Week 1 Lab Exercises A Virtual Machines

This document outlines the procedures for setting up and using virtual machines (VMs) with VirtualBox, specifically for memory analysis in a lab environment. It covers the creation of a Kali Linux VM, installation of the operating system, configuration of shared folders, and management of VM settings. The lab aims to familiarize students with the tools and techniques necessary for effective memory analysis using virtual environments.


CST 3510 Week 1 Lab Exercises A

Virtual Machines
Before we start to look at memory analysis itself we need to make sure we are working within
a suitable environment. In this lab we will learn how to create and set up a virtual machine
using VirtualBox. We will then take a look at the VM we will be using for our analysis.

Introduction
Virtual Machines provide a whole virtual environment that imitates a physical one. A virtual
machine limits resources such as RAM and ROM memory, network interfaces, the monitor, etc.
There are several systems that manage virtual machines, such as VirtualBox, VMware or
QEMU. For this module's labs we will use VirtualBox, which is installed on all of the lab machines.
The use of virtual machines provides a number of advantages to those engaged in memory
analysis:

1. Isolation
Provides a controlled environment and prevents contamination of evidence.
2. Reproducibility
The same environment can be recreated any number of times, allowing findings to be verified
and their accuracy checked.
3. Snapshots
Can be created to capture the system state at given points in time.
4. Configurability
Ability to create any configuration of hardware/software/OS.
5. Research/Training
Provide a safe environment to learn about new techniques and threats without risk to the
hosting physical system.

Lab Goals

For today’s Lab the key aim is to become familiar and comfortable working with some of
the tools we will use on the module:

1. Learn how to build your own virtual machine from scratch.
2. Learn about managing configuration and settings in VirtualBox.
3. Boot up the Lab analysis machine for the first time.

CST3510 Week 1 Lab Exercises A 1 ©2024 d.neilson@mdx.ac.uk


Tools and Resources
For today’s Lab you will require the following tools and software:

• VirtualBox – An open-source virtual machine system.
• ISO Installer for Kali Linux – A Linux based investigative environment.
• MemoryAnalysis.ova – The main VM you will use for the majority of the analysis you
perform on the module (details provided below).
• At least 25GB of disk space.

Exercises
In this week's exercises you will notice that some steps were not strictly required, for
example because a piece of software is already installed. There are two main reasons for this. Firstly,
VirtualBox updates its software and Kali also updates its software; for example, Kali recently
removed having Volatility installed by default on its OS. The steps have been left in so
that you can practise things you will need to do in the coming weeks, and also in case you deal
with other problematic systems in the future.

Exercise 1 - Virtual Machines

1. Create A Virtual Machine with Kali Linux

The first thing we need to do is download the Operating System (OS). As this can take some
time, we will start with the download first. We need to download a system ISO to install the
OS. Go to Kali's webpage - https://www.kali.org/
Go to Downloads and download Kali Linux. Select a Kali Linux 64-bit (Installer). The file is
normally around 4GB. While it is downloading you can start the VirtualBox software and you
will be presented with the main screen as shown below in figure 1.

Figure 1. VirtualBox Manager Main Screen

Press New to create a new Virtual Machine. This will give you the set of options shown in figure
2 below. First, you need to choose a name for your machine. We will call it MemTest1. Next,
select the ISO Image field and choose the ISO of the Kali OS you have just downloaded.
VirtualBox adds a virtual optical drive to our new VM and places the ISO into it.

Figure 2. Create Virtual Machine Window

Now you can choose the hardware components for your virtual system (figure 3). Firstly we
need to allocate RAM. 2GB (2048MB) should be sufficient to install our Kali system.
One processor will be more than enough for what we are doing during the course of the
module.

Figure 3. Selecting VM main components

Next VirtualBox asks how much secondary memory (disk) you want to use (figure 4). Select the
option to create a virtual hard disk and set its size to 20GB. Let the disk be
dynamically allocated. For the file location and size you can leave the default values, and it
should look similar to the image shown in figure 4.

Figure 4. Allocating hard disk space for the VM

The next screen provides a summary to check; then select Finish. You will notice on
the main screen that your machine has been added and some of its details can be viewed.

2. Check Virtual Machine settings

You will now see that the VM has been added to the VM Manager, and we need to check a
few of the settings, so select Settings. If you click on the various fields on the left hand side
you will notice some of the specifications we just entered. Clicking on the Storage tab will
help you understand a little more about how virtual machines work, and is shown below
in figure 5.

Figure 5. Checking the VM settings

You can see that two storage controllers are listed as present in the system. Under
the IDE Controller you can see the name of the ISO file for the OS. This controller is essentially
a virtual optical drive, and we have placed an ISO in it just as you would put a real CD/DVD into a disk
drive. You will use this again next week when we set up shared folders for acquisition. In the
controller below this one you can see that a SATA Controller has been specified for the HDD.

3. Install Operating System onto the Virtual Machine

Now we have our virtual machine, but we want to install an Operating System (OS) in it; to be
precise, a Kali Linux system. The boot order of the device dictates that it will try to load from
the optical drive before the HDD, which will load the installation media (ISO) for the OS. Click
on Start to power on the virtual machine.

You will notice that it has created a very small window in which to view the content. If you
select the View menu followed by the Virtual Screen 1 menu item at the bottom, you can select
a different size to suit you. For now select the value that has “(autoscaled)” beside it, which
should make it viewable. It will boot into the main starting screen and you need to select the
first item in the list, Graphical Install (figure 6).

Figure 6. OS Installation

Proceed through all of the options selecting the default each time, and if you are unsure
then please ask for help. Make sure to keep a note of the username and password. During the
installation you might find an error with the configuration of the package manager. In that
case, skip this step: just go back and say 'Yes' to the option to continue without mirroring.
During the process the system might ask you where to install GRUB; select /dev/sda.
Once the installation finishes, select Continue, which will reboot the machine, and log in with
the credentials you used when setting up. If the system loads into its GUI then you have
successfully installed the virtual machine and the Operating System.

Next power down the machine by closing the window or selecting File > Close. This
will bring up a window; select the option to power off the machine. This is the same as
removing the cable from the back of a physical machine or holding down the power button, which
means that its state will not be saved.
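The GUI steps in parts 1 to 3 can also be reproduced with VirtualBox's own VBoxManage command-line tool, which is useful when you want the same lab VM rebuilt identically every time (the reproducibility point from the introduction). This is an added example, not part of the handout: the name MemTest1 and the 2048MB / 1 CPU / 20GB settings come from the text, while the ISO filename, the VM directory, the `DRY_RUN` switch and a host with a POSIX shell are assumptions.

```shell
#!/bin/sh
# Added example: build the Exercise 1 VM (MemTest1) with VBoxManage rather than
# the GUI. Values come from the handout: 2048 MB RAM, 1 CPU, 20 GB dynamically
# allocated disk, an IDE controller holding the Kali ISO, a SATA controller for
# the HDD, and the optical drive first in the boot order. Paths are assumptions.
set -eu

vbm() {  # echo instead of executing when DRY_RUN=1 or VBoxManage is absent
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v VBoxManage >/dev/null 2>&1
    then printf 'VBoxManage %s\n' "$*"; else VBoxManage "$@"; fi
}

# create_kali_vm NAME ISO_PATH DISK_DIR
create_kali_vm() {
    name=$1; iso=$2; disk="$3/$1.vdi"

    # Figure 2: name and register the VM (Kali is Debian based)
    vbm createvm --name "$name" --ostype Debian_64 --register

    # Figure 3: 2 GB RAM and one processor; try the optical drive before the HDD
    vbm modifyvm "$name" --memory 2048 --cpus 1 --boot1 dvd --boot2 disk

    # Figure 4: 20 GB (20480 MB) virtual disk, "Standard" = dynamically allocated
    vbm createmedium disk --filename "$disk" --size 20480 --format VDI --variant Standard

    # Figure 5: SATA controller for the HDD, IDE controller as the virtual
    # optical drive with the installer ISO inserted like a real CD/DVD
    vbm storagectl "$name" --name "SATA Controller" --add sata --controller IntelAhci
    vbm storageattach "$name" --storagectl "SATA Controller" --port 0 --device 0 \
        --type hdd --medium "$disk"
    vbm storagectl "$name" --name "IDE Controller" --add ide
    vbm storageattach "$name" --storagectl "IDE Controller" --port 0 --device 0 \
        --type dvddrive --medium "$iso"
}

# Print the commands first (DRY_RUN=1 ./build_memtest1.sh build), then run them
# for real. The ISO filename and VM directory below are assumptions.
if [ "${1:-}" = build ]; then
    create_kali_vm MemTest1 "$HOME/Downloads/kali-linux-installer-amd64.iso" \
        "$HOME/VirtualBox VMs"
fi
```

After the script has run, the machine appears in the VirtualBox Manager exactly as after the GUI wizard, and Start boots it from the ISO for step 3.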

4. Use the Virtual Machine

The virtual machine behaves as a normal computer system, and because it is a
virtual machine there are a few little tricks to make our work easier. For example, you can set up the
clipboard to allow copying and pasting between your host system and the VM, which can be
helpful when you need to copy a lot of code. This can be found by selecting from the menu bar
Devices > Drag and Drop > Select your preference.

Update System

Before you proceed, if you did not install the package manager then you need to set it
up. The package manager for Debian based systems is APT (Advanced Package Tool), and it is
used to make the installation of software and its associated libraries easier. To check
whether it has been configured we need to look at the file /etc/apt/sources.list. To do this enter
the following command at the terminal:

$> sudo nano /etc/apt/sources.list

Nano is one of many text editors available in Linux, and we will be viewing text files throughout the
module. The contents of the file are shown in figure 7 below.

Figure 7. Contents of /etc/apt/sources.list

If the package manager has been installed then you should be able to see the following line
uncommented:

deb http://http.kali.org/kali kali-rolling main non-free contrib

As can be seen in figure 7, the required line is present, so there is no need to edit and you can
use Ctrl-X to exit the file. If it is not present then enter the line into the text and comment out
any other lines that do not already start with the # symbol. Once complete use Ctrl-O to save,
which will prompt for the filename – just hit Enter to keep the same name. Then Ctrl-X to exit.

Shared Folders

The most relevant things that we will need to use in memory analysis are memory dumps.
These files are normally big (2, 4 or 16GB), and it is time consuming to upload them to or
download them from the Virtual Machine. Therefore it is necessary to have a shared folder
between our host system and the virtual machine. To create a shared folder, open the virtual
machine and select Devices > Shared Folders > Shared Folders Settings. Select the icon for
adding a new folder and it should bring up the window shown in figure 8 below.

Figure 8. Setting up a shared folder

Choose a folder on your system that will be the shared folder and fill out the rest as shown in
figure 8, making sure to tick the Auto-mount checkbox. The mount point is the file system
location in the virtual machine. To check it has been successful, click on the File System icon
on the desktop and go to the mount point location. You should see a directory with that name
under a folder icon.

However, for the vast majority of the time you will need to navigate the file system using the
command line. Open a terminal and type the following:

> ls /media

Figure 9. Listing contents of /media to view shared folder

This lists the contents of the media directory and you should see the testShare directory listed
as it is in figure 9 above (circled in red); seek help from your lab tutor if it isn't. Now you
can install the VirtualBox tools and other required software:

$> sudo apt-get update
$> sudo apt-get install linux-headers*
$> sudo apt-get install virtualbox-guest-x11

Add your user to the vboxsf group to give yourself permission on the folder:
$> sudo adduser [username you created] vboxsf

You should find that the software installed by the last two commands was already on the system. Reboot the system.

$> sudo reboot

Test the shared folder

To test that the shared folder is working please copy a small file into the directory you have
set up in the host system (not the VM). Once you have done this use the following command
to list the contents of the directory:

$> ls /media/testShare

If you are unable to see the file that you have copied, please ask your lab tutor for help, or
try the steps listed below. If you have found the file then you can move on to the next
exercise.
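The three guest-side checks from the Update System and Shared Folders parts above (the uncommented kali-rolling line in /etc/apt/sources.list, membership of the vboxsf group, and the share appearing under /media) can be scripted so you can re-run them inside the VM after each reboot. This is an added example, not from the handout; the function names and the constructed sample files are mine, and the real system files are only read when you call check_lab_vm on the VM.

```shell
#!/bin/sh
# Added example: verify the guest-side setup from Exercise 1 inside the Kali VM.
# Each check reads from a file argument, so it runs against the real files on the
# VM (check_lab_vm) or against the constructed samples in demo_with_samples.

# Is the handout's repository line present and NOT commented out?
sources_list_ok() {   # sources_list_ok FILE
    grep -Eq '^[[:space:]]*deb[[:space:]]+http://http\.kali\.org/kali[[:space:]]+kali-rolling[[:space:]]+main[[:space:]]+non-free[[:space:]]+contrib' "$1"
}

# Is USER a member of GROUP in an /etc/group style file (name:pw:gid:members)?
in_group() {          # in_group GROUP USER GROUPFILE
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "$3"
}

# Is MOUNTPOINT mounted as vboxsf according to a /proc/mounts style file
# (fields: device mountpoint fstype options dump pass)?
share_mounted() {     # share_mounted MOUNTPOINT MOUNTSFILE
    awk -v mp="$1" '$2 == mp && $3 == "vboxsf" { ok = 1 } END { exit (ok ? 0 : 1) }' "$2"
}

# Run the three checks against the given files; one line per check, non-zero if any fail.
run_checks() {        # run_checks USER SHARE SOURCES GROUPFILE MOUNTS
    user=$1; share=$2; rc=0
    sources_list_ok "$3" && echo "ok: kali-rolling repo enabled" \
        || { echo "FAIL: kali-rolling line missing or commented out"; rc=1; }
    in_group vboxsf "$user" "$4" && echo "ok: $user is in vboxsf" \
        || { echo "FAIL: $user not in vboxsf (sudo adduser $user vboxsf, then reboot)"; rc=1; }
    share_mounted "/media/$share" "$5" && echo "ok: /media/$share is a vboxsf mount" \
        || { echo "FAIL: /media/$share not mounted (check Auto-mount and guest additions)"; rc=1; }
    return $rc
}

# On the VM: check_lab_vm [USER] [SHARE]  (defaults: current user, testShare)
check_lab_vm() {
    run_checks "${1:-$(id -un)}" "${2:-testShare}" /etc/apt/sources.list /etc/group /proc/mounts
}

# Offline demonstration with constructed sample files: the repo line is present and
# the user is in vboxsf, but the share is not mounted, so the overall result is a failure.
demo_with_samples() {
    d=$(mktemp -d)
    printf 'deb http://http.kali.org/kali kali-rolling main non-free contrib\n# deb-src http://http.kali.org/kali kali-rolling main non-free contrib\n' > "$d/sources.list"
    printf 'root:x:0:\nvboxsf:x:999:kali\nsudo:x:27:kali\n' > "$d/group"
    printf 'sysfs /sys sysfs rw 0 0\n/dev/sda1 / ext4 rw 0 0\n' > "$d/mounts"
    run_checks kali testShare "$d/sources.list" "$d/group" "$d/mounts"
    rc=$?; rm -rf "$d"; return $rc
}
```

The group check matters because adduser only takes effect at the next login, which is why the handout has you reboot before testing the share.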

Exercise 2 – The Module's VMs and Memory Dumps

1. Principal Analysis Machine

The next virtual machine that we are going to use is the principal machine, and this will be
used during the course of the module for all of the analysis that takes place. It comes in the
form of an .ova file, which allows us to transport VMs between devices. On your lab machine
a folder has been created on the C:\ drive named “CST3510”. Inside here you will find a copy
of the 3 main VMs for the module, all kept in .ova file format. The .ova format is one that
allows you to export a virtual machine to use on another device. To open the file with
VirtualBox use File > Import Appliance and use the default configuration to import the
machine.

The credentials for the Kali machine are:

Machine   Username   Password
Kali      kali       MDXK4l1

This VM can also be downloaded via the following link when working from home,
but it is a little slow to use in the Labs:
https://drive.google.com/file/d/1meFmjw9NW6vV-JVaiPovLN5iiBYK8p76/view?usp=share_link

It will take a few minutes to process everything, and once complete the VM will be listed as one of
the machines in the VirtualBox Manager window.

2. Potential Conflicts

Before booting it up you need to configure it with respect to the current system you are working
from, as this VM was created on another machine; its settings should always be checked prior to
starting it for the first time.

Display Adapter

Select the Display tab and you will notice at the bottom that there is a hazard sign (figure 10
below). This indicates a problem, and if you hover the mouse cursor over the icon
it will tell you what is recommended for the current host system. Select the Graphics Controller
box and change it to the recommended one. Note that this may change depending on the
system you import the VM to, so always check it is the correct one. Once the correct
adapter has been selected, the hazard sign will disappear.

Figure 10. Display adapter settings

Network Adapter

The type of network adapter you require will differ depending on your specific
circumstances, but for our labs please set it to NAT (see figure 11). Network Address
Translation (NAT) is the simplest way to access external networks while using the VM.
While it does have some severe limitations, for the purposes of our lab we have no need to
deviate from this, and it keeps things simple. If you wish to read about the
limitations and the various other network modes/adapters, please go to the following link in
your own time:
https://www.virtualbox.org/manual/ch06.html#nat-limitations

Figure 11. Network adapter settings

Shared Folders
Select the machine from the menu and select Settings > Shared Folders, and you will see in
figure 12 that a folder has already been created. Click on the edit button (highlighted in
figure 12) to edit the current one.

Figure 12. Editing the shared folder

You will need to change the configuration to suit the current setup. The only thing that
needs changing is the “Folder Path” field, to the same folder you used when you created your
own VM in exercise 1 – it should match the details shown in figure 8 during the first exercise.

USB Adapters

There should not be any for this VM, but in case you have problems with the USB controller,
go to the “Settings Menu” from the virtual machine and select Ports. Then select USB. Here
you just need to remove the USB from the enabled devices. Connecting USB devices to VMs
is a very common problem, and if you are just looking to move files onto the OS then doing so via the
shared folder is the easiest option.

Figure 13. USB Controller options

3. Test the Virtual Machine

Once you have completed checking the settings, close the settings window and press Start, and
the VM will begin to boot. Once loaded it will prompt you for your credentials; use those given
under Exercise 2 (page 9 of this handout). The first time you boot this VM it loads a browser which blocks the
view of the desktop, which can make things messy. Close all open windows before continuing.

Snapshots
Another useful feature when working with VMs is the snapshot feature. This lets you save
the working state of the machine at a given point in time, which can save a lot of time when
performing analysis. To create one select from the menu: Machine > Take Snapshot. Provide
a name and description, which serve as reminders for why the snapshot was taken. In this
instance you are taking one so that you can return the VM to its original state – I usually call
this one ‘First boot’ but feel free to choose your own. It is good practice to create one at the
start of your work so that you can always return to the same state if you feel you may have
corrupted something. In addition to this, if the system crashes

Exercise 1
Using the steps from the previous exercise (page 8), verify that you have set up
the shared folder of this VM correctly.

4. Shutting down the VM

Before we finish up we need to shut down the virtual machine, and there are a few options when
doing this, as shown in the screenshot below (figure 14).

Figure 14. Options for shutting down the VM

• Save the machine state
o Selecting this option will allow you to restart your virtual machine in exactly the
same state as it is at the current point in time.
o This is useful because you do not need to waste time booting up and getting
set up.
o This option is only possible if you can be sure that VirtualBox’s location for
saving VMs is secure.
• Send the shutdown signal
o This is equivalent to shutting down the OS manually and will trigger its relevant
shutdown routine.
o This will ensure the system saves any necessary data.
• Power off the machine
o This is the virtual equivalent of removing the cable from the back of the device.
o May cause OS errors on reboot due to not shutting down correctly, e.g. a disk
check.

For this week select the first option as we will be using the same machine in the next Lab
exercises today.
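The Exercise 2 settings checks (graphics controller, NAT adapter, shared folder path), the snapshot, and the three shutdown options above also map onto VBoxManage subcommands, which is handy when the same appliance has to be imported onto several lab machines. This is an added example, not part of the handout: the appliance path, the VM name MemoryAnalysis, the host folder and the `DRY_RUN` switch are assumptions, and because the handout says the recommended graphics controller depends on the host, it is a parameter here rather than a fixed value.

```shell
#!/bin/sh
# Added example: Exercise 2 from the command line with VBoxManage, mirroring
# the handout: import the .ova, fix the display and network adapters, repoint
# the existing shared folder at the Exercise 1 host folder, take a "First boot"
# snapshot and pick one of the three shutdown modes. Paths are assumptions.
set -eu

vbm() {  # echo instead of executing when DRY_RUN=1 or VBoxManage is absent
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v VBoxManage >/dev/null 2>&1
    then printf 'VBoxManage %s\n' "$*"; else VBoxManage "$@"; fi
}

# import_appliance OVA_PATH : File > Import Appliance with the default settings
import_appliance() {
    vbm import "$1"
}

# fix_conflicts VM GRAPHICS_CONTROLLER HOST_FOLDER
# GRAPHICS_CONTROLLER is whatever the hazard icon in Settings > Display recommends
# on this host (e.g. vmsvga); the handout warns it differs between machines.
fix_conflicts() {
    vm=$1; gfx=$2; host_folder=$3
    vbm modifyvm "$vm" --graphicscontroller "$gfx"      # Figure 10
    vbm modifyvm "$vm" --nic1 nat                       # Figure 11: NAT for the labs
    # Figure 12: the share exists but its host path belongs to another machine,
    # so re-add it with the same name, auto-mounted at /media/testShare
    vbm sharedfolder remove "$vm" --name testShare
    vbm sharedfolder add "$vm" --name testShare --hostpath "$host_folder" \
        --automount --auto-mount-point /media/testShare
}

# snapshot_first_boot VM : Machine > Take Snapshot, named as the handout suggests
snapshot_first_boot() {
    vbm snapshot "$1" take "First boot" --description "Clean state after import"
}

# shutdown_vm VM MODE, one mode per option in Figure 14:
#   save     - Save the machine state (the handout's choice for this week)
#   signal   - Send the shutdown signal (ACPI power button, clean OS shutdown)
#   poweroff - Power off the machine (like pulling the cable; may need fsck on reboot)
shutdown_vm() {
    case "$2" in
        save)     vbm controlvm "$1" savestate ;;
        signal)   vbm controlvm "$1" acpipowerbutton ;;
        poweroff) vbm controlvm "$1" poweroff ;;
        *) echo "shutdown_vm: unknown mode '$2' (save|signal|poweroff)" >&2; return 2 ;;
    esac
}

# Usage sketch (assumed paths and VM name; run with DRY_RUN=1 first):
#   import_appliance "C:/CST3510/MemoryAnalysis.ova"
#   fix_conflicts MemoryAnalysis vmsvga "$HOME/testShare"
#   snapshot_first_boot MemoryAnalysis && shutdown_vm MemoryAnalysis save
```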

5. Lab Summary

This lab is designed to give some familiarity with the environments we will use extensively
during the course of the module. Although we will provide virtual machines with the relevant
software, it is good to understand them so that you can modify whatever you need for your own
analysis purposes. You have also learnt that we will be working a lot from the command line,
and this will be the case for the duration of the module. In the next set of Lab Exercises for
this week you will use the Lab VM to perform your own analysis of some memory dumps
taken from some Windows systems.
