ComputerSecurityStudent (CSS) [Login] [Join Now]




|FORENSICS >> HELIX >> Current Page |Views: 12307

(Helix: Lesson 4)

{ Dump Window's Physical Memory Using NetCat to BackTrack  }


Section 0. Background Information
  1. Helix3 is a Live CD built on top of Ubuntu. It focuses on incident response and computer forensics. According to Helix3 Support Forum, e-fense is no longer planning on updating the free version of Helix.
  2. Pre-Requisite Lesson  
  3. Lab Notes
    • In this lab we will do the following:
      1. Download Helix2008R1.iso
      2. Start Netcat Listener on BackTrack
      3. Open Notepad, Solitaire and Internet Explorer
      4. Acquired a physical memory dump from Damn Vulnerable WXP-SP2 using Helix.
      5. Use a Netcat Listener on BackTrack to Capture the Helix Memory Dump

  4. Next Lesson
  5. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.

Section 1: Download Helix
  1. Open Firefox on your (Host Windows Machine).
    • Instructions:
      1. Click the Start Button
      2. Type "Firefox" in the search box
      3. Click on Mozilla Firefox

     

  2. Download Helix2008R1.iso
    • Instructions:
      1. Navigate to the following Link
        • http://helix.onofri.org/Helix2008R1.iso
      2. Click the Save File radio button
      3. Click the OK button

     

  3. Save Helix2008R1.iso
    • Instructions:
      1. Navigate the following Download Location
        • C:\ISOs or USB:\ISOs
        • Note: In my case, I am using a USB Drive (G:)
      2. File name: Helix2008R1
      3. Save as types: ISO Image File
      4. Click the Save button

     

Section 2: Start Up BackTrack Machine
  1. Open VMware Player on your (Host Windows Machine).
    • Instructions:
      1. Click the Start Button
      2. Type "vmware player" in the search box
      3. Click on VMware Player

     

  2. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  3. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

     

  4. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  5. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  6. Bring up the GNOME
    • Instructions:
      1. Type startx

     

  7. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  8. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.112.
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Metasploitable).

     

  9. Start Up Netcat on BackTrack
    • Instructions:
      1. mkdir -p /var/forensics/images
        • If you have already Completed Autopsy Lesson 1, then this directory should already exist.
      2. cd /var/forensics/images
      3. nc -l -vvv -p 8888 > WV01_clean.dd
        • Netcat will listen for Helix to send the Memory Image.

 

Section 3: Start Up Damn Vulnerable WXP-SP2
  1. Open VMware Player on your (Host Windows Machine).
    • Instructions:
      1. Click the Start Button
      2. Type "vmware player" in the search box
      3. Click on VMware Player

     

  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Edit Virtual Machine Settings
    • Note:
      • Before beginning a lesson it is necessary to check the following VM settings.

     

  3. Set Network Adapter
    • Instructions:
      1. Click on Network Adapter
      2. Click on the radio button "Bridged: Connected directly to the physical network".
      3. Click the OK Button

     

  4. Start Up Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Start Up your VMware Player
      2. Play virtual machine

     

  5. Logging into Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Click on Administrator
      2. Password: Supply Password
        •  (See Note)
      3. Press <Enter> or Click the Arrow
    • Note(FYI):
      1. Password was created in (Lab 1, Section 1, Step 8)

     

  6. Open the Command Prompt
    • Instructions:
      1. Click the Start Button
      2. All Programs --> Accessories --> Command Prompt

     

  7. Obtain Damn Vulnerable WXP-SP2's IP Address
    • Instructions:
      1. ipconfig
      2. Record Your IP Address
    • Note(FYI):
      • In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
      • This is the IP Address of the Virtual Machine from which we will use Helix to capture a memory dump.
      • Do not close the command prompt.

     

Section 4: Start Up Notepad, Command Prompt, Solitaire & Internet Explorer
  1. Start Up NotePad
    • Instructions:
      1. Click the Start Button
      2. All Programs --> Accessories --> Notepad

     

  2. Start Up Solitaire
    • Instructions:
      1. Click the Start Button
      2. All Programs --> Games --> Solitaire

     

  3. Start Up Internet Explorer
    • Instructions:
      1. Click the Start Button
      2. All Programs --> Internet Explorer
      3. Navigate to http://www.cnn.com

     

  4. Verifying Applications
    • Note(FYI):
      • The following applications should be running:
        1. Command Prompt
        2. Notepad
        3. Solitaire
        4. Internet Explorer

 

Section 5: Loading Helix2008R1
  1. Edit Virtual Machine Settings
    • Instructions:
      1. Player --> Manage --> Virtual Machine Settings...

     

  2. Configure Windows to load the Helix iso as a CD/DVD
    • Instructions
      1. Select CD/DVD (IDE)
      2. Device status: Check Connected
      3. Select the Use ISO image file
      4. Browse to where you saved the Helix iso.
        • Note:  In my case, I save it in the following location:
        • G:\ISOs\Helix2008R1.iso
      5. Click the OK Button

     

  3. Choose Language
    • Command:
      1. Select English or desired language
      2. Click the Accept Button

     

  4. Acquire Live Image (Part 1)
    • Instructions:
      1. Click on the Camera

     

  5. Acquire Live Image (Part 2)
    • Instructions:
      1. Source: Select Physical Memory
      2. Location Options: Select NetCat
      3. Destination IP:
        • Replace 192.168.1.112 with the BackTrack IP Address you obtained in (Section 2, Step 8).
      4. Port: 8888
      5. Click the Acquire Button

     

  6. Acquire Live Image (Part 3)
    • Instructions:
      1. Click Yes

     

  7. Acquire Live Image (Part 4)
    • Note(FYI):
      1. You will see a message that physical memory is being copied.
      2. The Black Screen is close once the copy process if finished.

 

Section 5: Verify Image was copied to BackTrack
  1. Explaining NetCat Messages
    • Notes(FYI): 
      1. The Red Arrow points to the message that occurs when the Helix Application connects to BackTrack's Netcat Listener.
      2. The Blue Arrow points to BackTrack's NetCat Session that display how many bytes were received from Helix's Memory Dump.

 

Section 6: Proof of Lab
  1. Proof of Lab
    • Instructions
      1. cd /var/forensics/images
      2. ls -l *.dd
      3. date
      4. echo "Your Name"
    • Proof of Lab Instructions
      1. Press the <Ctrl> and <Alt> key at the same time.
      2. Press the <PrtScn> key.
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth