Digital Forensics
Due Thursday, March 17th

Assignment 3: Elementary Process Memory Analysis, Windows

Your assignment is to analyze the following four files collected with pmdump.exe from a Windows 2008 server.

File as collected by pmdump   Process name    Process id   md5sum                            sha1sum
iexplore-2292                 iexplore.exe    2292         fe2d2922ea3576070cbaf46722a8dc73  3ebd60cea250907320698f03aa0f2faad46b845c
notepad-3892                  notepad.exe     3892         0df683050e956e88d6bd80ad3267fc65  737358e58511a1cf7e376ab987cdd826ee49e8e9
winscp425-3476                winscp425.exe   3476         147d3b7dec29552c88ba2de8238f7058  9c2fa8d582c2dbd0f0b6f88d25567ed3552dbb61
winscp425-3792                winscp425.exe   3792         a7e90a51b889a4efe89f54592ca8e211  2865b6132e3a3b23c38ac444fccd16604e1afb1c

I will leave it up to you to decide what tools you wish to use to extract information from these memory dumps, but I will note that there is significant discussion of pmdump at pp. 161-162 of Malware Forensics.

I am looking for (1) an analysis of what kind of information you hope to find, based on intelligent guesses developed from the process names; (2) how much useful raw data you are able to extract; and (3) how well you can then analyze the raw data to come up with descriptions of what the processes are and what they have been doing.
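An added example, not part of the assignment or of pmdump, of the first two steps a practitioner takes before interpreting a dump: confirming the file's md5/sha1 against the evidence table above, then extracting both ASCII and UTF-16LE strings and grouping them by the artifact classes the process names suggest (URLs for iexplore, transfer targets for winscp, document paths for notepad). The sample dump bytes and the indicator patterns are constructed assumptions, not evidence from the real files.

```python
import hashlib
import re
# Expected digests from the assignment's evidence table: name -> (md5, sha1).
EXPECTED_HASHES = {
    "iexplore-2292": ("fe2d2922ea3576070cbaf46722a8dc73", "3ebd60cea250907320698f03aa0f2faad46b845c"),
    "notepad-3892": ("0df683050e956e88d6bd80ad3267fc65", "737358e58511a1cf7e376ab987cdd826ee49e8e9"),
    "winscp425-3476": ("147d3b7dec29552c88ba2de8238f7058", "9c2fa8d582c2dbd0f0b6f88d25567ed3552dbb61"),
    "winscp425-3792": ("a7e90a51b889a4efe89f54592ca8e211", "2865b6132e3a3b23c38ac444fccd16604e1afb1c"),
}

def hashes_match(data, expected_md5, expected_sha1):
    """Confirm the bytes being analyzed are the dump listed in the evidence table."""
    return hashlib.md5(data).hexdigest() == expected_md5 and hashlib.sha1(data).hexdigest() == expected_sha1

def extract_strings(data, min_len=6):
    """Printable runs from raw memory. Windows keeps URLs, paths and window text
    largely as UTF-16LE, so an ASCII-only pass (plain `strings`) misses them."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {
        "ascii": [m.group().decode("ascii") for m in ascii_re.finditer(data)],
        "wide": [m.group().decode("utf-16-le") for m in wide_re.finditer(data)],
    }

# Artifact classes matching the guesses the process names suggest (assumed patterns):
# browsing (iexplore), transfer targets (winscp), edited documents (notepad).
INDICATORS = {
    "url": re.compile(r"https?://\S+", re.I),
    "sftp_target": re.compile(r"(?:sftp|scp|ssh)://\S+", re.I),
    "win_path": re.compile(r"[A-Za-z]:\\\S+"),
}

def triage(strings):
    """Group extracted strings by the kind of artifact they resemble."""
    hits = {kind: [] for kind in INDICATORS}
    for s in strings:
        for kind, pattern in INDICATORS.items():
            if pattern.search(s):
                hits[kind].append(s)
    return hits

# Constructed stand-in for a pmdump file (not real evidence): junk bytes around
# one UTF-16LE URL, one ASCII SFTP target and one UTF-16LE document path.
SAMPLE_DUMP = (
    b"\x00\x05\x90junk\x01"
    + "http://intranet.example/login.aspx".encode("utf-16-le")
    + b"\x00\x00\x13\x08"
    + b"sftp://backup@files.example.net:22\x00\x00"
    + "C:\\Users\\admin\\notes.txt".encode("utf-16-le")
    + b"\x00\x00"
)
```

Run `hashes_match(open(path, "rb").read(), *EXPECTED_HASHES[name])` on each real dump before anything else, and quote the matched strings in the write-up as the raw-data extracts.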

I expect only one work product, a printed write-up. Please bring the write-up to class on Thursday.

Deliverables: For the write-up, create a short narrative of your experiences and include extracts showing relevant raw data. Describe what programs you used for analysis, and what operating systems you used to run these programs. Finally, I want descriptions of your guesses as to (1) what the processes are and (2) what they have been doing.

Print out the write-up of your experiences, and give that to me at the beginning of class on March 17th.