written answers, programs, and any other required files. Putting it all into a reasonable archive format (.zip, .tar.gz) and uploading it through Moodle is how we expect you to get it to us.

Reminder: Group work is permitted (so long as you clearly indicate group members). But if you work in groups, we will generally expect a higher level of performance on the work.