Computer Forensics Report
Team IA1161
Evidence Collector: Hoang Dinh Tuan
Investigator: Dao Nguyen Van Thanh, Lai Trung Minh Duc
Reporter: Lai Trung Minh Duc, Tran Long Nhat Phuong
01/02/18
Investigator Information
The following report was produced by Team IA1161 using the following
process:
- Tuan is the evidence collector, who received the captured images from
Team IA1064 and presented them to our investigator to deliver the facts
that seemed relevant to the case. The evidence was verified to be
unaltered.
- Thanh is our main investigator, responsible for taking the evidence and
doing the tasks necessary to pursue the investigation. His investigation
process is detailed in the third section of this report.
- Duc and Phuong are in charge of writing this report based on Thanh's
results.
Case Description
In this project, we are given two image files captured from a suspected
machine by Team IA1164:
- Disk.001 – HDD captured image
- Memdump.mem – RAM captured image
We suspected that this machine might have been attacked with a Metasploit
payload for unauthorized access. We also tried to restore any deleted files
for further relevant deductions.
Computer and Forensic Tool Statistics
The two files were collected at 01/02/18 8:27:03 AM, when Tuan received
them from Team IA1164. Team IA1161 then assigned responsibilities to each
member; once we had settled and understood our missions, we began the
research and testing. The files were examined using Volatility on a Kali
machine and FTK Imager on Windows 7. These programs have been proven by
Mr. Nguyen Sieu Dang to provide valid and accurate results when scanning
and analyzing a system.
Investigation:
1. Check the hash of each file to ensure the files have not been altered.
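For step 1, here is an added example (not part of the team's report) of how the integrity check can be done in Python: the image is read in chunks so a multi-gigabyte file never has to fit in memory, several digests are computed in one pass, and each is compared with the value recorded at acquisition time (for instance the hashes FTK Imager prints in its verification results). The file name Disk.001 is taken from the case; the sample file content and the "recorded" digests below are constructed for the demonstration.

```python
"""Verify that an evidence image is unaltered by recomputing its hashes and
comparing them with the digests recorded when the image was acquired."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # hash 1 MiB at a time; disk images do not fit in RAM


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hex digest}, computing all algorithms in one read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """recorded is {algorithm: hex digest} from the acquisition log.
    Returns (ok, mismatches) where mismatches maps algorithm -> (recorded, actual)."""
    actual = hash_file(path, tuple(recorded))
    mismatches = {}
    for name, expected in recorded.items():
        # constant-time comparison; both sides are lowercase hex strings
        if not hmac.compare_digest(expected.lower(), actual[name]):
            mismatches[name] = (expected.lower(), actual[name])
    return (not mismatches, mismatches)


def make_sample_image(content=b"abc"):
    """Write a constructed stand-in for Disk.001 into a temp dir and return its path.
    The content is tiny on purpose; the digests of b'abc' are well known."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "Disk.001")
    with open(path, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    image = make_sample_image()
    # constructed acquisition record for the sample content
    recorded = {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    }
    ok, bad = verify_image(image, recorded)
    print("image unaltered" if ok else f"MISMATCH: {bad}")
```

Record the digests in the report together with the algorithm used; a later reader can then rerun the same check against the archived image, and a single differing byte anywhere in the image shows up as a mismatch.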
2. Investigate the HDD to explore any deleted files.
As we can see, inside the investigated HDD there are several files. The
noticeable point here is two deleted files:
- 8498069.pdf was modified at 1/21/2018 10:06:57 AM
- VTP-Challenge VTP Configuration (1).pka was modified at 1/17/2017
11:29:32 AM
After restoring the 2 files, what we have is:
8498069.pdf is a CCNA lab tutorial
VTP-Challenge VTP Configuration (1).pka is a CCNA lab file
Conclusion: After researching the HDD, we did not find any remarkable
point relevant to our suspicion.
3. Investigate the RAM.
Using the command [volatility -f memdump.mem imageinfo], we think that
the operating system of the suspected machine is probably Windows 7 or
Windows Server 2008.
Here are some of our tables for the process list and the network list:
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80024b6740 System 4 0 88 555 ------ 0 2018-01-31 03:48:10 UTC+0000
0xfffffa8002fd8b30 smss.exe 244 4 2 29 ------ 0 2018-01-31 03:48:10 UTC+0000
0xfffffa800371cb30 csrss.exe 336 328 9 478 0 0 2018-01-31 03:48:21 UTC+0000
0xfffffa800373ab30 csrss.exe 388 380 10 296 1 0 2018-01-31 03:48:22 UTC+0000
0xfffffa8003742b30 wininit.exe 396 328 3 76 0 0 2018-01-31 03:48:22 UTC+0000
0xfffffa8003751b30 winlogon.exe 432 380 3 108 1 0 2018-01-31 03:48:22 UTC+0000
0xfffffa80037bb910 services.exe 492 396 7 215 0 0 2018-01-31 03:48:25 UTC+0000
0xfffffa80037cf910 lsass.exe 500 396 6 586 0 0 2018-01-31 03:48:26 UTC+0000
0xfffffa80037d5b30 lsm.exe 508 396 10 141 0 0 2018-01-31 03:48:26 UTC+0000
0xfffffa8003b1c470 svchost.exe 604 492 9 352 0 0 2018-01-31 03:48:30 UTC+0000
0xfffffa8003b3f060 vmacthlp.exe 664 492 3 54 0 0 2018-01-31 03:48:31 UTC+0000
0xfffffa8003b544a0 svchost.exe 708 492 8 274 0 0 2018-01-31 03:48:32 UTC+0000
0xfffffa8003b89630 svchost.exe 796 492 18 481 0 0 2018-01-31 03:48:33 UTC+0000
0xfffffa8003b9d060 svchost.exe 832 492 17 408 0 0 2018-01-31 03:48:34 UTC+0000
0xfffffa8003ba4780 svchost.exe 856 492 39 1040 0 0 2018-01-31 03:48:34 UTC+0000
0xfffffa8003bf6420 svchost.exe 1004 492 10 518 0 0 2018-01-31 03:48:36 UTC+0000
0xfffffa8003c3b630 svchost.exe 292 492 14 371 0 0 2018-01-31 03:48:38 UTC+0000
0xfffffa80036ff060 spoolsv.exe 1112 492 12 323 0 0 2018-01-31 03:48:40 UTC+0000
0xfffffa800370b060 svchost.exe 1148 492 17 308 0 0 2018-01-31 03:48:41 UTC+0000
0xfffffa80036aa060 svchost.exe 1300 492 16 243 0 0 2018-01-31 03:48:43 UTC+0000
0xfffffa800383e360 VGAuthService. 1420 492 3 88 0 0 2018-01-31 03:48:45 UTC+0000
0xfffffa80027a0b30 vmtoolsd.exe 1520 492 9 291 0 0 2018-01-31 03:48:49 UTC+0000
0xfffffa8002e83190 ManagementAgen 1548 492 10 92 0 0 2018-01-31 03:48:50 UTC+0000
0xfffffa8003d18b30 svchost.exe 1784 492 6 93 0 0 2018-01-31 03:48:53 UTC+0000
0xfffffa8003d84b30 svchost.exe 1812 492 5 101 0 0 2018-01-31 03:48:53 UTC+0000
0xfffffa8003806060 TPAutoConnSvc. 1996 492 9 131 0 0 2018-01-31 03:48:55 UTC+0000
0xfffffa8003e7bb30 WmiPrvSE.exe 1064 604 10 202 0 0 2018-01-31 03:48:58 UTC+0000
0xfffffa8003eae310 dllhost.exe 1488 492 13 189 0 0 2018-01-31 03:48:59 UTC+0000
0xfffffa800274db30 msdtc.exe 1192 492 12 144 0 0 2018-01-31 03:49:01 UTC+0000
0xfffffa80028a15b0 taskhost.exe 2276 492 8 156 1 0 2018-01-31 03:49:17 UTC+0000
0xfffffa80028d5060 dwm.exe 2340 832 5 124 1 0 2018-01-31 03:49:17 UTC+0000
0xfffffa8003f83b30 explorer.exe 2384 2316 32 839 1 0 2018-01-31 03:49:18 UTC+0000
0xfffffa8003f80b30 TPAutoConnect. 2392 1996 3 114 1 0 2018-01-31 03:49:18 UTC+0000
0xfffffa8003f885c0 conhost.exe 2412 388 1 34 1 0 2018-01-31 03:49:18 UTC+0000
0xfffffa800404b1c0 vmtoolsd.exe 2624 2384 5 205 1 0 2018-01-31 03:49:24 UTC+0000
0xfffffa8004732b30 SearchIndexer. 2780 492 13 720 0 0 2018-01-31 03:49:31 UTC+0000
0xfffffa80047971f0 wmpnetwk.exe 2880 492 9 211 0 0 2018-01-31 03:49:33 UTC+0000
0xfffffa800257fb30 svchost.exe 1736 492 14 383 0 0 2018-01-31 03:50:53 UTC+0000
0xfffffa8003b055c0 iexplore.exe 2576 2772 0 -------- 1 0 2018-01-31 03:54:14 UTC+0000 2018-01-31 03:54:33 UTC+0000
0xfffffa8003e35b30 notepad.exe 2664 2576 6 173 1 1 2018-01-31 03:54:30 UTC+0000
0xfffffa8003dc5220 iexplore.exe 2572 2772 0 -------- 1 0 2018-01-31 03:54:33 UTC+0000 2018-01-31 03:54:43 UTC+0000
0xfffffa8003f60060 notepad.exe 1160 2572 4 149 1 1 2018-01-31 03:54:40 UTC+0000
0xfffffa8003af5060 cmd.exe 2840 2664 1 37 1 1 2018-01-31 03:55:05 UTC+0000
0xfffffa8003f4e060 conhost.exe 1476 388 2 50 1 0 2018-01-31 03:55:05 UTC+0000
0xfffffa8003bfc060 notepad.exe 2296 2664 5 94 1 1 2018-01-31 03:55:16 UTC+0000
0xfffffa8003cec3a0 audiodg.exe 2124 796 5 122 0 0 2018-01-31 04:17:59 UTC+0000
0xfffffa800255f460 dd.exe 2524 2840 1 44 1 1 2018-01-31 04:19:14 UTC+0000
0xfffffa8003d27920 FTK Imager.exe 3000 2384 15 357 1 0 2018-01-31 04:19:55 UTC+0000
This process list was generated with the command: [volatility -f
memdump.mem pslist] in Kali Linux.
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x7e470cf0 TCPv4 -:0 136.71.186.3:0 CLOSED 292 svchost.exe
0x7e651010 TCPv4 -:49173 104.16.91.188:80 CLOSED 292 svchost.exe
0x7e9fdcf0 TCPv4 -:49174 192.228.79.201:80 CLOSED 292 svchost.exe
0x7e6837d0 TCPv4 -:49175 192.168.198.254:80 CLOSED 292 svchost.exe
0x7e9697d0 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 708 svchost.exe
0x7e96a880 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 708 svchost.exe
0x7e7642d0 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System
0x7e96a110 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 396 wininit.exe
0x7e96aef0 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 396 wininit.exe
0x7e9b3550 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 796 svchost.exe
0x7e9b4ef0 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 796 svchost.exe
0x7ec98530 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 500 lsass.exe
0x7ecc24f0 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 500 lsass.exe
0x7eca3520 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 856 svchost.exe
0x7eca42e0 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 856 svchost.exe
0x7e75f420 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 492 services.exe
0x7e760240 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 492 services.exe
0x7e7d39e0 TCPv4 0.0.0.0:49157 0.0.0.0:0 LISTENING 1812 svchost.exe
0x7e7dc010 TCPv4 0.0.0.0:49157 0.0.0.0:0 LISTENING 1812 svchost.exe
0x7ea334a0 TCPv4 0.0.0.0:5357 0.0.0.0:0 LISTENING 4 System
0x7e48b1f0 TCPv4 127.0.0.1:15465 127.0.0.1:49176 ESTABLISHED 2296 notepad.exe
0x7e61d6a0 TCPv4 127.0.0.1:49176 127.0.0.1:15465 ESTABLISHED 2664 notepad.exe
0x7ea0f920 TCPv4 192.168.198.137:139 0.0.0.0:0 LISTENING 4 System
0x7e7e5cf0 TCPv4 192.168.198.137:49169 192.168.198.128:16480 ESTABLISHED 2576 iexplore.exe
0x7e6ac010 TCPv4 192.168.198.137:49172 192.168.198.128:16480 ESTABLISHED 2572 iexplore.exe
0x7e96a880 TCPv6 :::135 :::0 LISTENING 708 svchost.exe
0x7e7642d0 TCPv6 :::445 :::0 LISTENING 4 System
0x7e96a110 TCPv6 :::49152 :::0 LISTENING 396 wininit.exe
0x7e9b3550 TCPv6 :::49153 :::0 LISTENING 796 svchost.exe
0x7ecc24f0 TCPv6 :::49154 :::0 LISTENING 500 lsass.exe
0x7eca3520 TCPv6 :::49155 :::0 LISTENING 856 svchost.exe
0x7e760240 TCPv6 :::49156 :::0 LISTENING 492 services.exe
0x7e7dc010 TCPv6 :::49157 :::0 LISTENING 1812 svchost.exe
0x7ea334a0 TCPv6 :::5357 :::0 LISTENING 4 System
0x7e6833a0 TCPv6 -:445 ff02::16:49177 CLOSED 4 System
0x7e8fc760 TCPv6 -:49177 ff02::16:445 CLOSED 4 System
0x7e7dab50 UDPv4 0.0.0.0:0 *:* 1812 svchost.exe 2018-01-31 03:48:53 UTC+0000
0x7e7dc260 UDPv4 0.0.0.0:0 *:* 1812 svchost.exe 2018-01-31 03:48:53 UTC+0000
0x7ec9a6d0 UDPv4 0.0.0.0:0 *:* 292 svchost.exe 2018-01-31 03:48:39 UTC+0000
0x7ed34520 UDPv4 0.0.0.0:0 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000
0x7ed41520 UDPv4 0.0.0.0:0 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000
0x7e46a910 UDPv4 0.0.0.0:3702 *:* 1300 svchost.exe 2018-01-31 03:48:57 UTC+0000
0x7e47d3f0 UDPv4 0.0.0.0:3702 *:* 1300 svchost.exe 2018-01-31 03:48:57 UTC+0000
0x7ededb20 UDPv4 0.0.0.0:3702 *:* 1300 svchost.exe 2018-01-31 03:48:57 UTC+0000
0x7edfac80 UDPv4 0.0.0.0:3702 *:* 1300 svchost.exe 2018-01-31 03:48:57 UTC+0000
0x7ea44160 UDPv4 0.0.0.0:4500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000
0x7ed42010 UDPv4 0.0.0.0:4500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000
0x7ea54530 UDPv4 0.0.0.0:500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000
0x7ed421e0 UDPv4 0.0.0.0:500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000
0x7ec77370 UDPv4 0.0.0.0:5355 *:* 292 svchost.exe 2018-01-31 04:18:39 UTC+0000
0x7edd1580 UDPv4 0.0.0.0:5355 *:* 292 svchost.exe 2018-01-31 04:18:39 UTC+0000
0x7e9487b0 UDPv4 0.0.0.0:64447 *:* 1300 svchost.exe 2018-01-31 03:48:46 UTC+0000
0x7e6b1840 UDPv4 0.0.0.0:64448 *:* 1300 svchost.exe 2018-01-31 03:48:46 UTC+0000
0x7dae3290 UDPv4 127.0.0.1:1900 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000
0x7dadc9a0 UDPv4 127.0.0.1:53599 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000
0x7ede19b0 UDPv4 192.168.198.137:137 *:* 4 System 2018-01-31 03:48:39 UTC+0000
0x7eddf9b0 UDPv4 192.168.198.137:138 *:* 4 System 2018-01-31 03:48:39 UTC+0000
0x7dae3950 UDPv4 192.168.198.137:1900 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000
0x7daddec0 UDPv4 192.168.198.137:53598 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000
0x7e7dc260 UDPv6 :::0 *:* 1812 svchost.exe 2018-01-31 03:48:53 UTC+0000
0x7ec9a6d0 UDPv6 :::0 *:* 292 svchost.exe 2018-01-31 03:48:39 UTC+0000
0x7ed34520 UDPv6 :::0 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000
0x7e46a910 UDPv6 :::3702 *:* 1300 svchost.exe 2018-01-31 03:48:57 UTC+0000
0x7e47d3f0 UDPv6 :::3702 *:* 1300 svchost.exe 2018-01-31 03:48:57 UTC+0000
0x7ed42010 UDPv6 :::4500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000
0x7ea54530 UDPv6 :::500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000
0x7edd1580 UDPv6 :::5355 *:* 292 svchost.exe 2018-01-31 04:18:39 UTC+0000
0x7e6b1840 UDPv6 :::64448 *:* 1300 svchost.exe 2018-01-31 03:48:46 UTC+0000
0x7dae3010 UDPv6 ::1:1900 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000
0x7dadeec0 UDPv6 ::1:53597 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000
0x7dae1bb0 UDPv6 fe80::a9f7:b885:9ff3:ea5e:1900 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000
0x7dadf760 UDPv6 fe80::a9f7:b885:9ff3:ea5e:53596 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000
0x7f5a5350 UDPv6 fe80::a9f7:b885:9ff3:ea5e:546 *:* 796 svchost.exe 2018-01-31 04:17:06 UTC+0000
This network list was generated with the command: [volatility -f
memdump.mem netscan] in Kali Linux.
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa8003f83b30:explorer.exe 2384 2316 32 839 2018-01-31 03:49:18UTC+0000
. 0xfffffa800404b1c0:vmtoolsd.exe 2624 2384 5 205 2018-01-31 03:49:24UTC+0000
. 0xfffffa8003d27920:FTKImager.exe 3000 2384 15 357 2018-01-31 04:19:55UTC+0000
0xfffffa800373ab30:csrss.exe 388 380 10 296 2018-01-31 03:48:22UTC+0000
. 0xfffffa8003f4e060:conhost.exe 1476 388 2 50 2018-01-31 03:55:05UTC+0000
. 0xfffffa8003f885c0:conhost.exe 2412 388 1 34 2018-01-31 03:49:18UTC+0000
0xfffffa8003751b30:winlogon.exe 432 380 3 108 2018-01-31 03:48:22UTC+0000
0xfffffa8003b055c0:iexplore.exe 2576 2772 0 ------ 2018-01-31 03:54:14UTC+0000
. 0xfffffa8003e35b30:notepad.exe 2664 2576 6 173 2018-01-31 03:54:30UTC+0000
.. 0xfffffa8003af5060:cmd.exe 2840 2664 1 37 2018-01-31 03:55:05UTC+0000
... 0xfffffa800255f460:dd.exe 2524 2840 1 44 2018-01-31 04:19:14UTC+0000
.. 0xfffffa8003bfc060:notepad.exe 2296 2664 5 94 2018-01-31 03:55:16UTC+0000
0xfffffa8003dc5220:iexplore.exe 2572 2772 0 ------ 2018-01-31 03:54:33UTC+0000
. 0xfffffa8003f60060:notepad.exe 1160 2572 4 149 2018-01-31 03:54:40UTC+0000
0xfffffa8003742b30:wininit.exe 396 328 3 76 2018-01-31 03:48:22UTC+0000
. 0xfffffa80037bb910:services.exe 492 396 7 215 2018-01-31 03:48:25UTC+0000
.. 0xfffffa80036ff060:spoolsv.exe 1112 492 12 323 2018-01-31 03:48:40UTC+0000
.. 0xfffffa80036aa060:svchost.exe 1300 492 16 243 2018-01-31 03:48:43UTC+0000
.. 0xfffffa8003b3f060:vmacthlp.exe 664 492 3 54 2018-01-31 03:48:31UTC+0000
.. 0xfffffa8003b89630:svchost.exe 796 492 18 481 2018-01-31 03:48:33UTC+0000
... 0xfffffa8003cec3a0:audiodg.exe 2124 796 5 122 2018-01-31 04:17:59UTC+0000
.. 0xfffffa8002e83190:ManagementAgen 1548 492 10 92 2018-01-31 03:48:50UTC+0000
.. 0xfffffa8003c3b630:svchost.exe 292 492 14 371 2018-01-31 03:48:38UTC+0000
.. 0xfffffa8004732b30:SearchIndexer. 2780 492 13 720 2018-01-31 03:49:31UTC+0000
.. 0xfffffa8003b9d060:svchost.exe 832 492 17 408 2018-01-31 03:48:34UTC+0000
... 0xfffffa80028d5060:dwm.exe 2340 832 5 124 2018-01-31 03:49:17UTC+0000
.. 0xfffffa8003b544a0:svchost.exe 708 492 8 274 2018-01-31 03:48:32UTC+0000
.. 0xfffffa800257fb30:svchost.exe 1736 492 14 383 2018-01-31 03:50:53UTC+0000
.. 0xfffffa800383e360:VGAuthService. 1420 492 3 88 2018-01-31 03:48:45UTC+0000
.. 0xfffffa8003806060:TPAutoConnSvc. 1996 492 9 131 2018-01-31 03:48:55UTC+0000
... 0xfffffa8003f80b30:TPAutoConnect. 2392 1996 3 114 2018-01-31 03:49:18UTC+0000
.. 0xfffffa8003ba4780:svchost.exe 856 492 39 1040 2018-01-31 03:48:34UTC+0000
.. 0xfffffa8003b1c470:svchost.exe 604 492 9 352 2018-01-31 03:48:30UTC+0000
... 0xfffffa8003e7bb30:WmiPrvSE.exe 1064 604 10 202 2018-01-31 03:48:58UTC+0000
.. 0xfffffa8003eae310:dllhost.exe 1488 492 13 189 2018-01-31 03:48:59UTC+0000
.. 0xfffffa80047971f0:wmpnetwk.exe 2880 492 9 211 2018-01-31 03:49:33UTC+0000
.. 0xfffffa80028a15b0:taskhost.exe 2276 492 8 156 2018-01-31 03:49:17UTC+0000
.. 0xfffffa8003bf6420:svchost.exe 1004 492 10 518 2018-01-31 03:48:36UTC+0000
.. 0xfffffa80027a0b30:vmtoolsd.exe 1520 492 9 291 2018-01-31 03:48:49UTC+0000
.. 0xfffffa800274db30:msdtc.exe 1192 492 12 144 2018-01-31 03:49:01UTC+0000
.. 0xfffffa8003d18b30:svchost.exe 1784 492 6 93 2018-01-31 03:48:53UTC+0000
.. 0xfffffa8003d84b30:svchost.exe 1812 492 5 101 2018-01-31 03:48:53UTC+0000
.. 0xfffffa800370b060:svchost.exe 1148 492 17 308 2018-01-31 03:48:41UTC+0000
. 0xfffffa80037d5b30:lsm.exe 508 396 10 141 2018-01-31 03:48:26UTC+0000
. 0xfffffa80037cf910:lsass.exe 500 396 6 586 2018-01-31 03:48:26UTC+0000
0xfffffa800371cb30:csrss.exe 336 328 9 478 2018-01-31 03:48:21UTC+0000
0xfffffa80024b6740:System 4 0 88 555 2018-01-31 03:48:10UTC+0000
. 0xfffffa8002fd8b30:smss.exe 244 4 2 29 2018-01-31 03:48:10UTC+0000
This process tree was generated with the command: [volatility -f
memdump.mem pstree] in Kali Linux.
After collecting those lists, we used Excel 2016 for analyzing, sorting and
searching the data.
Looking at the process list, we see some noticeable processes:
- 3 processes of notepad.exe
- 2 processes of iexplore.exe
o And only those two have an exit time.
- 1 process of cmd.exe
- 1 process of FTK Imager.exe
- Many system processes (svchost.exe)
Looking at the network list, we also see some noticeable connections:
- Most of the connections were made by the system with the source IP
0.0.0.0 and the destination IP also 0.0.0.0. They are in the LISTENING
state.
- There are 4 weird connections because their status is ESTABLISHED.
Offset(P) Proto Local Address Foreign Address State Pid Owner
0x7e48b1f0 TCPv4 127.0.0.1:15465 127.0.0.1:49176 ESTABLISHED 2296 notepad.exe
0x7e61d6a0 TCPv4 127.0.0.1:49176 127.0.0.1:15465 ESTABLISHED 2664 notepad.exe
0x7e7e5cf0 TCPv4 192.168.198.137:49169 192.168.198.128:16480 ESTABLISHED 2576 iexplore.exe
0x7e6ac010 TCPv4 192.168.198.137:49172 192.168.198.128:16480 ESTABLISHED 2572 iexplore.exe
We are left with 2 questions:
- Why does notepad.exe need to establish a connection to the loopback
address, and why do the two processes seem to communicate with each
other?
- Why does iexplore.exe connect to that weird URL on a weird port like
16480? Normally, people access websites via port 80/443.
Looking at the Process tree, we see:
0xfffffa8003b055c0:iexplore.exe 2576 2772 0 ------ 2018-01-31 03:54:14UTC+0000
. 0xfffffa8003e35b30:notepad.exe 2664 2576 6 173 2018-01-31 03:54:30UTC+0000
.. 0xfffffa8003af5060:cmd.exe 2840 2664 1 37 2018-01-31 03:55:05UTC+0000
... 0xfffffa800255f460:dd.exe 2524 2840 1 44 2018-01-31 04:19:14UTC+0000
.. 0xfffffa8003bfc060:notepad.exe 2296 2664 5 94 2018-01-31 03:55:16UTC+0000
0xfffffa8003dc5220:iexplore.exe 2572 2772 0 ------ 2018-01-31 03:54:33UTC+0000
. 0xfffffa8003f60060:notepad.exe 1160 2572 4 149 2018-01-31 03:54:40UTC+0000
- iexplore.exe has many child processes like notepad.exe, cmd.exe and
dd.exe. This is truly weird.
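As an added example (not code from the report), the following Python script automates the sorting the team did in Excel: it parses the pslist and netscan text tables shown above, rebuilds each process's lineage from the PPID column, and flags the two observations made above, namely ESTABLISHED sockets that are either loopback pairs or go to a non-web port, and shell or tool processes that descend from a browser. It goes slightly beyond the direct-parent check in the text: a tool process is flagged if a browser appears anywhere in its ancestry, so dd.exe launched through cmd.exe is caught as well. The sample rows are copied from the tables in this report; the regular expressions, function names and the list of "tool" process names are this example's own assumptions.

```python
"""Triage of Volatility pslist / netscan text output: parse the tables, rebuild
the process tree, and flag odd sockets and browser-spawned tool processes."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "offset name pid ppid start exit")
Conn = namedtuple("Conn", "offset proto local foreign state pid owner")

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC\+\d{4}"
# The name is matched lazily so a name containing a space ('FTK Imager.exe')
# still parses; Thds/Hnds/Sess/Wow64 may be digits or a run of dashes.
PSLIST_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"\d+\s+(?:\d+|-+)\s+(?:\d+|-+)\s+\d+\s+(?P<start>" + TS + r")"
    r"(?:\s+(?P<exit>" + TS + r"))?\s*$")
# Only TCP rows carry a State column; UDP rows do not match and are skipped.
NETSCAN_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<proto>TCPv[46])\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s+(?P<owner>.+?)(?:\s+" + TS + r")?\s*$")

# Rows copied from the report's pslist output (header and separator included).
PSLIST_SAMPLE = """\
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------
0xfffffa80024b6740 System 4 0 88 555 ------ 0 2018-01-31 03:48:10 UTC+0000
0xfffffa8003f83b30 explorer.exe 2384 2316 32 839 1 0 2018-01-31 03:49:18 UTC+0000
0xfffffa8003b055c0 iexplore.exe 2576 2772 0 -------- 1 0 2018-01-31 03:54:14 UTC+0000 2018-01-31 03:54:33 UTC+0000
0xfffffa8003e35b30 notepad.exe 2664 2576 6 173 1 1 2018-01-31 03:54:30 UTC+0000
0xfffffa8003dc5220 iexplore.exe 2572 2772 0 -------- 1 0 2018-01-31 03:54:33 UTC+0000 2018-01-31 03:54:43 UTC+0000
0xfffffa8003f60060 notepad.exe 1160 2572 4 149 1 1 2018-01-31 03:54:40 UTC+0000
0xfffffa8003af5060 cmd.exe 2840 2664 1 37 1 1 2018-01-31 03:55:05 UTC+0000
0xfffffa8003bfc060 notepad.exe 2296 2664 5 94 1 1 2018-01-31 03:55:16 UTC+0000
0xfffffa800255f460 dd.exe 2524 2840 1 44 1 1 2018-01-31 04:19:14 UTC+0000
0xfffffa8003d27920 FTK Imager.exe 3000 2384 15 357 1 0 2018-01-31 04:19:55 UTC+0000
"""
# Rows copied from the report's netscan output.
NETSCAN_SAMPLE = """\
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x7e470cf0 TCPv4 -:0 136.71.186.3:0 CLOSED 292 svchost.exe
0x7e9697d0 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 708 svchost.exe
0x7e48b1f0 TCPv4 127.0.0.1:15465 127.0.0.1:49176 ESTABLISHED 2296 notepad.exe
0x7e61d6a0 TCPv4 127.0.0.1:49176 127.0.0.1:15465 ESTABLISHED 2664 notepad.exe
0x7e7e5cf0 TCPv4 192.168.198.137:49169 192.168.198.128:16480 ESTABLISHED 2576 iexplore.exe
0x7e6ac010 TCPv4 192.168.198.137:49172 192.168.198.128:16480 ESTABLISHED 2572 iexplore.exe
0x7e96a880 TCPv6 :::135 :::0 LISTENING 708 svchost.exe
0x7e7dab50 UDPv4 0.0.0.0:0 *:* 1812 svchost.exe 2018-01-31 03:48:53 UTC+0000
"""


def parse_pslist(text):
    """Return {pid: Proc}; header, separator and blank lines simply do not match."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line.strip())
        if m:
            procs[int(m["pid"])] = Proc(m["offset"], m["name"], int(m["pid"]),
                                        int(m["ppid"]), m["start"], m["exit"])
    return procs


def parse_netscan(text):
    """Return the TCP rows as Conn records (UDP rows have no State and are skipped)."""
    matches = (NETSCAN_RE.match(line.strip()) for line in text.splitlines())
    return [Conn(m["offset"], m["proto"], m["local"], m["foreign"], m["state"],
                 int(m["pid"]), m["owner"]) for m in matches if m]


def lineage(procs, pid):
    """Process names from the oldest ancestor present in the dump down to pid.
    Stops at an unknown parent (PPID 2772 of iexplore.exe has no pslist entry)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain[::-1]


def flag_browser_spawned_tools(procs, browsers=("iexplore.exe",),
                               tools=("cmd.exe", "notepad.exe", "dd.exe")):
    """pid -> lineage for every tool process with a browser anywhere above it."""
    flagged = {}
    for pid, p in procs.items():
        chain = lineage(procs, pid)
        if p.name.lower() in tools and any(a.lower() in browsers for a in chain[:-1]):
            flagged[pid] = chain
    return flagged


def port_of(addr):
    """Trailing ':port' of an address string, or None ('*:*', '-:0' style tolerated)."""
    host, _, port = addr.rpartition(":")
    return int(port) if host and port.isdigit() else None


def flag_established(conns, web_ports=(80, 443)):
    """Split ESTABLISHED sockets into loopback pairs and non-web foreign ports."""
    est = [c for c in conns if c.state == "ESTABLISHED"]
    loopback = [c for c in est if c.local.startswith(("127.", "::1:"))]
    odd = [c for c in est if c not in loopback and port_of(c.foreign) not in web_ports]
    return est, loopback, odd


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    for pid, chain in flag_browser_spawned_tools(procs).items():
        print(pid, " -> ".join(chain))
    _, loopback, odd = flag_established(parse_netscan(NETSCAN_SAMPLE))
    for c in loopback + odd:
        print(c.pid, c.owner, c.local, "->", c.foreign)
```

Feed the script the full pslist and netscan output saved from Volatility (the text files, not a screenshot) and it reproduces the team's findings in one pass; because it walks the whole ancestry, it also catches a tool process several levels below the browser, which is easy to miss when sorting by PID in a spreadsheet.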
Conclusion:
From the analysis above, we think that this computer was accessed without
authorization because of a security problem in Internet Explorer on
Windows 7. The attacker might have used:
- the ms11_003_ie_css_import exploit
- …
We also think that they might have used cmd.exe for exploring via the
command line, and dd.exe for capturing data on the computer.
Computer Forensics Report - FRS301 - FPT University
0.0.0.0:4500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7ed42010 UDPv4 0.0.0.0:4500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7ea54530 UDPv4 0.0.0.0:500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7ed421e0 UDPv4 0.0.0.0:500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7ec77370 UDPv4 0.0.0.0:5355 *:* 292 svchost.exe 2018-01-31 04:18:39 UTC+0000 0x7edd1580 UDPv4 0.0.0.0:5355 *:* 292 svchost.exe 2018-01-31 04:18:39 UTC+0000 0x7e9487b0 UDPv4 0.0.0.0:64447 *:* 1300 svchost.exe 2018-01-31 03:48:46 UTC+0000 0x7e6b1840 UDPv4 0.0.0.0:64448 *:* 1300 svchost.exe 2018-01-31 03:48:46 UTC+0000 0x7dae3290 UDPv4 127.0.0.1:1900 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7dadc9a0 UDPv4 127.0.0.1:53599 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7ede19b0 UDPv4 192.168.198.137:137 *:* 4 System 2018-01-31 03:48:39 UTC+0000 0x7eddf9b0 UDPv4 192.168.198.137:138 *:* 4 System 2018-01-31 03:48:39 UTC+0000
  • 9. 0x7dae3950 UDPv4 192.168.198.137:1900 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7daddec0 UDPv4 192.168.198.137:53598 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7e7dc260 UDPv6 :::0 *:* 1812 svchost.exe 2018-01-31 03:48:53 UTC+0000 0x7ec9a6d0 UDPv6 :::0 *:* 292 svchost.exe 2018-01-31 03:48:39 UTC+0000 0x7ed34520 UDPv6 :::0 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7e46a910 UDPv6 :::3702 *:* 1300 svchost.exe 2018-01-31 03:48:57 UTC+0000 0x7e47d3f0 UDPv6 :::3702 *:* 1300 svchost.exe 2018-01-31 03:48:57 UTC+0000 0x7ed42010 UDPv6 :::4500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7ea54530 UDPv6 :::500 *:* 856 svchost.exe 2018-01-31 03:48:44 UTC+0000 0x7edd1580 UDPv6 :::5355 *:* 292 svchost.exe 2018-01-31 04:18:39 UTC+0000 0x7e6b1840 UDPv6 :::64448 *:* 1300 svchost.exe 2018-01-31 03:48:46 UTC+0000 0x7dae3010 UDPv6 ::1:1900 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7dadeec0 UDPv6 ::1:53597 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7dae1bb0 UDPv6 fe80::a9f7:b885:9ff3:ea5e:1900 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7dadf760 UDPv6 fe80::a9f7:b885:9ff3:ea5e:53596 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000 0x7f5a5350 UDPv6 fe80::a9f7:b885:9ff3:ea5e:546 *:* 796 svchost.exe 2018-01-31 04:17:06 UTC+0000 This Processes list is generatedwith the command: [volatility -f memdump.mem netscan] in Kali Linux Name Pid PPid Thds Hnds Time -------------------------------------------------- ------ ------ ------ ------ ---- 0xfffffa8003f83b30:explorer.exe 2384 2316 32 839 2018-01-31 03:49:18UTC+0000 . 0xfffffa800404b1c0:vmtoolsd.exe 2624 2384 5 205 2018-01-31 03:49:24UTC+0000 . 0xfffffa8003d27920:FTKImager.exe 3000 2384 15 357 2018-01-31 04:19:55UTC+0000 0xfffffa800373ab30:csrss.exe 388 380 10 296 2018-01-31 03:48:22UTC+0000 . 0xfffffa8003f4e060:conhost.exe 1476 388 2 50 2018-01-31 03:55:05UTC+0000 . 
0xfffffa8003f885c0:conhost.exe 2412 388 1 34 2018-01-31 03:49:18UTC+0000 0xfffffa8003751b30:winlogon.exe 432 380 3 108 2018-01-31 03:48:22UTC+0000 0xfffffa8003b055c0:iexplore.exe 2576 2772 0 ------ 2018-01-31 03:54:14UTC+0000 . 0xfffffa8003e35b30:notepad.exe 2664 2576 6 173 2018-01-31 03:54:30UTC+0000 .. 0xfffffa8003af5060:cmd.exe 2840 2664 1 37 2018-01-31 03:55:05UTC+0000 ... 0xfffffa800255f460:dd.exe 2524 2840 1 44 2018-01-31 04:19:14UTC+0000 .. 0xfffffa8003bfc060:notepad.exe 2296 2664 5 94 2018-01-31 03:55:16UTC+0000 0xfffffa8003dc5220:iexplore.exe 2572 2772 0 ------ 2018-01-31 03:54:33UTC+0000 . 0xfffffa8003f60060:notepad.exe 1160 2572 4 149 2018-01-31 03:54:40UTC+0000 0xfffffa8003742b30:wininit.exe 396 328 3 76 2018-01-31 03:48:22UTC+0000 . 0xfffffa80037bb910:services.exe 492 396 7 215 2018-01-31 03:48:25UTC+0000 .. 0xfffffa80036ff060:spoolsv.exe 1112 492 12 323 2018-01-31 03:48:40UTC+0000 .. 0xfffffa80036aa060:svchost.exe 1300 492 16 243 2018-01-31 03:48:43UTC+0000 .. 0xfffffa8003b3f060:vmacthlp.exe 664 492 3 54 2018-01-31 03:48:31UTC+0000 .. 0xfffffa8003b89630:svchost.exe 796 492 18 481 2018-01-31 03:48:33UTC+0000
  • 10. ... 0xfffffa8003cec3a0:audiodg.exe 2124 796 5 122 2018-01-31 04:17:59UTC+0000 .. 0xfffffa8002e83190:ManagementAgen 1548 492 10 92 2018-01-31 03:48:50UTC+0000 .. 0xfffffa8003c3b630:svchost.exe 292 492 14 371 2018-01-31 03:48:38UTC+0000 .. 0xfffffa8004732b30:SearchIndexer. 2780 492 13 720 2018-01-31 03:49:31UTC+0000 .. 0xfffffa8003b9d060:svchost.exe 832 492 17 408 2018-01-31 03:48:34UTC+0000 ... 0xfffffa80028d5060:dwm.exe 2340 832 5 124 2018-01-31 03:49:17UTC+0000 .. 0xfffffa8003b544a0:svchost.exe 708 492 8 274 2018-01-31 03:48:32UTC+0000 .. 0xfffffa800257fb30:svchost.exe 1736 492 14 383 2018-01-31 03:50:53UTC+0000 .. 0xfffffa800383e360:VGAuthService. 1420 492 3 88 2018-01-31 03:48:45UTC+0000 .. 0xfffffa8003806060:TPAutoConnSvc. 1996 492 9 131 2018-01-31 03:48:55UTC+0000 ... 0xfffffa8003f80b30:TPAutoConnect. 2392 1996 3 114 2018-01-31 03:49:18UTC+0000 .. 0xfffffa8003ba4780:svchost.exe 856 492 39 1040 2018-01-31 03:48:34UTC+0000 .. 0xfffffa8003b1c470:svchost.exe 604 492 9 352 2018-01-31 03:48:30UTC+0000 ... 0xfffffa8003e7bb30:WmiPrvSE.exe 1064 604 10 202 2018-01-31 03:48:58UTC+0000 .. 0xfffffa8003eae310:dllhost.exe 1488 492 13 189 2018-01-31 03:48:59UTC+0000 .. 0xfffffa80047971f0:wmpnetwk.exe 2880 492 9 211 2018-01-31 03:49:33UTC+0000 .. 0xfffffa80028a15b0:taskhost.exe 2276 492 8 156 2018-01-31 03:49:17UTC+0000 .. 0xfffffa8003bf6420:svchost.exe 1004 492 10 518 2018-01-31 03:48:36UTC+0000 .. 0xfffffa80027a0b30:vmtoolsd.exe 1520 492 9 291 2018-01-31 03:48:49UTC+0000 .. 0xfffffa800274db30:msdtc.exe 1192 492 12 144 2018-01-31 03:49:01UTC+0000 .. 0xfffffa8003d18b30:svchost.exe 1784 492 6 93 2018-01-31 03:48:53UTC+0000 .. 0xfffffa8003d84b30:svchost.exe 1812 492 5 101 2018-01-31 03:48:53UTC+0000 .. 0xfffffa800370b060:svchost.exe 1148 492 17 308 2018-01-31 03:48:41UTC+0000 . 0xfffffa80037d5b30:lsm.exe 508 396 10 141 2018-01-31 03:48:26UTC+0000 . 
0xfffffa80037cf910:lsass.exe 500 396 6 586 2018-01-31 03:48:26UTC+0000 0xfffffa800371cb30:csrss.exe 336 328 9 478 2018-01-31 03:48:21UTC+0000 0xfffffa80024b6740:System 4 0 88 555 2018-01-31 03:48:10UTC+0000 . 0xfffffa8002fd8b30:smss.exe 244 4 2 29 2018-01-31 03:48:10UTC+0000 This Processes Tree list is generatedwith the command: [volatility -f memdump.mem pstree] in Kali Linux. After collectingthose lists, we use Excel 2016 for analyzing, sorting, finding the data. Looking at the Processes list, we see some noticeable process: - 3 processes of notepad.exe - 2 processes of iexplorer.exe o And only two of them has exited time. - 1 process of cmd.exe
  • 11. - 1 process of FTK Imager.exe - Many of system processes (svhosts.exe) Looking at the Network list, we also see some noticeable connections too: - Most of the connection were made by the system with the source IP: 0.0.0.0 and the destination IP also 0.0.0.0. They are also in the status of LISTENING - There are 4 weirdconnections because their status is ESTABLISHED. Offset(P) Proto Local Address Foreign Address State Pid Owner 0x7e48b1f0 TCPv4 127.0.0.1:15465 127.0.0.1:49176 ESTABLISHED 2296 notepad.exe 0x7e61d6a0 TCPv4 127.0.0.1:49176 127.0.0.1:15465 ESTABLISHED 2664 notepad.exe 0x7e7e5cf0 TCPv4 192.168.198.137:49169 192.168.198.128:16480 ESTABLISHED 2576 iexplore.exe 0x7e6ac010 TCPv4 192.168.198.137:49172 192.168.198.128:16480 ESTABLISHED 2572 iexplore.exe We get into 2 questions: - Why does notepad.exe need to established the connection to loopback address, and two processes seem communicate to each other? - Why does iexplorer.exe connectto the weirdURL with weird port like that (16480)? Normally, people should access to the website via port 80/443. Looking at the Process tree, we see: 0xfffffa8003b055c0:iexplore.exe 2576 2772 0 ------ 2018-01-31 03:54:14UTC+0000 . 0xfffffa8003e35b30:notepad.exe 2664 2576 6 173 2018-01-31 03:54:30UTC+0000 .. 0xfffffa8003af5060:cmd.exe 2840 2664 1 37 2018-01-31 03:55:05UTC+0000 ... 0xfffffa800255f460:dd.exe 2524 2840 1 44 2018-01-31 04:19:14UTC+0000 .. 0xfffffa8003bfc060:notepad.exe 2296 2664 5 94 2018-01-31 03:55:16UTC+0000 0xfffffa8003dc5220:iexplore.exe 2572 2772 0 ------ 2018-01-31 03:54:33UTC+0000 . 0xfffffa8003f60060:notepad.exe 1160 2572 4 149 2018-01-31 03:54:40UTC+0000 - IExplore.exe has many child processes like notepad.exe, cmd.exe and dd.exe. This is truly weird. Conclusion:
From the analysis above, we think that this computer was accessed without authorization because of a security problem in Internet Explorer on Windows 7. The attacker might have used:
- the MS11_003_ie_css_import exploit
- …
We also think that they might have used cmd.exe for exploring via the command line, and dd.exe for capturing data from the computer.
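The triage that the analysis above performs by hand (parsing pslist and netscan, walking the process tree up from each process, and questioning ESTABLISHED sockets) as an added Python example; it is not part of the report or of Volatility. The policy sets (BROWSERS, WEB_PORTS, NO_NETWORK_EXPECTED) are assumptions, and the sample rows are constructed by copying entries from the tables above.

```python
import re
# Assumed triage policy (not from the report): a browser should not spawn children,
# should only talk to web ports, and notepad.exe never needs a network socket.
BROWSERS, WEB_PORTS, NO_NETWORK_EXPECTED = {"iexplore.exe"}, {80, 443}, {"notepad.exe"}
# Constructed sample: rows copied from the report's pslist and netscan tables.
PSLIST = """\
0xfffffa8003b055c0 iexplore.exe 2576 2772 0 -------- 1 0 2018-01-31 03:54:14 UTC+0000 2018-01-31 03:54:33 UTC+0000
0xfffffa8003e35b30 notepad.exe 2664 2576 6 173 1 1 2018-01-31 03:54:30 UTC+0000
0xfffffa8003af5060 cmd.exe 2840 2664 1 37 1 1 2018-01-31 03:55:05 UTC+0000
0xfffffa800255f460 dd.exe 2524 2840 1 44 1 1 2018-01-31 04:19:14 UTC+0000
0xfffffa8003bfc060 notepad.exe 2296 2664 5 94 1 1 2018-01-31 03:55:16 UTC+0000
"""
NETSCAN = """\
0x7e48b1f0 TCPv4 127.0.0.1:15465 127.0.0.1:49176 ESTABLISHED 2296 notepad.exe
0x7e7e5cf0 TCPv4 192.168.198.137:49169 192.168.198.128:16480 ESTABLISHED 2576 iexplore.exe
0x7dae3290 UDPv4 127.0.0.1:1900 *:* 1300 svchost.exe 2018-01-31 03:49:50 UTC+0000
"""
# pslist columns: Offset Name PID PPID Thds Hnds Sess Wow64 Start [Exit]; Hnds is "----" once exited
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+"
PSLIST_RE = re.compile(rf"^0x[0-9a-f]+\s+(.+?)\s+(\d+)\s+(\d+)\s+\d+\s+(?:\d+|-+)\s+\d+\s+\d+\s+({TS})(?:\s+({TS}))?$")

def parse_pslist(text):
    """PID -> {name, ppid, start, exit} from Volatility 2 pslist rows (exit is None if running)."""
    rows = [m.groups() for m in map(PSLIST_RE.match, text.splitlines()) if m]
    return {int(pid): {"name": n, "ppid": int(pp), "start": s, "exit": e} for n, pid, pp, s, e in rows}

def lineage(procs, pid):
    """Process names from the outermost known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain[::-1]

def browser_descendants(procs):
    """PID -> lineage for every process that has a browser somewhere above it."""
    return {pid: lineage(procs, pid) for pid in procs
            if any(n in BROWSERS for n in lineage(procs, pid)[:-1])}

def odd_connections(netscan_text):
    """(pid, reason) for ESTABLISHED TCP sockets; UDP rows carry no State column and are skipped."""
    rows = [l.split() for l in netscan_text.splitlines()]
    out = []
    for f in (f for f in rows if len(f) >= 7 and f[1].startswith("TCP") and f[4] == "ESTABLISHED"):
        pid, owner, fport = int(f[5]), f[6], int(f[3].rsplit(":", 1)[1])
        if owner in BROWSERS and fport not in WEB_PORTS:
            out.append((pid, "browser talking to non-web port %d" % fport))
        elif owner in NO_NETWORK_EXPECTED:
            out.append((pid, "%s holds a network socket" % owner))
    return out
```

Run against the full pslist and netscan output above, browser_descendants flags notepad.exe, cmd.exe and dd.exe under iexplore.exe 2576, and odd_connections returns the two notepad.exe loopback sockets and both iexplore.exe connections to port 16480.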