Okay guys, thanks and welcome back. We're getting ready to dive into memory forensics now, and I wanted to give an introduction to it. Essentially what we're going to be doing here is just continuing on with the same scenario. We've got all this stuff that we looked at with Zeek, we looked at it with Wireshark, and now we're going down to the different host levels. We know what the patterns look like in the network, and we've identified them in several segments of the network. Now we're investigating a specifically concerning segment of the network; let's say this is something like the financial services segment. And we found that on that part of the network we do see the pattern, we see the traffic that looks like what we've identified already, and we found this one machine that appears to be the target of a lot of the things we saw, based on the traffic. So let's go to that machine, and what we're going to do is look at the processes: how do you extract an image from it? Then we'll get that image over to our Kali box and actually, at least, start the process of investigating it. That will take us on to the next two sessions, or the next part here, which is basically utilizing memory forensics tools to actually look at it and see what we can find in there. So let's get right to it.

So here's our machine that we think may be compromised. I'm using this tool right here, it's just called MRCv120; it's really MRC version 1.20, is what it is, and I'm going to be using that as my tool to extract the memory with. Remember, we assume, and we talked about this in the lecture part of this series, or the lecture part of this skills path, that when you think a machine may be compromised, a lot of the time memory is the most valuable evidence. So we're going to immediately go ahead and run MRC to extract the memory. We're going to tell it where we want to save it; let's just save it right to the administrator's profile here.
And we're just going to call it suspect machine, or something shorter; let's just do case1.raw, so we stick with what we named other things. So we go ahead and say that's what we want to do, and we start the acquisition. Right, and I've got this machine with low memory, not a lot of memory, so this extraction process goes faster. If we were looking at 32 gigs of memory, this extraction might take 30 minutes or something like that. So we've got our memory file extracted; it's right here, so that's our raw memory dump. And now what we're going to do is simply pull that over. I'm going to push it over first, actually, to somewhere that I can get to it later from our Kali machine. This case1.raw is almost two gigs, so it's going to take a minute to copy over. So we'll let that copy over, and once it's done we'll move over to our Kali and pull it down.

All right, so that successfully uploaded; now we're going to go ahead and move to our Kali machine and pull it down. Let's go back to case one, so I'm just going to go right to the same location, and I'm using simple tools here because I want you guys to be able to duplicate this. All right, so it's pulling it down, and again we're going to give it time and we'll pick back up when it's finished downloading. All right, so the memory image successfully got downloaded. So now if we look in our directory here, we'll see that there is the case1.raw file; that is our memory image.

So one of the first things that you want to do with Volatility, or whatever memory tool you've got to use, is make sure that you know which operating system you actually dumped the memory from, because the thing is, if you don't know that, you might be telling your tools to run things that can't run against that version. So we're going to be using a tool called Volatility. All right, and let me just show you: if we
run it without any arguments, it basically just goes through and shows us what its usage is. All right, so if we want to know something, we do -h to get its usage, and it tells us all the different things, all the different plugins that Volatility has. So what you want to do with any tool is spend some time reading about it, reading on how to utilize it. But the first thing we need to find out is basically what the actual operating system is. Now, I know what it is, but I'm going to show you how to find out in case you didn't know. So we first have to give Volatility the -f flag to tell it where the memory image is, and that's going to be case1.raw. All right, and then we can give it the call of imageinfo. What it does is parse the entire memory image and give you a really, really good guess as to what the operating system is. Now, like I said, I already know what it is, but I'm letting this run just so you can see what it looks like. And keep in mind, if you're doing this, it might take a while to run, so we're probably going to cut this section of the video out while this is running, just so that you can see what the final product is.

All right, so it's showing us what it thinks it is, what it's guessing it is, and generally what you want to do is the following. It tells us here it thinks it's Win7 Service Pack whatever the case may be, and the first thing you want to do is test that by giving Volatility some very basic things to do. For example, and this is how you tell it what you think it is: I'm going to say, let's just guess Win7SP0 here. And we're just guessing, we could be wrong. One thing to do is try to make it do something very basic, something like pslist, right? That gives us a list of running processes, and if it works, then it's probably got the profile right.
And we can see that it absolutely does come in and list out all the running processes, so we can move forward knowing that that is the proper profile. Now what ends up happening is you can use this to help you figure out what happens to be going on in memory at the time that this dump was taken. Remember, we think that this machine may currently be compromised or something like that, so we can utilize that information to help us actually go ahead and look for things. Now, some of the stuff that we were looking for, remember that exploit.jar: we can tell Volatility to run something like the strings command, like so. And it didn't actually find one, so that means that we have to actually give it a strings file. But you can look at that and see how it works. We can also look for other things, like when the machine last shut down; all the information that you could find in memory, you'll be able to find it here, and we're going to see that when we move into this a little bit later and look at all the different things that we're able to do with these plugins that come with Volatility.

But the main thing here is summarizing what we did. We went to a machine that we thought was compromised based on what we saw in some other evidence; primarily it was the Zeek logs that we looked at and the stuff that we found in Wireshark. We went to that segment of the network, found a few machines that appear to be generating traffic, and then we went to that machine and took a memory dump. We pulled that memory dump over to our investigator machine, and now we've proven to ourselves that we know what the operating system for that memory dump is. Now we're ready to actually start looking deeper into it with Volatility. So what we're going to do is stop this session here, and the next part of this series will be actually diving into this with Volatility to see some of the things that we're able to see. Thanks for watching.
This was meant to be an intro to how we get the memory image, and we're going to get much, much, much deeper into it and have a lot more fun. See you in the next section.
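The acquisition, transfer and profile-check steps described in this session, as an added shell example (not the lecturer's own commands or scripts). It adds the one check the walkthrough skips: hashing the image on the suspect host right after MRC finishes and again on Kali after the download, so that a truncated or corrupted two-gigabyte transfer is caught before any plugin runs against it. It assumes Volatility 2 is installed as `vol.py` on PATH (the `imageinfo`, `pslist` and `--profile` invocations in the lecture are Volatility 2 syntax), that the image is named `case1.raw`, and that `sha256sum` exists on both ends; the "Suggested Profile(s)" line format is Volatility 2's `imageinfo` output.

```shell
#!/bin/sh
# Added example, not part of the original lecture. Helpers that wrap the
# acquisition-and-profile steps and add an integrity check on the copied image.
# Assumptions: Volatility 2 is on PATH as "vol.py", the image is case1.raw,
# and sha256sum is available on the suspect side's drop location and on Kali.

# Print the SHA-256 of an image. Record this on the suspect side right after
# MRC finishes, and again on Kali after the download; the two must match.
hash_image() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Return 0 only if the copy we are about to analyse hashes to the value
# recorded at acquisition time, so we never run plugins on a partial or
# corrupted transfer (which would otherwise just produce misleading
# imageinfo guesses rather than an obvious error).
verify_image() {
    img="$1"
    expected="$2"
    actual=$(hash_image "$img") || return 1
    [ "$actual" = "$expected" ]
}

# Let Volatility 2 guess the OS profile. imageinfo prints a line like
# "Suggested Profile(s) : Win7SP1x64, Win7SP0x64, ..." (sometimes followed by
# "(Instantiated with ...)"); this extracts just the comma-separated list.
guess_profiles() {
    vol.py -f "$1" imageinfo 2>/dev/null \
        | sed -n 's/.*Suggested Profile(s) : //p' \
        | sed 's/ (Instantiated.*//'
}

# Confirm a guessed profile the way the lecture does: run a cheap plugin and
# see whether it actually walks the process list. With a wrong profile pslist
# errors out or prints no rows, so the always-present "System" process never
# appears.
test_profile() {
    vol.py -f "$1" --profile="$2" pslist 2>/dev/null | grep -q 'System'
}

# Try each suggested profile in order and print the first one that works.
pick_profile() {
    img="$1"
    for p in $(guess_profiles "$img" | tr ',' ' '); do
        if test_profile "$img" "$p"; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Usage on the Kali box, once case1.raw has been pulled down
# (ACQUISITION_HASH is the value hash_image printed on the suspect side):
#   verify_image case1.raw "$ACQUISITION_HASH" || { echo "hash mismatch"; exit 1; }
#   PROFILE=$(pick_profile case1.raw) && vol.py -f case1.raw --profile="$PROFILE" pslist
```

Keeping the acquisition-time hash in your case notes is what lets you later state that the image you ran Volatility against is byte-for-byte the one captured on the host; `pick_profile` simply automates the "guess a profile, run pslist, see if it works" loop from the session.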