ISCS 3523 Hunting in Memory

GOAL: Analyze the provided memory file (KobayashiMaru.vmem) for malicious activity. You can do this several ways. You could log in to one of the Win-Hunt VMs available to you through SimSpace to access Volatility. Volatility is also on the Kali-Hunt VMs. If you have trouble using Volatility, consider accessing the SANS Memory Forensics Cheat Sheet. You can of course use other tools designed for memory forensics if you wish to analyze the memory. However, at a minimum you should answer and provide proof and/or reasoning for these questions; there is much more to find than what is here:

1. What operating system is the computer using? What version?
2. How much RAM is included in the analysis?
3. View the running processes. Does this look like your average box?
   a. What processes look abnormal? What makes them abnormal?
4. Can you find user account names? Passwords?
5. View the Dynamically Linked Libraries. Does this look like your average box?
   a. What DLLs look abnormal?
6. Can you associate any Processes (PIDs), DLLs, and executables?
7. View the files associated with the processes.
   a. Do any files or file paths look abnormal? Reference the file path if available.
8. Explain what you think happened to this box.
Added by Alexander R.
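Question 3 (abnormal processes) is usually answered by reading the process list against what a clean Windows box looks like: core processes have a fixed parent (lsass.exe and services.exe under wininit.exe, svchost.exe under services.exe), some of them exist exactly once, and malware likes names that are one typo away from a system binary. The script below is an added example, not part of the assignment or of Volatility; it assumes you have already saved the plugin output with something like `vol.py -f KobayashiMaru.vmem windows.pslist > pslist.txt` (Volatility 3; the Volatility 2 `pslist` plugin prints the same leading PID/PPID/name columns) and then applies those three checks to it. The sample process listing embedded in the code is constructed for the example and is not from KobayashiMaru.vmem.

```python
"""Triage a Volatility pslist dump for processes that break the normal Windows tree.

Added example: assumes the text output of `windows.pslist` (Volatility 3) or
`pslist` (Volatility 2), where each process row begins with PID, PPID and
ImageFileName. Only those three columns are used.
"""
import re
from dataclasses import dataclass

# Expected parent for core processes (assumption: Vista/7-era process tree).
# None means the parent is normally already exited (smss.exe) or varies.
EXPECTED_PARENT = {
    "wininit.exe": None,
    "csrss.exe": None,
    "winlogon.exe": None,
    "explorer.exe": None,
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "taskhost.exe": "services.exe",
    "spoolsv.exe": "services.exe",
}
# Processes that must appear exactly once on a healthy box.
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}
# Names we treat as legitimate; anything not here but within two edits of one is suspicious.
KNOWN = set(EXPECTED_PARENT) | {"system", "smss.exe", "lsm.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str


def parse_pslist(text):
    """Return Proc objects for every row that starts with PID PPID ImageFileName."""
    procs = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\d+)\s+(\S+)", line)
        if m:  # header and separator lines do not start with two integers
            procs.append(Proc(int(m.group(1)), int(m.group(2)), m.group(3)))
    return procs


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike names such as scvhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(pslist_text):
    """Return (pid, reason) pairs for processes that violate the expected tree."""
    procs = parse_pslist(pslist_text)
    by_pid = {p.pid: p for p in procs}
    findings = []
    first_seen = {}
    for p in procs:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)  # None if the parent has exited or is outside the dump
        expected = EXPECTED_PARENT.get(name)
        if expected and parent and parent.name.lower() != expected:
            findings.append((p.pid, f"{p.name} parent is {parent.name} (PID {p.ppid}), expected {expected}"))
        if name in SINGLETONS:
            if name in first_seen:
                findings.append((p.pid, f"second {p.name}; first instance is PID {first_seen[name]}"))
            else:
                first_seen[name] = p.pid
        if name not in KNOWN:
            close = sorted(k for k in KNOWN if edit_distance(name, k) <= 2)
            if close:
                findings.append((p.pid, f"{p.name} resembles {', '.join(close)}"))
    return findings


# Constructed sample in the column layout of `windows.pslist`; not real image data.
SAMPLE_PSLIST = """\
PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime
4	0	System	0x8a2f3020	58	400	N/A	False	2012-03-14 10:00:01
348	4	smss.exe	0x8b1c9d40	2	29	N/A	False	2012-03-14 10:00:02
424	416	csrss.exe	0x8b2e4030	9	400	0	False	2012-03-14 10:00:03
468	416	wininit.exe	0x8b2f1a20	3	75	0	False	2012-03-14 10:00:03
564	468	services.exe	0x8b3a6d40	7	200	0	False	2012-03-14 10:00:04
572	468	lsass.exe	0x8b3b0020	6	500	0	False	2012-03-14 10:00:04
676	564	svchost.exe	0x8b3f2030	10	350	0	False	2012-03-14 10:00:05
1120	1084	explorer.exe	0x8b4c1d40	20	600	1	False	2012-03-14 10:00:20
1788	1120	scvhost.exe	0x8b5d3020	3	80	1	False	2012-03-14 10:05:41
2016	1120	svchost.exe	0x8b5e9a20	4	90	1	False	2012-03-14 10:05:42
2244	676	lsass.exe	0x8b60f030	2	40	1	False	2012-03-14 10:05:43
"""

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_PSLIST):
        print(f"PID {pid}: {reason}")
```

On the constructed sample this reports scvhost.exe (look-alike name), the svchost.exe whose parent is explorer.exe, and the second lsass.exe (wrong parent and a duplicate). Treat each finding as a lead, not a verdict: confirm with `windows.pstree`, `windows.cmdline` and `windows.dlllist` for the flagged PIDs, since a missing parent simply means the parent had already exited when the image was taken.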
Step 1
- Make sure the memory file `KobayashiMaru.vmem` is accessible to the system where you'll be performing the analysis.