


Examine Physical Memory

As with memory acquisition, there are numerous tools that can help the digital forensic investigator view or analyze memory data. Volatility, for example, is a very powerful and popular open-source, command-line memory analysis framework, but many GUI-based forensic suites can also be used to view or parse memory images.

Use FTK Imager to look at either of the memory images you just created.

1. From FTK Imager's "File" drop-down menu, choose "Add Evidence Item...".
2. Choose "Image File", click "Next", point the tool at either of the newly created ftk-memory.img or mrc-memory.raw files, and click "Finish" to load it.
3. Notice that the image has no discernible file structure to speak of. Unlike a disk image, a physical memory dump contains no file system; to your eyes, most of it will look like unstructured data.
4. As you move the slider up and down in the bottom pane of FTK Imager, you can view the raw data dumped from physical memory in both hexadecimal and ASCII form. While much of the data is not human-readable, you should be able to find some strings that you can read and perhaps even recognize (module names, file paths, URLs). Keep in mind that Windows stores much of its in-memory text as UTF-16LE, which the ASCII column shows as characters separated by dots; a run such as "h.t.t.p.:././" is a readable string, not noise.
5. Close FTK Imager.

As a contrast to "manually" reviewing memory dumps in FTK Imager, you can (and should) use a more full-featured forensic suite, such as Magnet AXIOM, which leverages Volatility, to process and analyze a memory dump. Magnet AXIOM is actually composed of two different (but related) tools: AXIOM Process and AXIOM Examine.

1. Double-click the AXIOM Process (not Examine) icon on your VDI Desktop to launch the tool.
2. If it asks you to turn off the system's anti-virus (which can often disrupt AXIOM's ability to fully process and analyze data), do so. The VDI is a dedicated analysis machine, and the memory dump is a file, so this does not affect any system under investigation.
3. When AXIOM Process opens, click to create a new case.
4. Fill in CASE DETAILS: make up a case number and choose "Data exfiltration / IP theft" as the Case Type.
5. Under the "LOCATION FOR CASE FILES" section, change the folder name to "Memory" and set your Desktop directory as the file path.
6. Put your name in the "Scanned by" field and click the "GO TO EVIDENCE SOURCES" button.
7. In the EVIDENCE SOURCES area, click the following buttons, in order, to load the MagnetRAMCapture.dmp memory dump file (present on your VDI Desktop in the "DFS501" folder, C:\Users\Public\Desktop\DFS501, or provided by your instructor):
   COMPUTER > WINDOWS > LOAD EVIDENCE > MEMORY > LOAD MEMORY DUMP FILE > select the MagnetRAMCapture.dmp file.
8. Select "I want AXIOM Process to provide a list of recommended image profiles" and click "Next". AXIOM will scan through the memory dump and analyze specific locations in an attempt to produce a list of potentially valid image profiles. A compatible image profile (the Volatility profile describing the kernel data structures of one OS version and architecture) must be selected for a memory dump to be analyzed fully and correctly; a wrong profile usually yields empty or nonsensical results rather than an error. Knowing what OS was running on the system from which the memory was dumped helps with profile selection, and Volatility's own imageinfo or kdbgscan plugins can be used to cross-check a recommendation. In this case, select "Win7SP1x64" as the Image profile, click "Next", and then "GO TO PROCESSING DETAILS".
9. For this exercise, skip the PROCESSING DETAILS area and go straight to the ARTIFACT DETAILS area by clicking the "Computer artifacts" item on the left side of the interface.
10. Click "CLEAR ALL" to uncheck the various artifacts, then highlight and re-check the entire "MEMORY" artifact category. Look at the different memory-related artifacts that AXIOM will try to parse from the dump for you.
11. Click "GO TO ANALYZE EVIDENCE", then "ANALYZE EVIDENCE" to start AXIOM processing the selected memory dump. AXIOM Process will display more detail about its progress, and AXIOM Examine will open automatically to facilitate analysis of the results. In the bottom left corner of the AXIOM Examine interface, you will likewise see the progress of AXIOM's processing.
12. If you click the "LOAD NEW RESULTS" link in that progress bar at any time during processing, you can begin interacting with the results. Approximately fifteen minutes after processing begins, even if it has not completely finished, click "LOAD NEW RESULTS" in AXIOM Examine and begin your examination.
13. Use the view drop-down menu (which currently shows "CASE DASHBOARD") to select the ARTIFACTS view.
14. In the Artifacts pane, on the left side of the interface, use the arrow to expand the "MEMORY" artifact category and view the various artifacts that AXIOM was able to parse from the memory dump. Clicking an artifact type in the Artifacts pane lets you see and interact with specific artifacts in the Evidence pane (center of the interface); clicking a specific artifact in the Evidence pane shows its detailed information in the Details pane on the right.
15. Notice that AXIOM was able to parse artifacts such as "Network Info (netscan)" (comparable to the output of the Windows netstat command you ran earlier) and "Open Handles (handles)" (comparable to handle.exe from the Sysinternals tool suite). The names in parentheses are the Volatility plugins AXIOM ran against the dump. One difference from the live tools: netscan carves the image for network-object allocations, so it can also list connections that had already closed by the time memory was captured, which a live netstat would never show.

Take your time and examine the parsed artifacts in AXIOM Examine. If this memory dump were from a computer assigned to Mr. Informant (the suspect in this data theft investigation), do you see any artifacts that you would consider notable in the context of your investigation?

Complete Your Assignment

Once you have all the necessary information recorded in your notes/screenshots (on your personal student system, not inside the VDI) to complete your Lab deliverable, please shut down your VDI machine to free up resources for other students.

DELIVERABLE: Your boss is counting on you to complete your slide presentation containing the information you think is important to share with your team regarding considerations when collecting and/or analyzing data from a live system, as well as demonstrating your use of all the tools/techniques stepped through above. Save (or print) the presentation to a .PDF file and submit that .PDF as your deliverable for this assignment via your assignment submission link.
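The "manual" hex/ASCII review in FTK Imager is, in effect, a strings search over the raw image. The Python script below is an added example that reproduces that step in code; it is not part of the lab and not code from FTK Imager, AXIOM or Volatility. It scans a raw dump for runs of printable bytes in both ASCII and UTF-16LE (the encoding Windows uses for most in-memory paths and URLs, which FTK Imager's ASCII column shows as dotted characters), reports the byte offset of each run so it can be located in FTK Imager's bottom pane, and then applies a few indicator patterns (URLs, IPv4 addresses, Windows paths) to the recovered strings. SAMPLE_IMAGE is a constructed byte string standing in for a slice of a dump; the user name, host, address and URL in it are invented for the demo, and the Mr. Informant scenario is only used to make the constructed sample plausible.

```python
"""Strings scanner for a raw physical memory image (added example).

Not part of the lab and not FTK Imager, AXIOM or Volatility code.
SAMPLE_IMAGE below is a constructed stand-in for a slice of a dump; the
path, user name, host, address and URL in it are invented for the demo.
"""
import mmap
import re
import sys
from typing import List, Tuple

MIN_LEN = 6  # shortest run worth reporting, in the spirit of `strings -n 6`

# Indicator patterns applied to each recovered string.
INDICATORS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "win_path": re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]*"),
}


def scan_strings(data, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in `data`.

    `data` may be bytes or an mmap. Two encodings are recovered:
      - ascii: runs of printable 7-bit bytes, what FTK Imager's ASCII
        column shows directly;
      - utf-16le: runs of printable byte + NUL, which Windows uses for most
        in-memory text and which the ASCII column shows as "h.t.t.p".
    Offsets are byte offsets into the image, so they can be dialed into
    FTK Imager's bottom pane to inspect the surrounding raw data.
    """
    ascii_run = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort(key=lambda item: item[0])
    return found


def find_indicators(strings) -> List[Tuple[int, str, str, str]]:
    """Run the INDICATORS patterns over recovered strings.

    Returns (offset, encoding, kind, value); the offset is that of the
    enclosing string, not of the match within it.
    """
    hits = []
    for offset, enc, text in strings:
        for kind, pattern in INDICATORS.items():
            for m in pattern.finditer(text):
                hits.append((offset, enc, kind, m.group()))
    return hits


def scan_file(path: str, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Scan an image on disk. mmap lets the regexes walk a multi-gigabyte
    dump (e.g. mrc-memory.raw) without reading it all into memory."""
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return scan_strings(mm, min_len)


# Constructed stand-in for a slice of a dump: opaque bytes around an ASCII
# module name, a UTF-16LE user-profile path, an ASCII HTTP request and a
# UTF-16LE URL. All names and addresses are invented.
SAMPLE_IMAGE = (
    b"\x00\x8b\x45\xfc\x83\xc4\x04"
    + b"kernel32.dll\x00"
    + b"\x00" * 5
    + "C:\\Users\\informant\\Desktop\\secrets.xlsx".encode("utf-16le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef" * 3
    + b"GET /upload HTTP/1.1\r\nHost: 203.0.113.7\r\n"
    + "https://files.example.net/upload".encode("utf-16le")
    + b"\x01\x02\x03"
)


if __name__ == "__main__":
    # Pass a dump file path to scan a real image; otherwise use the sample.
    recovered = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_strings(SAMPLE_IMAGE)
    for offset, enc, text in recovered:
        print(f"0x{offset:08x} {enc:8s} {text}")
    print("--- indicators ---")
    for offset, enc, kind, value in find_indicators(recovered):
        print(f"0x{offset:08x} {enc:8s} {kind:8s} {value}")
```

Run it as `python scan_strings.py mrc-memory.raw` to get an indicator list for the image you viewed in FTK Imager; the offsets line up with the hex pane. This is a raw carve with no notion of which process owned the bytes, which is exactly what the structured Volatility plugins add: the same netscan and handles plugins that AXIOM names in its artifact list can be run directly with Volatility 2 as `vol.py -f MagnetRAMCapture.dmp --profile=Win7SP1x64 netscan`, and Volatility 2's strings plugin can map string offsets from a scan like this one back to the owning process.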
