(Helix: Lesson 4)

{ Dump Window's Physical Memory Using NetCat to BackTrack }

Section 0. Background Information

Helix3 is a Live CD built on top of Ubuntu. It focuses on incident response and computer forensics. According to Helix3 Support Forum, e-fense is no longer planning on updating the free version of Helix.
- See http://www.e-fense.com/products.php
Pre-Requisite Lesson
- Volatility: Lesson 1: Installing Volatility on BackTrack 5 R1
Lab Notes
- In this lab we will do the following:
  1. Download Helix2008R1.iso
  2. Start Netcat Listener on BackTrack
  3. Open Notepad, Solitaire and Internet Explorer
  4. Acquired a physical memory dump from Damn Vulnerable WXP-SP2 using Helix.
  5. Use a Netcat Listener on BackTrack to Capture the Helix Memory Dump
Next Lesson
- Volatility: Lesson 2: Analyzing Memory Capture for Windows XP SP2
Legal Disclaimer
- As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
- In addition, this is a teaching website that does not condone malicious behavior of any kind.
- Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
- © 2012 No content replication of any kind is allowed without express written permission.

Section 1: Download Helix

Open Firefox on your (Host Windows Machine).
- Instructions:
  1. Click the Start Button
  2. Type "Firefox" in the search box
  3. Click on Mozilla Firefox
Download Helix2008R1.iso
- Instructions:
  1. Navigate to the following Link
    - http://helix.onofri.org/Helix2008R1.iso
  2. Click the Save File radio button
  3. Click the OK button
Save Helix2008R1.iso
- Instructions:
  1. Navigate the following Download Location
    - C:\ISOs or USB:\ISOs
    - Note: In my case, I am using a USB Drive (G:)
  2. File name: Helix2008R1
  3. Save as types: ISO Image File
  4. Click the Save button

Section 2: Start Up BackTrack Machine

Open VMware Player on your (Host Windows Machine).
- Instructions:
  1. Click the Start Button
  2. Type "vmware player" in the search box
  3. Click on VMware Player
Edit the BackTrack5R1 VM
- Instructions:
  1. Select BackTrack5R1 VM
  2. Click Edit virtual machine settings
Edit Virtual Machine Settings
- Instructions:
  1. Click on Network Adapter
  2. Click on the Bridged Radio button
  3. Click on the OK Button
Play the BackTrack5R1 VM
- Instructions:
  1. Click on the BackTrack5R1 VM
  2. Click on Play virtual machine
Login to BackTrack
- Instructions:
  1. Login: root
  2. Password: toor or <whatever you changed it to>.
Bring up the GNOME
- Instructions:
  1. Type startx
Start up a terminal window
- Instructions:
  1. Click on the Terminal Window
Obtain the IP Address
- Instructions:
  1. ifconfig -a
- Note(FYI):
  - My IP address 192.168.1.112.
  - In your case, it will probably be different.
  - This is the machine that will be use to attack the victim machine (Metasploitable).
Start Up Netcat on BackTrack
- Instructions:
  1. mkdir -p /var/forensics/images
    - If you have already Completed Autopsy Lesson 1, then this directory should already exist.
  2. cd /var/forensics/images
  3. nc -l -vvv -p 8888 > WV01_clean.dd
    - Netcat will listen for Helix to send the Memory Image.

Section 3: Start Up Damn Vulnerable WXP-SP2

Open VMware Player on your (Host Windows Machine).
- Instructions:
  1. Click the Start Button
  2. Type "vmware player" in the search box
  3. Click on VMware Player
Edit Virtual Machine Settings
- Instructions:
  1. Click on Damn Vulnerable WXP-SP2
  2. Edit Virtual Machine Settings
- Note:
  - Before beginning a lesson it is necessary to check the following VM settings.
Set Network Adapter
- Instructions:
  1. Click on Network Adapter
  2. Click on the radio button "Bridged: Connected directly to the physical network".
  3. Click the OK Button
Start Up Damn Vulnerable WXP-SP2.
- Instructions:
  1. Start Up your VMware Player
  2. Play virtual machine
Logging into Damn Vulnerable WXP-SP2.
- Instructions:
  1. Click on Administrator
  2. Password: Supply Password
    - (See Note)
  3. Press <Enter> or Click the Arrow
- Note(FYI):
  1. Password was created in (Lab 1, Section 1, Step 8)
Open the Command Prompt
- Instructions:
  1. Click the Start Button
  2. All Programs --> Accessories --> Command Prompt
Obtain Damn Vulnerable WXP-SP2's IP Address
- Instructions:
  1. ipconfig
  2. Record Your IP Address
- Note(FYI):
  - In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
  - This is the IP Address of the Virtual Machine from which we will use Helix to capture a memory dump.
  - Do not close the command prompt.

Section 4: Start Up Notepad, Command Prompt, Solitaire & Internet Explorer

Start Up NotePad
- Instructions:
  1. Click the Start Button
  2. All Programs --> Accessories --> Notepad
Start Up Solitaire
- Instructions:
  1. Click the Start Button
  2. All Programs --> Games --> Solitaire
Start Up Internet Explorer
- Instructions:
  1. Click the Start Button
  2. All Programs --> Internet Explorer
  3. Navigate to http://www.cnn.com
Verifying Applications
- Note(FYI):
  - The following applications should be running:
    1. Command Prompt
    2. Notepad
    3. Solitaire
    4. Internet Explorer

Section 5: Loading Helix2008R1

Edit Virtual Machine Settings
- Instructions:
  1. Player --> Manage --> Virtual Machine Settings...
Configure Windows to load the Helix iso as a CD/DVD
- Instructions:
  1. Select CD/DVD (IDE)
  2. Device status: Check Connected
  3. Select the Use ISO image file
  4. Browse to where you saved the Helix iso.
    - Note: In my case, I save it in the following location:
    - G:\ISOs\Helix2008R1.iso
  5. Click the OK Button
Choose Language
- Command:
  1. Select English or desired language
  2. Click the Accept Button
Acquire Live Image (Part 1)
- Instructions:
  1. Click on the Camera
Acquire Live Image (Part 2)
- Instructions:
  1. Source: Select Physical Memory
  2. Location Options: Select NetCat
  3. Destination IP:
    - Replace 192.168.1.112 with the BackTrack IP Address you obtained in (Section 2, Step 8).
  4. Port: 8888
  5. Click the Acquire Button
Acquire Live Image (Part 3)
- Instructions:
  1. Click Yes
Acquire Live Image (Part 4)
- Note(FYI):
  1. You will see a message that physical memory is being copied.
  2. The Black Screen is close once the copy process if finished.

Section 5: Verify Image was copied to BackTrack

Explaining NetCat Messages
- Notes(FYI):
  1. The Red Arrow points to the message that occurs when the Helix Application connects to BackTrack's Netcat Listener.
  2. The Blue Arrow points to BackTrack's NetCat Session that display how many bytes were received from Helix's Memory Dump.

Section 6: Proof of Lab

Proof of Lab
- Instructions:
  1. cd /var/forensics/images
  2. ls -l *.dd
  3. date
  4. echo "Your Name"
- Proof of Lab Instructions
  1. Press the <Ctrl> and <Alt> key at the same time.
  2. Press the <PrtScn> key.
  3. Paste into a word document
  4. Upload to Moodle