Your assignment is to analyze the following four files, collected with pmdump.exe from a Windows Server 2008 host.
| File as collected by pmdump | Process name | Process ID | MD5 | SHA-1 |
|---|---|---|---|---|
| iexplore-2292 | iexplore.exe | 2292 | fe2d2922ea3576070cbaf46722a8dc73 | 3ebd60cea250907320698f03aa0f2faad46b845c |
| notepad-3892 | notepad.exe | 3892 | 0df683050e956e88d6bd80ad3267fc65 | 737358e58511a1cf7e376ab987cdd826ee49e8e9 |
| winscp425-3476 | winscp425.exe | 3476 | 147d3b7dec29552c88ba2de8238f7058 | 9c2fa8d582c2dbd0f0b6f88d25567ed3552dbb61 |
| winscp425-3792 | winscp425.exe | 3792 | a7e90a51b889a4efe89f54592ca8e211 | 2865b6132e3a3b23c38ac444fccd16604e1afb1c |
I will leave it up to you to decide which tools you use to extract information from these memory dumps, but note that there is significant discussion of pmdump on pp. 161-162 of Malware Forensics.
I am looking for (1) an analysis of the kind of information you hope to find, based on intelligent guesses from the process names; (2) how much useful raw data you are able to extract; and (3) how well you can then analyze that raw data to describe what the processes are and what they have been doing.
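As an added example (not part of the assignment hand-out, and not code from pmdump or from Malware Forensics), the script below does the two things you will want to do before any deeper analysis: confirm that each dump still matches the MD5 and SHA-1 recorded in the table, and pull strings out of it. It extracts UTF-16LE strings as well as ASCII, because Windows user-mode processes keep most paths, URLs and UI text as UTF-16LE, and an ASCII-only strings pass misses much of what notepad.exe and iexplore.exe hold. The indicator patterns follow the guesses the process names suggest (URLs for the browser, a file path for notepad, sftp/ftp targets and IP addresses for WinSCP). The file names assume the dumps sit in the working directory under the names in the table; the SAMPLE buffer is constructed inline so the script also runs without them.

```python
"""Verify pmdump files against the recorded hashes, then pull strings from them.

Added example for this assignment, not part of the hand-out. It assumes the
four dumps sit in the current directory under the file names in the table;
the SAMPLE buffer below is constructed so the script also runs without them.
"""
import hashlib
import re
from pathlib import Path
from typing import Optional

# Hashes from the assignment table, keyed by the file name pmdump wrote.
EXPECTED = {
    "iexplore-2292":  ("fe2d2922ea3576070cbaf46722a8dc73", "3ebd60cea250907320698f03aa0f2faad46b845c"),
    "notepad-3892":   ("0df683050e956e88d6bd80ad3267fc65", "737358e58511a1cf7e376ab987cdd826ee49e8e9"),
    "winscp425-3476": ("147d3b7dec29552c88ba2de8238f7058", "9c2fa8d582c2dbd0f0b6f88d25567ed3552dbb61"),
    "winscp425-3792": ("a7e90a51b889a4efe89f54592ca8e211", "2865b6132e3a3b23c38ac444fccd16604e1afb1c"),
}


def hash_bytes(data: bytes) -> tuple:
    """Return (md5, sha1) hex digests, the two values recorded in the table."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def verify_dump(name: str, directory: str = ".") -> Optional[bool]:
    """True/False if the dump matches both recorded hashes, None if the file is absent.

    Re-run this after analysis as well: unchanged hashes show the evidence
    was not altered by the tools you ran over it."""
    path = Path(directory) / name
    if not path.is_file():
        return None
    return hash_bytes(path.read_bytes()) == EXPECTED[name]


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return (offset, encoding, text) for ASCII and UTF-16LE runs of >= min_len chars.

    Windows user-mode processes keep most UI text, file paths and URLs as
    UTF-16LE, so an ASCII-only strings pass misses much of what notepad.exe
    and iexplore.exe hold in memory."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE of printable ASCII: each printable byte is followed by a NUL.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    found.sort()
    return found


# Patterns matching the guesses the process names suggest: browsing activity
# for iexplore.exe, an edited file for notepad.exe, transfer targets for winscp425.exe.
INDICATORS = {
    "http_url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "sftp_url": re.compile(r"s?ftp://[^\s\"'<>]+", re.I),
    "ipv4":     re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "win_path": re.compile(r"[A-Za-z]:\\[^\s\"<>|]+"),
}


def find_indicators(strings: list) -> dict:
    """Group indicator hits by kind across the extracted strings."""
    hits = {kind: [] for kind in INDICATORS}
    for _offset, _encoding, text in strings:
        for kind, pattern in INDICATORS.items():
            hits[kind].extend(pattern.findall(text))
    return hits


# Constructed stand-in for a slice of process memory: an ASCII URL, then a
# UTF-16LE path and a UTF-16LE sftp URL, separated by non-printable bytes.
SAMPLE = (
    b"\x00\x7f\x10junk\x00"                                  # "junk" is shorter than min_len
    + b"http://example.com/login?user=alice\x00\x00\x01\x02"
    + "C:\\Users\\alice\\Documents\\notes.txt".encode("utf-16le")
    + b"\x00\x00\xff"
    + "sftp://alice@192.0.2.10:22".encode("utf-16le")
    + b"\x90" * 4
    + b"ab"                                                  # too short, must be ignored
)

if __name__ == "__main__":
    for name in EXPECTED:
        print(f"{name}: hashes match = {verify_dump(name)}")  # None until the dumps are present
    strings = extract_strings(SAMPLE)
    for offset, encoding, text in strings:
        print(f"0x{offset:08x} {encoding:<8} {text}")
    print(find_indicators(strings))
```

Run it once against the real dumps before you start, keep the output, and run it again when you are done; include both hash listings in the write-up alongside the string extracts. Expect the WinSCP dumps in particular to contain hostnames and account names in UTF-16LE rather than ASCII.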
I expect only one work product, a printed write-up. Please bring the write-up to class on Thursday.
Deliverables: For the write-up, create a short narrative of your experiences and include extracts showing the relevant raw data. Describe what programs you used for analysis and what operating systems you ran them on. Finally, give your guesses as to (1) what the processes are and (2) what they have been doing.
Print out the write-up of your experiences, and give that to me at the beginning of class on February 18th.