Computer Forensics Essentials

January 31, 2024

Live Acquisition of
Volatile Data
Memory Dump & Analysis

Assignment
Name: Mahnoor Arshad Qureshi

Roll no: Fa-2022/BS DFCS/003

Subject: Computer Forensics Essentials

Submitted To: Ma’am Fatima

Roll no: Fa-2022/BS DFCS/003 Mahnoor Arshad Qureshi Page 1

Live Acquisition of Volatile Data (Memory Dump & Analysis)

Q.1 Explain Volatile Data and provide order of volatility from most to least volatile.

Order of Volatility

The following is the order of volatility:

1. Live
2. Running
3. Virtual
4. Network
5. Physical

Q.2 Capture the RAM of your own live running system using any available forensic tool,
preferably command line.

RAM Capturing

I utilized the DumpIt tool to acquire a snapshot of the system's RAM. During the process of preserving
the RAM content, I ensured the stability of my internet connection and deliberately accessed various
applications and diverse websites to maximize the capture of a broad spectrum of data.

Subsequent to launching multiple applications and accessing various websites, I proceeded to initiate
the DumpIt tool for the purpose of capturing the RAM content.

Following the initiation of DumpIt, proceed with the acquisition process by confirming the action
through the input of 'y'.

Once DumpIt started, the acquisition took some time to complete, because the tool reads and
consolidates the full contents of the system's RAM into the dump rather than stopping early.

After using 'DumpIt,' I examined the captured data at C:\Windows\System32\Desktop. I located the
Dump (DMP) file, a comprehensive repository of intricately recorded RAM data crucial for in-depth
analysis. My focus is on the System32 directory within Windows and the Desktop subdirectory, where
I plan to extract valuable insights into my system's operational state during the data capture.

Q.3 Analyze the captured image of RAM using any open source tool e.g. Bulk Extractor.

Analyzing using Bulk Extractor

Following are the steps to analyze the captured image of RAM using an open-source tool like Bulk
Extractor:

I. Install Bulk Extractor:

Begin by downloading and installing Bulk Extractor, an open-source forensic tool designed for
extracting information from disk images, file systems, and memory captures.

II. Launch Bulk Extractor:

Open the command-line interface on your analysis system. Navigate to the directory where Bulk
Extractor is installed.

III. Load Captured RAM Image:

Use the tool's interface to load the captured RAM image file. This is typically done through the tool's
file or image loading options.

IV. Navigate to Tools Section:

Explore the tool's interface to locate the "Tools" section or menu. Within the "Tools" section, look
for an option to run Bulk Extractor. Click on this option to initiate the analysis process.

V. Configure Analysis Settings:

When prompted, select the captured RAM image file as the input. Choose or create an output feature
directory where Bulk Extractor will store the results.

VI. Select Scanners:

Look for an option to choose scanners. Opt for the "Select All" option to ensure a comprehensive
analysis using all available scanners.

VII. Initiate Analysis:

Click on the "Run" or "Start" button to begin the analysis. Keep an eye on the progress indicators or
logs provided by Bulk Extractor. This will allow you to track the status of the analysis.

VIII. Examine Results:

Inspect text-based output files and any other generated files for relevant information. These may
include details extracted from the RAM image, such as URLs, email addresses, and other artifacts.
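As an added example (not part of the assignment or of Bulk Extractor itself), the feature files that Bulk Extractor writes into the output directory chosen in step V are plain text: comment lines beginning with `#`, then one tab-separated record per hit giving the byte offset in the image, the extracted feature and its surrounding context. The script below parses records of that shape and tallies e-mail addresses by domain to speed up the review in step VIII; the sample lines are constructed, not taken from the author's dump.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of a bulk_extractor email.txt feature file:
# header comments, then "<offset>\t<feature>\t<context>" per hit. An offset
# may carry a forensic path (e.g. "2097152-GZIP-4096") when the hit was found
# inside a region that the tool decompressed.
SAMPLE_EMAIL_TXT = """\
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: (constructed sample)
# Feature-Recorder: email
# Feature-File-Version: 1.1
1048576\talice@example.com\tmailto:alice@example.com?subject=hi
2097152-GZIP-4096\tbob@example.org\tFrom: bob@example.org
3145728\talice@example.com\tTo: alice@example.com
4194304\tcarol@example.net\tReply-To: carol@example.net
"""

@dataclass(frozen=True)
class Feature:
    offset: int          # byte offset of the hit in the memory image
    forensic_path: str   # "" for a direct hit, e.g. "GZIP-4096" when nested
    feature: str
    context: str

def parse_feature_file(text: str) -> list[Feature]:
    """Parse feature-file lines, skipping '#' comment lines and blank lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            continue  # malformed record: keep triaging rather than abort
        where, feature = parts[0], parts[1]
        context = parts[2] if len(parts) > 2 else ""
        base, _, path = where.partition("-")   # split off any forensic path
        records.append(Feature(int(base), path, feature, context))
    return records

def domains_by_count(records: list[Feature]) -> dict[str, int]:
    """Count distinct addresses per domain so a reviewer can triage quickly."""
    seen = {r.feature.lower() for r in records}
    return dict(Counter(addr.rsplit("@", 1)[1] for addr in seen if "@" in addr))

if __name__ == "__main__":
    recs = parse_feature_file(SAMPLE_EMAIL_TXT)
    for domain, n in sorted(domains_by_count(recs).items()):
        print(f"{domain}: {n}")
```

Point the same parser at `url.txt` to get a per-host view of the browsing artifacts the dump contains.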

COMPUTER FORENSICS & ESSENTIALS

Lahore Garrison University


Mahnoor Arshad Qureshi
Fa-2022-BS-DFCS/003