RevsUp Assignment: Wednesday July 22, 2015

Part 1 - Donna's Lab 03

resources:
Lab 03
mem.dmp
run.bat

Introduction

Click on the first link above to go to Donna's Lab 03. Go through the entire lab except the WinHex part near the bottom. Hopefully we can play around with WinHex on another day if time permits. You will pretend that the Microsoft Windows machine is both your trusted tool-providing machine and the target compromised machine. There are essentially three parts to this lab. Make a folder on the local machine called revsup (if you don't already have one) under your revsup user account. In that folder make another folder called Lab03 and put your deliverables in there.

Part 1

In this part you are simply gathering tools for your toolkit, which will be placed on your USB device. The deliverable is the checksum file that she asks for. Call the file PreChecksum. Here is a link to Md5Deep. If this link doesn't work, let me know and I will give you a copy of the tool. Try to put all of the tools in the USB's root directory. Also make sure to run Md5Deep before you create your log file, so the baseline checksums cover only the toolkit.

Part 2

In this part you will be running your tools from your USB drive and recording the results in your log file. Make sure your log file has the output from all of the tools that were run. Also remove any lingering commands from the log file. If I look at your log file I shouldn't see things like "chkdsk >> log", only the output from that command. Donna provides useful links for Microsoft Windows commands on the terminal. She also has a sample BAT file that is linked at the top of this page. Your deliverable for this phase is the log file.

Part 3

For the last part you will move your log file and PreChecksum file to your local machine if you have not done so already. Make sure your log file is NOT on your USB drive, then run Md5Deep again on your USB drive and store the results in a file called PostChecksum. Move PostChecksum to your local machine and then run SDelete to wipe your USB drive clean (Donna has a link to SDelete amongst her other tools). Lastly, analyze the memdump file on your local Linux machine. I have included a link to this file at the top of this page. Make sure to not only use Donna's commands to narrow down the list of executables, but also use your own commands to accomplish what she is asking. Your file should be around 200 lines. Look at the file and write down any executables that look suspicious in a file called lab03.txt; this will be your deliverable for this last part.
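The two checks that tie Parts 1 and 3 together, comparing the PreChecksum and PostChecksum listings of the USB and pulling candidate executable names out of a memory dump, can be done with a few shell functions on the Linux box. The script below is an added example written for this page; it is not Donna's code, not the course's run.bat, and not the real mem.dmp. The fake USB root, the fake dump contents and the file names are constructed for the demonstration, and md5sum plus tr stand in for Md5Deep and strings(1) so the script runs with only coreutils.

```sh
#!/bin/sh
# Added example, not code from the assignment or from Donna's lab: a POSIX
# shell walk-through of the checksum and memory-dump steps on Linux.
# The fake "USB root", the fake memory dump and all file names are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/lab03_demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the USB root holding the toolkit; prints its path.
make_usb() {
    mkdir -p "$WORK/usb"
    printf 'tool one\n' > "$WORK/usb/tool1.exe"
    printf 'tool two\n' > "$WORK/usb/tool2.exe"
    echo "$WORK/usb"
}

# Constructed stand-in for mem.dmp: printable strings mixed with non-printable
# bytes, the way names appear inside a real dump; prints its path.
make_dump() {
    dump="$WORK/mem.dmp"
    printf 'C:\\Windows\\System32\\svchost.exe\000\001\002' > "$dump"
    printf 'EXPLORER.EXE\001\002junk\000svchost.exe\003' >> "$dump"
    printf 'started tool1.exe from E:\\\000' >> "$dump"
    echo "$dump"
}

# Checksum every file below a directory, one "hash  ./path" line per file, in
# sorted order with paths relative to the root so PreChecksum and PostChecksum
# line up whatever drive letter or mount point the USB had (same hash-then-path
# layout that Md5Deep writes).
checksum_tree() {
    ( cd "$1" && find . -type f | sort | while read -r f; do md5sum "$f"; done )
}

# Compare two checksum files. Exit status 0 when identical, 1 otherwise, with
# the differing lines shown: an extra line means a file (e.g. the log) was
# left on the USB; a changed hash means a tool was modified on the suspect box.
compare_checksums() {
    if diff "$1" "$2" > /dev/null; then
        echo "no change between $1 and $2"
        return 0
    fi
    echo "USB contents changed between $1 and $2:"
    diff "$1" "$2" || true
    return 1
}

# Reduce a memory dump to candidate executable names: turn every
# non-printable byte into a newline (a portable stand-in for strings(1)), keep
# tokens ending in .exe, fold case, then count and rank them so the list to
# review by hand is short.
list_executables() {
    tr -c '[:print:]' '\n' < "$1" \
        | grep -oiE '[A-Za-z0-9_.-]+\.exe' \
        | tr 'A-Z' 'a-z' \
        | sort | uniq -c | sort -rn
}

# Stand-alone demonstration: baseline the toolkit, "forget" a log on the USB,
# re-checksum, compare, then triage the constructed dump.
usb=$(make_usb)
checksum_tree "$usb" > "$WORK/PreChecksum"
printf 'chkdsk output...\n' > "$usb/log.txt"      # log mistakenly left on the USB
checksum_tree "$usb" > "$WORK/PostChecksum"
compare_checksums "$WORK/PreChecksum" "$WORK/PostChecksum" || true
list_executables "$(make_dump)"
```

When you run this the compare step reports the extra ./log.txt line, which is exactly the situation Part 3 tells you to avoid before taking the PostChecksum; on the real mem.dmp the list_executables output is a starting point for lab03.txt, not the answer, since a common name such as svchost.exe can be legitimate or a lookalike and still needs the closer look Donna's commands give.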