Digital Forensics
Due Monday, March 4th.

Assignment 1: Process Memory Analysis, Windows

Your assignment is to analyze the following four files collected with Taskmanager's built-in process dumper from a Windows 7 client machine:

In the following table, there are four fields: the first is the dump file, which you can download. The second is the process image name given by Taskmanager. The third field is a md5sum of the dump file. The fourth field is a sha1sum of the dump file. (The last two are given so that you can verify that you successfully downloaded the files in the correct binary format.)

File as collected by Taskmanager Process image name md5sum sha1sum
chrome.DMP chrome ddc7277eca4c7de76421f5b2bfbb347e f5a2e970dbb37c296a2c35c16c0130a54692a312
iexplore.DMP iexplore 9712ffab7f117dc0171b64f504f82ae2 047da05aa801926067ddb29e5c02ecd17c9bcf11
ollydbg.DMP ollydbg 8361f2495cb244b91e2333a49b0ee538 c60dddb3f7dae50ccdda3a52bd9f9d0f7e59a607
PEview.DMP PEview 3fc00a227add71ecb2cc3ac69801f5f9 7a06d081e149b1deba6958b9f129a37804e08bb3

File as collected by Taskmanager	Process image name	md5sum	sha1sum
`chrome.DMP`	`chrome`	`ddc7277eca4c7de76421f5b2bfbb347e`	`f5a2e970dbb37c296a2c35c16c0130a54692a312`
`iexplore.DMP`	`iexplore`	`9712ffab7f117dc0171b64f504f82ae2`	`047da05aa801926067ddb29e5c02ecd17c9bcf11`
`ollydbg.DMP`	`ollydbg`	`8361f2495cb244b91e2333a49b0ee538`	`c60dddb3f7dae50ccdda3a52bd9f9d0f7e59a607`
`PEview.DMP`	`PEview`	`3fc00a227add71ecb2cc3ac69801f5f9`	`7a06d081e149b1deba6958b9f129a37804e08bb3`

I will leave it up to you to decide what tools you wish to extract information from these memory dumps, but I will note that there is relevant discussion of working with process dumps in Malware Forensics.

I am looking for (1) an analysis of what kind of information that you hope to find based on intelligent guesses developed from the process names (2) how much useful raw data you are able to extract (3) how well you can then analyze the raw data to come up with descriptions of what the processes are and what they have been doing.

I expect only one work product, a printed write-up. Please bring the write-up to class on Monday, March 4th.

This is not a collaborative assignment. Please do not discuss your work on this assignment with your classmates.

Deliverables: For the write-up, create a short narrative of your experiences and include extracts showing relevant raw data. Describe what programs you used for analysis, and what operating systems you used to run these programs. Finally, I want descriptions of your guesses as to (1) what the processes are and (2) what they have been doing.

Print out the write-up of your experiences, and give that to me at the beginning of class on March 4th.

Digital Forensics Due Monday, March 4th.

Digital Forensics
Due Monday, March 4th.