Memory Analysis with Volatility Framework

The purpose of this exercise is to Perform memory acquisition and analysis.

Using VM machine.

Step$0$: Fire the SIFT VM up

Use this DNS number $(172\mathrm{.}28\mathrm{.}102\mathrm{.}11)$

$-$ Setup your SIFT VM network

Volatility Framework:

$1.$ Acquiring the Image:

$$ Start your SIFT VM

$$ Make sure to configure your VM$$s network,

$$ Go to the Download folder,

$$ Delete all the files$/$folders$.$

$$ Empty the Trashcan

$$ Start firefox and look for wannacry$\mathrm{.}7$z which is a ransomware

Download the memory image. Extract the image in the cases directory

Start a terminal:

$$ Change directory to cases directory $($using cd command$)$:

$$ list the content of the cases directory using ls command to make sure the image you extracted is already there.

$$ Start answering the following questions.

Q$1(10$p$)$: what is the suggested profile$/$s for the image?

Q$2(15$p$)$: Choose the second profile, what were the running processes in terms of parent$-$child relationships?

$$ Why did you think we chose the second profile?

$$ What process was created by PID $1940?$

Q$3(10$p$)$: Are there any hidden process? Pay more attention to PID $1940$ and PID $740.$ Answer by yes or no and then why

Q$4(15$p$)$: Identify DLLs and path where the process PID $1940$ has executed from? Do you see dropped binaries in uncommon folders? Answer using yes or no and state the evidence.

Q$5(15$p$)$: What were the last running commands by process PID $1940$ and $740?$

Q$6(15$p$)$: Look at the handles of PID $1940,$ has it created a mutex? Answer with yes or no$,$ and then name mutex $.$ Hint: use $-$mutuent after the $-$p $1940.$