Cyber Security Lab - Experiment 11

The document outlines a laboratory experiment using the FTK Imager tool for memory capture and analysis in digital forensics. It provides step-by-step instructions for downloading, installing, and using FTK Imager to capture memory dumps and validate image integrity, as well as utilizing the Volatility tool for analyzing the captured memory. The process is detailed for both Windows and Linux environments, including commands for memory analysis and validation of the memory dump.

SHRI VISHNU ENGINEERING COLLEGE FOR WOMEN

(Autonomous)
Department of Computer Science and Engineering

Experiment No 11: Perform Memory capture and analysis using FTK imager tool
Description:
FTK Imager is a free digital forensic tool by AccessData used for creating forensic images
(data acquisition). It generates an exact copy of the source data, such as CDs, HDDs, SSDs,
USB drives, files and folders, and also provides hash integrity checks in a report. It can be used
for collecting both non-volatile data and volatile data (memory dumps).
The tool saves an image of a hard disk in one file or in segments that can later be
reconstructed. It calculates MD5 and SHA1 hash values and can verify that the imaged data is
consistent with the created forensic image. The forensic image can be saved in
several formats, including DD/raw, E01, and AD1.
Steps:
1. Go to the URL: https://www.exterro.com/ftk-product-downloads/ftk-imager-4-7-3-81
2. Download the installer by entering your user details.
3. Run the installer.

4. Launch the FTK Imager tool.

5. Navigate to File → Capture Memory.

6. In the Capture Memory window:
• Select a destination path on the external drive.
• Choose a filename (e.g., MemoryDump001.mem).
• Check the options:
  ✔ "Include pagefile" (captures swapped memory content).
  ✔ "Create AD1 file" (optional, for the forensic container format).

7. Start the capture:
• Click Capture Memory.
• Wait for the acquisition process to finish (the time depends on the RAM size).
• Verify that the .mem file was created successfully.

8. Validate the image integrity:
• Open FTK Imager.
• Go to File → Add Evidence Item.
• Select Image File and browse to your memory dump (MemoryDump001.mem).
• After adding it, right-click the evidence item → Export File Hash List.
• FTK Imager will generate the MD5 and SHA1 hash values.
• Save them in your lab report.

9. Analyze the memory image:
• Download the Volatility tool from:
  https://sourceforge.net/projects/forensiczone/files/PTFinder2018/volatility_2.6_win64_standalone.exe
• Save the EXE to a folder on your forensic workstation, e.g., C:\Volatility\.
• Open Command Prompt as Administrator and navigate to that folder: cd C:\Volatility
• Run volatility.exe -h (or volatility_2.6_win64_standalone.exe -h) to confirm that it
  works and to view the available plugin commands.
• volatility -f MemoryDump001.mem imageinfo → Identify the OS profile.
• volatility -f MemoryDump001.mem --profile=Win7SP1x64 pslist → List active processes.
• volatility -f MemoryDump001.mem --profile=Win7SP1x64 netscan → Show active network connections.
• volatility -f MemoryDump001.mem --profile=Win7SP1x64 dlllist → Loaded DLLs.
• volatility -f MemoryDump001.mem --profile=Win7SP1x64 hivelist → Registry hives.
• volatility -f MemoryDump001.mem --profile=Win7SP1x64 filescan → Search for open files.

Ubuntu/Kali Linux

1. Install FTK Imager (Linux version)

FTK Imager Lite (Linux) is available from AccessData’s site (registration required).
After downloading, extract the archive and run the tool:

tar -xvf ftk-imager-lite-3.1.1.tar.gz
cd ftk-imager-lite-3.1.1
sudo ./ftkimager

2. Install the Volatility Framework

sudo apt update
sudo apt install volatility -y

3. Capture memory

Using FTK Imager (GUI/CLI):
• Run: sudo ./ftkimager --capture-memory /home/user/memdump.mem

4. Validate the memory dump

md5sum /home/user/memdump.mem
sha1sum /home/user/memdump.mem

Record both values; any later recomputation over the dump must match them exactly.
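The integrity check in step 4 above, and the hash list that FTK Imager exports in step 8 of the Windows procedure, can be scripted so the comparison is not done by eye. The following Python example is added here and is not part of the lab manual, of FTK Imager or of Volatility. It assumes (an assumption, not something the manual states) that FTK Imager's exported hash list is a CSV with an MD5,SHA1,FileNames header, and it also accepts the "<digest>  <filename>" lines printed by md5sum and sha1sum. The dump file and the hash lists are constructed test data; the digests used are the published MD5/SHA1 test vectors for the bytes "abc".

```python
# Added example (not part of the lab manual or of FTK Imager): recompute a memory
# dump's MD5 and SHA1 and compare them with the values recorded at acquisition,
# either FTK Imager's exported hash list (Windows step 8) or md5sum/sha1sum
# output (Linux step 4). The dump bytes and hash lists used below are
# constructed test data, not values from a real capture.
import hashlib
import os
import tempfile

CHUNK_SIZE = 4 * 1024 * 1024  # 4 MiB reads keep memory use flat on multi-GB dumps


def hash_file(path, chunk_size=CHUNK_SIZE):
    """Return {'md5': hex, 'sha1': hex} for the file, read once in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def parse_hash_list(text):
    """Parse expected hashes into {basename: {'md5': hex, 'sha1': hex}}.

    Two layouts are accepted:
      * CSV rows 'md5,sha1,filename' under an 'MD5,SHA1,FileNames' header, the
        layout this example assumes for FTK Imager's "Export File Hash List";
      * '<digest>  <filename>' lines as printed by md5sum / sha1sum, where the
        algorithm is inferred from the digest length (32 hex = MD5, 40 = SHA1).
    Digests are lower-cased so comparisons are case-insensitive.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("MD5,"):
            continue  # blank line or the CSV header
        if "," in line:
            parts = [p.strip() for p in line.split(",", 2)]
            if len(parts) != 3:
                raise ValueError("malformed CSV row: %r" % line)
            md5, sha1, name = parts
            entry = expected.setdefault(os.path.basename(name), {})
            entry["md5"], entry["sha1"] = md5.lower(), sha1.lower()
        else:
            digest, name = line.split(None, 1)
            name = os.path.basename(name.lstrip("*"))  # '*' marks binary mode
            algo = {32: "md5", 40: "sha1"}.get(len(digest))
            if algo is None:
                raise ValueError("unrecognised digest length: %r" % line)
            expected.setdefault(name, {})[algo] = digest.lower()
    return expected


def verify_dump(path, hash_list_text, name=None):
    """Return (ok, mismatches) after recomputing the dump's hashes.

    ok is True only when the list holds at least one digest for the file and
    every listed digest matches; mismatches names the algorithms that differ.
    """
    name = name or os.path.basename(path)
    expected = parse_hash_list(hash_list_text).get(name)
    if not expected:
        return False, ["no recorded hash for %s" % name]
    actual = hash_file(path)
    mismatches = [algo for algo, digest in expected.items() if actual[algo] != digest]
    return not mismatches, mismatches


def make_sample_dump(data, name="MemoryDump001.mem"):
    """Write constructed bytes to a fresh temp directory; return the file path."""
    path = os.path.join(tempfile.mkdtemp(prefix="ftk-lab-"), name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    dump = make_sample_dump(b"abc")  # stand-in for the real multi-GB .mem file
    # Constructed FTK-style list carrying the published MD5/SHA1 of b"abc".
    ftk_list = ("MD5,SHA1,FileNames\n"
                "900150983cd24fb0d6963f7d28e17f72,"
                "a9993e364706816aba3e25717850c26c9cd0d89d,MemoryDump001.mem\n")
    print("FTK hash list :", verify_dump(dump, ftk_list))   # (True, [])
    # Constructed md5sum/sha1sum output with the SHA1 line corrupted on purpose.
    sum_lines = ("900150983cd24fb0d6963f7d28e17f72  /home/user/MemoryDump001.mem\n"
                 "0000000000000000000000000000000000000000  /home/user/MemoryDump001.mem\n")
    print("md5sum/sha1sum:", verify_dump(dump, sum_lines))  # (False, ['sha1'])
```

Both digests are computed in one pass so a large dump is read from disk only once, and a file that has no recorded hash at all is reported as a failure rather than silently passing, which is the outcome a chain-of-custody check needs.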

5. Analyze with Volatility

Identify the image info: volatility -f /home/user/memdump.mem imageinfo

Suggested Profile(s): LinuxUbuntu1604x64, LinuxUbuntu1804x64

6. List processes

volatility -f /home/user/memdump.mem --profile=LinuxUbuntu1804x64 linux_pslist

7. List network connections

volatility -f /home/user/memdump.mem --profile=LinuxUbuntu1804x64 linux_netstat
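Once the pslist output of the Windows procedure or the linux_pslist output of step 6 above is on screen, the analyst's next job is to read the parent/child relationships rather than the raw rows. The following Python example is added here and is not part of the lab manual or of the Volatility project. It parses both column layouts by reading the header row (PID/PPID on Windows, Pid/PPid on Linux), rebuilds the process tree, and flags processes whose parent is missing from the listing or, on Windows, whose live parent is not the one normally expected. The listings, offsets, PIDs and the expected-parent table are constructed for this example; the last Windows row is a planted svchost.exe under explorer.exe so the baseline check has something to report.

```python
# Added example (not part of the lab manual or of the Volatility project): parse
# the text that "pslist" (Windows) and "linux_pslist" (Linux) print, rebuild the
# parent/child tree and flag entries an analyst should look at more closely.
# Every listing below is constructed sample data; offsets and PIDs are invented.
import re

# Parent an analyst expects for a few core Windows processes. This baseline is
# an illustration chosen for the example, not something the lab manual lists.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


def parse_pslist(text):
    """Return [{'name', 'pid', 'ppid'}, ...] from pslist or linux_pslist output.

    The header row locates the Name / PID / PPID columns, so both the Windows
    layout (PID, PPID) and the Linux layout (Pid, PPid) parse. Volatility pads
    names to a fixed width, so whitespace splitting is safe for these columns.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = next((ln for ln in lines if re.search(r"\bPPID\b", ln, re.I)), None)
    if header is None:
        raise ValueError("no header row with a PPID column found")
    columns = [col.lower() for col in header.split()]
    name_idx, pid_idx, ppid_idx = (columns.index(c) for c in ("name", "pid", "ppid"))
    procs = []
    for ln in lines[lines.index(header) + 1:]:
        fields = ln.split()
        if set(fields[0]) == {"-"}:  # dashed separator under the header
            continue
        procs.append({"name": fields[name_idx],
                      "pid": int(fields[pid_idx]),
                      "ppid": int(fields[ppid_idx])})
    return procs


def process_tree(procs):
    """Map each parent PID to the list of processes it started."""
    children = {}
    for p in procs:
        children.setdefault(p["ppid"], []).append(p)
    return children


def find_anomalies(procs):
    """Return (orphans, unexpected_parents) for an analyst to review.

    orphans: names of processes whose parent PID is absent from the listing
      (PPID 0 is the root and is skipped). On Windows, csrss.exe, wininit.exe
      and explorer.exe are normally orphans because their parents exit after
      start-up, so this is a prompt to check, not a verdict.
    unexpected_parents: (name, pid, parent name) for core processes whose live
      parent differs from EXPECTED_PARENT, e.g. an svchost.exe not started by
      services.exe.
    """
    by_pid = {p["pid"]: p for p in procs}
    orphans = [p["name"] for p in procs
               if p["ppid"] != 0 and p["ppid"] not in by_pid]
    unexpected = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        wanted = EXPECTED_PARENT.get(p["name"])
        if wanted and parent and parent["name"] != wanted:
            unexpected.append((p["name"], p["pid"], parent["name"]))
    return orphans, unexpected


# Constructed Windows pslist output; the last row is a deliberately planted
# svchost.exe whose parent is explorer.exe so the baseline check has a hit.
WINDOWS_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c9f040 System                    4      0     86      573 ------      0 2012-04-23 21:14:36 UTC+0000
0xfffffa8001b5d040 smss.exe                252      4      2       29 ------      0 2012-04-23 21:14:36 UTC+0000
0xfffffa8001f4f060 csrss.exe               336    328      9      420      0      0 2012-04-23 21:14:37 UTC+0000
0xfffffa8001f52b30 wininit.exe             384    328      3       75      0      0 2012-04-23 21:14:37 UTC+0000
0xfffffa8002095b30 services.exe            480    384      9      214      0      0 2012-04-23 21:14:37 UTC+0000
0xfffffa80020a6b30 lsass.exe               488    384      8      619      0      0 2012-04-23 21:14:38 UTC+0000
0xfffffa8002156b30 svchost.exe             620    480     10      366      0      0 2012-04-23 21:14:38 UTC+0000
0xfffffa8002334b30 explorer.exe           1432   1404     28      812      1      0 2012-04-23 21:14:45 UTC+0000
0xfffffa80023d1060 svchost.exe            2108   1432      1       20      1      0 2012-04-23 21:15:02 UTC+0000
"""

# Constructed linux_pslist output (note the Pid / PPid header spelling).
LINUX_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff880036d88000 init                 1               0               0               0      0x0000000036d6c000 2018-06-01 10:00:00 UTC+0000
0xffff880036d8a000 kthreadd             2               0               0               0      ------------------ 2018-06-01 10:00:00 UTC+0000
0xffff880035a1e000 sshd                 912             1               0               0      0x0000000035a20000 2018-06-01 10:00:05 UTC+0000
0xffff880034f0c000 bash                 1840            912             1000            1000   0x0000000034f10000 2018-06-01 10:02:11 UTC+0000
"""

if __name__ == "__main__":
    for label, listing in (("Windows", WINDOWS_PSLIST), ("Linux", LINUX_PSLIST)):
        procs = parse_pslist(listing)
        orphans, unexpected = find_anomalies(procs)
        print(label, "processes:", len(procs), "orphans:", orphans,
              "unexpected parents:", unexpected)
```

Save the plugin output with a redirect (for example volatility ... pslist > pslist.txt) and pass the file contents to parse_pslist. The orphan list on Windows will always contain a few well-known names, so the useful signal is an unfamiliar name in that list or any hit in the unexpected-parents list, both of which are leads to confirm with the other plugins in the procedure (dlllist, netscan) rather than conclusions on their own.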
