FIT3168 IT forensics – S2 2023
To complete this assessment you need to download the following memory dump file, which is available via Google Drive. Please note that you must be signed in with your Monash email account in the browser you are using for this quiz to access the Google Drive link. If you are shown a "request access" page, sign out of all your personal Google accounts and try again.
Link to Memory Dump file
The SHA256 hash of the compressed file is
Important Note: Various parts of the process of creating the memory dump file are randomised. Any similarity between the randomised or emulated names, domains and/or IP addresses and any real-world name, domain or IP address is coincidental.
A user has used a Windows 11 OS hosted as a VirtualBox virtual machine and has performed several activities. The virtual machine was paused and its memory dumped. Your task in each section is to perform memory forensics analysis and recover the information relevant to that particular activity.
Task 1: Inspecting user’s browsing activities
Subtask 1.1: MSEdge
a.1) The user has used Microsoft Edge browser to visit some websites. Select the visited website from the following list [2 Marks]:
www.abc.net.au www.bloomberg.com www.cbsnews.com www.coursera.org www.thisiscolossal.com www.presstv.ir www.thesun.co.uk www.cnbc.com www.rottentomatoes.com
a.2) Select one Process ID related to the above visited website (multiple correct answers are possible, you can select only one) [1 Marks]:
b.1) The user has also searched the web using a search engine in the MSEdge browser. Select the search engine that was used from the following list
Bing WebCrawler DuckDuckGo Rumble Excite Youtube Yandex
Ecosia Google Brave Search
b.2) Select one of the user’s searches from the following list: [2 Marks]:
detect an attacker in your network
What are the potential risks of AI in terms of privacy
who ate my cheese
How does big pharma handle drug pricing and accessibility
what is a colour revolution
prepare memory forensics
what France did in Africa
who runs the world
how to buy fireworks
b.3) Select one Process ID related to the above search from the following list (multiple correct answers are possible, you can select only one) [1 Marks]:
Subtask 1.2: Tor
a.1) The user has used Tor browser to visit some websites. Select the visited website from the following list [2 Marks]:
www.presstv.ir www.globo.com www.bbc.com www.nbcnews.com www.wolframalpha.com www.facebook.com/heraldsun archive.org www.cnbc.com www.rottentomatoes.com
a.2) Select the Process ID related to the above visited website (multiple correct answers are possible, you can select only one) [1 Marks]:
b.1) The user has also searched the web using a search engine in Tor browser. Select one of the user’s searches from the following list [2 Marks]:
change my password
What is the impact of AI on job automation
what British did in China
where to buy dragons
is santa real
usa military bases
find my phone
why USA promotes war
what is ethereum
b.2) Select the Process ID related to the above search from the following list (multiple correct answers are possible, you can select only one) [1 Marks]:
Task 2: Inspecting Notepad Text Editor activities
a.1) The user has used the Microsoft Notepad text editor to open the file C:\Users\Sepehr\Documents\my_customers.txt, which contained a list of 6 names. The user then edited the file by searching for one name and removing it from the list. Disk-based inspection of the saved file finds the following five names:
Froylan Joseph, Yennifer Mccann, Jakari Dodson, Kao Kent, Hyab Sullivan.
Find the removed name and enter it here: [4 Mark(s)]:
a.2) Select the PID of the process where you found the name [1 Marks]: 10904
b.1) The user has opened a new tab in Notepad and entered some text. The entered text has not been saved to any file. Part of the entered text is 16 hex digits immediately followed by the word “Flag”, with no spaces in between; for example ################Flag, where each # represents one hex digit. Enter this exact value here [4 Mark(s)]:
b.2) Select the PID of the process where you found the value [1 Marks]:
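Added worked example for Task 1 and Task 2 (this is editorial material, not part of the original assessment and not the marking scheme). Both tasks come down to the same step: carve strings out of a process's memory (for instance the per-process dump written by Volatility 3 `windows.memmap --dump --pid <PID>`). Edge and Notepad, like most Windows GUI programs, hold text as UTF-16LE, while network buffers and cache entries are plain ASCII, so a search that only looks at one encoding misses half the evidence. The script below searches both, decodes search-engine query strings, and looks for the 16-hex-digits-plus-Flag pattern. `SAMPLE_REGION`, the search-engine table and every URL, query and flag in it are constructed for this example and are not taken from the dump.

```python
"""Carve URLs, search queries and the Task 2 flag pattern from process memory.

Added example, not part of the original assessment. Windows GUI programs
such as Edge and Notepad keep text in memory as UTF-16LE, while network
buffers and cache entries are usually ASCII, so every pattern is searched
in both encodings. Input is a bytes object such as the per-process dump
written by Volatility 3 'windows.memmap --dump --pid <PID>'.
SAMPLE_REGION below is constructed; its URLs, query and flag are made up.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Host -> name of the query parameter that carries the search terms.
# Assumed mapping for some of the engines listed in the quiz; extend as needed.
SEARCH_ENGINES = {
    "www.bing.com": "q",
    "www.google.com": "q",
    "duckduckgo.com": "q",
    "www.ecosia.org": "q",
    "search.brave.com": "q",
    "yandex.com": "text",
}

# RFC 3986 characters; a match stops at NUL, whitespace, quotes and brackets.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# Task 2 format: exactly 16 hex digits immediately followed by "Flag".
FLAG_RE = re.compile(rb"[0-9A-Fa-f]{16}Flag")


def text_views(blob: bytes):
    """Yield (encoding, ascii_bytes) views to run the byte regexes over.

    The UTF-16LE view is built from runs of 4+ printable ASCII code units
    (h\\x00t\\x00t\\x00p\\x00...) with the NUL bytes dropped and the runs
    joined by newlines, so the same ASCII regexes apply unchanged.
    """
    yield "ascii", blob
    runs = re.findall(rb"(?:[\x20-\x7e]\x00){4,}", blob)
    yield "utf-16le", b"\n".join(run[::2] for run in runs)


def carve(blob: bytes, pattern: re.Pattern) -> list[str]:
    """All distinct matches of pattern in either encoding, in order found."""
    found: list[str] = []
    for _enc, view in text_views(blob):
        for m in pattern.finditer(view):
            s = m.group(0).decode("ascii", "replace").rstrip(".,;)'\"")
            if s not in found:
                found.append(s)
    return found


def carve_urls(blob: bytes) -> list[str]:
    return carve(blob, URL_RE)


def carve_flags(blob: bytes) -> list[str]:
    return carve(blob, FLAG_RE)


def visited_hosts(urls: list[str]) -> set[str]:
    """Hostnames of the carved URLs (the 'visited website' parts of Task 1)."""
    return {h for h in (urlsplit(u).hostname for u in urls) if h}


def search_queries(urls: list[str]) -> list[tuple[str, str]]:
    """(engine host, decoded query) for URLs that look like search requests."""
    out = []
    for url in urls:
        parts = urlsplit(url)
        param = SEARCH_ENGINES.get(parts.hostname or "")
        if not param:
            continue
        for q in parse_qs(parts.query).get(param, []):  # undoes '+' and %xx
            out.append((parts.hostname, q))
    return out


# Constructed stand-in for a dumped process region: an ASCII network buffer,
# UTF-16LE strings as Edge/Notepad hold them, and binary junk in between.
SAMPLE_REGION = (
    b"\x00\x00GET /search?q=example+search+terms HTTP/1.1\r\nHost: www.bing.com\r\n"
    b"https://www.bing.com/search?q=example+search+terms&form=QBLH\x00\x00"
    + "https://www.example-news.test/2023/story/".encode("utf-16le")
    + b"\xde\xad\xbe\xef" * 8
    + "https://duckduckgo.com/?q=another+example+query&t=h_".encode("utf-16le")
    + b"\x00\x00"
    + "notes: 0123456789ABCDEFFlag is the token".encode("utf-16le")
    + b"\x01\x02"
)

if __name__ == "__main__":
    urls = carve_urls(SAMPLE_REGION)
    print("hosts   :", sorted(visited_hosts(urls)))
    print("searches:", search_queries(urls))
    print("flags   :", carve_flags(SAMPLE_REGION))
```

Run the same functions over each candidate process dump: Edge and Tor are multi-process, so the same URL typically turns up in several renderer and network processes, which is why the quiz accepts more than one PID. For Notepad, the UTF-16LE view is the one that matters, and an unsaved tab's text lives only in that process's memory.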
Task 3: Malicious Activity 1
The user has run an executable file from a mapped network drive; the executable starts a reverse shell to a malicious server.
a) Find the name of the malicious executable [2 Mark(s)]:
b) Enter the PID of the malicious process that was created when the above executable was run [2 Mark(s)]:
c) Dump the malicious executable from memory and compute its SHA256 hash. Select the computed hash from the following list: [2 Marks]:
F9922D7D27A77AE66E7CA10DA655DAF374B39
342016EE021A220C032E174389A764F2C4ED53
06E460767A09F4B70302E778D31C813CB31BB8
DA0AA9503C1494B676CC0661DBC89EC2FEFD3
EF7771787287BD567CEF081BE1DF5AA7246EBA
0CEF166FE62AF224588736CAC843E46BE04431
7E6334C097AA36DEB55BDE82D63576BCC6450
D08CDDD1EE90AEA35DBF34D4D5514E405BC21
6AB73F52F668DBB0A0E96FE95247D730DFB83E
922D3DE0BDC152C8A15664C78C6A3B36C4779
d) Find the drive letter of the mapped network share [2 Marks]:
e) The network share is provided by a Samba server (Samba is a Linux implementation of Microsoft's SMB network file-sharing protocol). The share was mapped to a drive letter using a command. Find the IP address of the server and the username and password used to map the network drive.
e.1) IP address of the server [2 Mark(s)]:
e.2) Username [2 Mark(s)]:
e.3) Password [2 Mark(s)]:
f) Find the IP address and the port number of the malicious server used for reverse shell connection.
f.1) IP address [2 Mark(s)]:
f.2) Port number [2 Mark(s)]:
g) The malicious server creates a new folder inside the user's Documents folder and uploads a new malicious executable into it.
g.1) The new folder name [2 Mark(s)]:
g.2) Filename of the uploaded executable [2 Mark(s)]:
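Added worked example for Task 3 (d) and (e) (editorial material, not part of the original assessment). The mapping command usually survives in memory as a process command line (Volatility 3 `windows.cmdline`), in the cmd.exe console buffer, or as a loose string, and its syntax is `NET USE [drive: | *] \\server\share [password | *] [/USER:[domain\]user] [/PERSISTENT:...]`. The positional password and the `/user:` switch may appear in either order, `*` means "next free letter" before the UNC path and "prompt for password" after it, and net.exe hands the real work to net1.exe, so the same line commonly appears twice under two PIDs. The parser below handles those cases; the `CMDLINES` rows, server address, share, user names and passwords are constructed for the example and are not from the dump.

```python
"""Recover the 'net use' mapping (drive, server, share, user, password).

Added example, not part of the original assessment. Parses the command
line that mapped the share, as recovered from Volatility 3 'windows.cmdline'
or a console buffer. Sample lines are constructed; server, names and
passwords are made up.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)")   # \\server\share[\...]
DRIVE_RE = re.compile(r"^(?:[A-Za-z]:|\*)$")       # 'Z:' or '*' (next free)


@dataclass
class NetUse:
    drive: Optional[str]     # 'Z:', '*' or None
    server: str              # host name or IP from the UNC path
    share: str
    username: Optional[str]
    domain: Optional[str]
    password: Optional[str]  # None when absent or '*' (prompted for)


def parse_net_use(cmdline: str) -> Optional[NetUse]:
    """Return the mapping described by a 'net use' command line, else None."""
    # posix=False keeps backslashes literal and leaves quotes on the token.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    low = [t.lower() for t in tokens]
    for i in range(1, len(tokens)):
        exe = low[i - 1].rsplit("\\", 1)[-1]          # drop any leading path
        if low[i] == "use" and exe in ("net", "net.exe", "net1", "net1.exe"):
            args = tokens[i + 1:]
            break
    else:
        return None                                    # not a 'net use' line

    username = domain = password = drive = server = share = None
    seen_unc = False
    for arg in args:
        if arg.lower().startswith("/user:"):
            domain, _, username = arg[len("/user:"):].rpartition("\\")
            domain = domain or None
        elif arg.startswith("/"):
            continue                                   # /persistent, /delete, ...
        elif not seen_unc and (m := UNC_RE.match(arg)):
            server, share, seen_unc = m.group(1), m.group(2), True
        elif not seen_unc and DRIVE_RE.match(arg):
            drive = arg.upper()
        elif seen_unc and password is None and arg != "*":
            password = arg                             # positional password
    if server is None:
        return None                                    # e.g. 'net use Z: /delete'
    return NetUse(drive, server, share, username, domain, password)


# Constructed rows in the shape of 'windows.cmdline' output: (PID, process, args).
CMDLINES = [
    (7204, "cmd.exe", r'"C:\Windows\system32\cmd.exe" '),
    (7320, "net.exe", r'net use Z: \\192.0.2.20\share P@ss!w0rd /user:CORP\smbuser /persistent:no'),
    (7332, "net1.exe", r'C:\Windows\system32\net1 use Z: \\192.0.2.20\share P@ss!w0rd /user:CORP\smbuser /persistent:no'),
    (8104, "explorer.exe", r'C:\Windows\Explorer.EXE'),
]


def mappings_from_cmdlines(rows) -> list[tuple[int, NetUse]]:
    """(pid, mapping) for every row whose command line maps a share."""
    out = []
    for pid, _name, cmd in rows:
        parsed = parse_net_use(cmd)
        if parsed:
            out.append((pid, parsed))
    return out


if __name__ == "__main__":
    for pid, mapping in mappings_from_cmdlines(CMDLINES):
        print(pid, mapping)
```

If the net.exe process has already exited, `windows.cmdline` will not list it; the same string can still be recovered from the cmd.exe console buffer (`windows.consoles`/`windows.cmdscan`) or by carving the parent process's memory, and `parse_net_use` accepts the bare line in either case.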
Task 4: Malicious Activity 2
The user has downloaded a malicious executable from a website and has run the file.
a) Find the URL of the website and the filename.
a.1) URL (excluding the filename) [2 Mark(s)]:
a.2) Filename (as downloaded with all the extensions) [2 Mark(s)]:
b) Find the PID of the malicious process: [2 Mark(s)]:
c) The malicious process creates a reverse shell to a malicious server. Find the IP address and the port number of the malicious server.
c.1) IP address [4 Mark(s)]:
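Added worked example for Task 3 (f) and Task 4 (c) (editorial material, not part of the original assessment). The remote IP and port of a reverse shell are the foreign address of the established TCP connection owned by the malicious PID, which Volatility 3 `windows.netscan` lists alongside the owning process. The helper below parses the tab-separated table the default renderer prints, tolerating the empty State column of UDP rows, and returns the endpoints for a PID; a second view groups established connections by owner for triage when the PID is not yet known. The same table also shows the SMB (port 445) session to the share server, which cross-checks the server address from Task 3 (e.1). `NETSCAN_SAMPLE` is constructed for this example using documentation address ranges and made-up PIDs and process names; it is not output from the real dump.

```python
"""Find a reverse-shell endpoint in Volatility 3 'windows.netscan' output.

Added example, not part of the original assessment. Parses the tab-separated
table printed by the default renderer, keeps rows with a numeric PID and
tolerates the empty State column of UDP rows. NETSCAN_SAMPLE is constructed
(documentation IP ranges, made-up PIDs and names).
"""
from dataclasses import dataclass


@dataclass
class Conn:
    proto: str
    local: str      # 'ip:port'
    remote: str     # 'ip:port'
    state: str      # 'ESTABLISHED', 'LISTENING', ... or '' for UDP
    pid: int
    owner: str


def parse_netscan(text: str) -> list[Conn]:
    """Connection rows from netscan output; banner and header lines are skipped."""
    conns = []
    for line in text.splitlines():
        # Tab-separated from the renderer; whitespace split for pasted output
        # (which drops an empty State column and then fails the checks below).
        parts = [p.strip() for p in (line.split("\t") if "\t" in line else line.split())]
        if len(parts) < 9 or not parts[0].startswith("0x") or not parts[7].isdigit():
            continue
        _off, proto, laddr, lport, raddr, rport, state, pid, owner = parts[:9]
        conns.append(Conn(proto, f"{laddr}:{lport}", f"{raddr}:{rport}",
                          state, int(pid), owner))
    return conns


def reverse_shell_endpoints(text: str, pid: int) -> list[tuple[str, int]]:
    """Remote (ip, port) of every established TCP connection owned by pid."""
    out = []
    for c in parse_netscan(text):
        if c.pid == pid and c.proto.startswith("TCP") and c.state == "ESTABLISHED":
            ip, port = c.remote.rsplit(":", 1)      # rsplit keeps IPv6 intact
            out.append((ip, int(port)))
    return out


def established_by_owner(text: str) -> dict[str, list[tuple[int, str]]]:
    """owner -> [(pid, 'ip:port')] for established TCP connections.

    A triage view for when the malicious PID is not yet known: an unfamiliar
    owner talking to a non-standard remote port is the row to pivot on.
    """
    view: dict[str, list[tuple[int, str]]] = {}
    for c in parse_netscan(text):
        if c.proto.startswith("TCP") and c.state == "ESTABLISHED":
            view.setdefault(c.owner, []).append((c.pid, c.remote))
    return view


# Constructed netscan output (not from the real dump).
NETSCAN_SAMPLE = "\n".join([
    "Volatility 3 Framework",
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated",
    "0x9e0d8e8f1a20\tTCPv4\t192.0.2.10\t49812\t198.51.100.7\t4444\tESTABLISHED\t6532\tpayload.exe\t2023-09-01 03:12:44.000000 ",
    "0x9e0d8e8f2b30\tTCPv4\t192.0.2.10\t49801\t192.0.2.20\t445\tESTABLISHED\t4\tSystem\t2023-09-01 03:10:02.000000 ",
    "0x9e0d8e8f3c40\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t924\tsvchost.exe\t2023-09-01 03:00:11.000000 ",
    "0x9e0d8e8f4d50\tUDPv4\t0.0.0.0\t5353\t*\t0\t\t2140\tsvchost.exe\t2023-09-01 03:00:15.000000 ",
])

if __name__ == "__main__":
    print(reverse_shell_endpoints(NETSCAN_SAMPLE, 6532))
    print(established_by_owner(NETSCAN_SAMPLE))
```

A reverse shell that has already closed leaves no ESTABLISHED row; in that case fall back to carving the malicious process's memory for the IP:port string, or check the connection's CLOSED/CLOSE_WAIT remnants that netscan still reports from freed pool memory.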