Sunday, October 30, 2011

Set Up to More Memory Forensics!

I -really- wanted to make this a cheesy video, but in the interest of time and saving what internet respect I have left, I decided screenshots and a storyline would suffice:

Monday 9am. I log onto my computer ready to face the day. I check some e-mails, I read some news sites, look at pictures of cute baby animals... you know, important things. It was all going fine until...

I see this text file appear on my desktop... it's called 'pwned'. What does -that- mean? I didn't put it there!
I have never seen anything like it before... so I click on it.

"Gotcha". I did not know I was playing tag?? What does that mean? Have I been hacked? Oh my goodness, if my company finds out I am in so much trouble, what with the Christmas party debauchery last year....

Luckily my cube buddy is a bit savvy with computers, so she comes over to take a dabble. "Have you been browsing the internet lately?" she asked inquisitively. "No, I do not do that on company time", I lied meekly, "I only checked my mail and visited some links... I don't trust that internet." I think she was impressed by my response because she stared at me for a while (out of respect, I am sure).

The commands she ran and the subsequent output are here:

>netstat -ano > victim_Netstat.txt
>WMIC /OUTPUT:C:\victimProcessList.txt PROCESS get Caption, Commandline, Processid

Caption           CommandLine                                             ProcessId
System Idle                                                               0
System                                                                    4
smss.exe          \SystemRoot\System32\smss.exe                           548
csrss.exe         C:\WINDOWS\system32\csrss.exe                           608
winlogon.exe      winlogon.exe                                            632
services.exe      C:\WINDOWS\system32\services.exe                        676
lsass.exe         C:\WINDOWS\system32\lsass.exe                           688
vmacthlp.exe      C:\Program Files\VMware\VMware Tools\vmacthlp.exe       848
svchost.exe       C:\WINDOWS\system32\svchost -k DcomLaunch               896
svchost.exe       C:\WINDOWS\system32\svchost -k rpcss                    980
svchost.exe       C:\WINDOWS\System32\svchost.exe -k netsvcs              1072
svchost.exe       C:\WINDOWS\system32\svchost.exe -k NetworkService       1140
svchost.exe       C:\WINDOWS\system32\svchost.exe -k LocalService         1304
spoolsv.exe       C:\WINDOWS\system32\spoolsv.exe                         1512
explorer.exe      C:\WINDOWS\Explorer.EXE                                 1600
VMwareTray.exe    C:\Program Files\VMware\VMware Tools\VMwareTray.exe     2020
VMwareUser.exe    C:\Program Files\VMware\VMware Tools\VMwareUser.exe     2032
VMwareService.exe C:\Program Files\VMware\VMware Tools\VMwareService.exe  1712
alg.exe           C:\WINDOWS\System32\alg.exe                             736
wscntfy.exe       C:\WINDOWS\system32\wscntfy.exe                         1020
cmd.exe           C:\WINDOWS\system32\cmd.exe                             1412
taskmgr.exe       C:\WINDOWS\system32\taskmgr.exe                         1108
cmd.exe           C:\WINDOWS\system32\cmd.exe                             1324
wmic.exe          wmic                                                    364
wmiprvse.exe      C:\WINDOWS\system32\wbem\wmiprvse.exe                   1316

>net start
These Windows services are started:

   Application Layer Gateway Service
   Automatic Updates
   COM+ Event System
   Computer Browser
   Cryptographic Services
   DCOM Server Process Launcher
   DHCP Client
   Distributed Link Tracking Client
   DNS Client
   Error Reporting Service
   Event Log
   Fast User Switching Compatibility
   Help and Support
   IPSEC Services
   Logical Disk Manager
   Network Connections
   Network Location Awareness (NLA)
   Plug and Play
   Print Spooler
   Protected Storage
   Remote Procedure Call (RPC)
   Remote Registry
   Secondary Logon
   Security Accounts Manager
   Security Center
   Server
   Shell Hardware Detection
   SSDP Discovery Service
   System Event Notification
   System Restore Service
   Task Scheduler
   TCP/IP NetBIOS Helper
   Terminal Services
   Themes
   VMware Physical Disk Helper Service
   VMware Tools Service
   WebClient
   Windows Audio
   Windows Firewall/Internet Connection Sharing (ICS)
   Windows Image Acquisition (WIA)
   Windows Management Instrumentation
   Windows Time
   Wireless Zero Configuration
   Workstation


"So, what I did was see what connections you have to your machine, what processes you have running, and what services you have started," my co-worker explained. "And besides the connection to port 4444 I do not see anything weird going on, but I do not see anything with the process ID either, so that makes me worried..."

"Look, all I did was turn on my machine and look at some puppies. I didn't start any services, or whatever you said." I was starting to get annoyed now because she was eating into my coffee break time.

"Let me just do a memory dump and take a closer look. I am sure we will get to the bottom of this.... and then you can get your coffee."
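To make the cube buddy's cross-check repeatable, here is an added script (mine, not something from the original post) that reads the saved netstat and WMIC output and does the correlation for you: each connection's PID is looked up in the process list, and any row whose PID has no matching process, or that touches a watch-listed port such as the 4444 mentioned above, is reported. The netstat and WMIC text embedded below is constructed for illustration; the IP addresses and the orphan PID 2208 are assumptions, not values from the post.

```python
"""
Correlate saved `netstat -ano` output with a `wmic process get` listing.

Added example for this post (not code from the original): every connection
or listener is joined to its owning process by PID, and anything whose PID
is absent from the process list, or that involves a watch-listed port, is
reported. A connection with no visible owner is exactly the hint that
justifies pulling a memory image instead of trusting the live tools.
"""
import re
from typing import Dict, List, Optional, Tuple

# Port watch-list. 4444 is the port the story mentions; an assumption about
# what the analyst finds interesting, not a rule.
SUSPECT_PORTS = {4444}

# --- constructed sample input (not captured from the post's machine) --------
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.56.101:139     0.0.0.0:0              LISTENING       4
  TCP    192.168.56.101:1044    192.168.56.1:4444      ESTABLISHED     2208
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:123          *:*                                    1072
"""

# WMIC pads each column to the header width; the sample is built the same way
# so the header-driven parser below sees realistic input. PID 2208 is
# deliberately missing: an assumed hidden process.
_WMIC_ROW = "{:<20}{:<44}{}"
WMIC_SAMPLE = "\n".join([
    _WMIC_ROW.format("Caption", "CommandLine", "ProcessId"),
    _WMIC_ROW.format("System Idle Process", "", 0),
    _WMIC_ROW.format("System", "", 4),
    _WMIC_ROW.format("svchost.exe", r"C:\WINDOWS\system32\svchost -k rpcss", 980),
    _WMIC_ROW.format("svchost.exe", r"C:\WINDOWS\System32\svchost.exe -k netsvcs", 1072),
    _WMIC_ROW.format("explorer.exe", r"C:\WINDOWS\Explorer.EXE", 1600),
])

# TCP rows carry a state column; UDP rows do not, hence the optional group.
_NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[dict]:
    """Return one dict per connection row; UDP rows get an empty state."""
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "pid": int(pid)})
    return conns


def parse_wmic(text: str) -> Dict[int, Tuple[str, str]]:
    """Map PID -> (caption, command line) using the header's column offsets.
    Real WMIC /OUTPUT files are UTF-16; open them with encoding="utf-16"."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    cmd_col, pid_col = header.index("CommandLine"), header.index("ProcessId")
    procs = {}
    for ln in lines[1:]:
        caption = ln[:cmd_col].strip()
        cmdline = ln[cmd_col:pid_col].strip()
        procs[int(ln[pid_col:].strip())] = (caption, cmdline)
    return procs


def _port(addr: str) -> Optional[int]:
    """Port of 'ip:port'; None for wildcards such as '*:*'."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def triage(netstat_text: str, wmic_text: str,
           suspect_ports=SUSPECT_PORTS) -> List[dict]:
    """Join connections to processes and return the rows worth a second look."""
    procs = parse_wmic(wmic_text)
    findings = []
    for c in parse_netstat(netstat_text):
        owner = procs.get(c["pid"])
        reasons = []
        if owner is None:
            reasons.append("PID %d not in process list" % c["pid"])
        if {_port(c["local"]), _port(c["remote"])} & suspect_ports:
            reasons.append("watch-listed port")
        if reasons:
            findings.append({**c, "owner": owner[0] if owner else None,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, WMIC_SAMPLE):
        print("%-4s %-22s -> %-22s %-12s pid=%-5d owner=%s  [%s]" % (
            f["proto"], f["local"], f["remote"], f["state"], f["pid"],
            f["owner"], "; ".join(f["reasons"])))
```

On the real files you would read victim_Netstat.txt as plain text and C:\victimProcessList.txt with encoding="utf-16" and hand both strings to triage(). The thing to remember about the result is that it is only as good as the live tools feeding it: a PID that netstat reports but WMIC cannot see is the kind of mismatch that only a memory image will settle.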

See how I did that? I will use my video to mimic the investigation based on what we learned from the command-line outputs. Classic.

Not today though, I have many other things to do today. I am picking up my Learning Perl book again in hopes of getting through Chapter 5 (hashes), doing a bit more German learning on Rosetta Stone, and then maybe starting to go through "Digital Forensics with Open Source Tools" written by Harlan Carvey and Cory Altheide. The book, I hope, will expose me to a ton more tools (which are free) and give me a better understanding of what can be accomplished through them. Sometimes those new shiny tools just don't work and you have to have something to fall back on :)

If you haven't gone to Harlan's or Cory's blog I definitely suggest you do; these guys are great sources of new tools and processes out in the field. I also want to thank Harlan for giving me credit on his blog. I was totally shocked to see someone I have looked up to for his continuing work taking an interest in my work -- it's a good feeling and I hope not to disappoint :)

Before I head off into the void, if anyone out there is curious about the (uber wonderful) world of Linux for forensics/IR I suggest you go to Girl, Unallocated and look for her "Crossing the River Linux" posts. Plus I love her sense of humor, and if she really does live in Utah I am insanely jealous (one reason is this).

Ok time to make spooky cupcakes... enjoy your Sunday everyone!

2 comments:

Girl, Unallocated said...

Thank you for the shoutout! I love your stuff (Story-based learning? Brilliant!), so that means a lot.

Out of the goodness of my heart, I will refrain from gushing about how awesome Zions is. I will, however, mention that if you are ever in the area, you should definitely check out Arches and Bryce Canyon.

Corey Harrell said...

Nice post and I liked your approach of explaining the content in a story. Your posts are entertaining but yet educational. Keep up the great work.