The memory dump collected from a suspect machine contains not only artifacts related to the browser but also traces of all the activities that occurred on it. Analyzing a RAM dump can help investigators find all details pertaining to the activities that an attacker has performed on the system using Tor Browser.
Lab Scenario
Forensic investigators have seized a computer belonging to a drug trafficker who is suspected of expanding his drug smuggling network through the dark web. During the investigation, it was found that the suspect had been using Tor Browser on his system to engage in drug trafficking and its expansion. To extract more information on the suspect’s activities related to drug trafficking, investigators need to analyze the RAM dump of his system so that it reveals all his activities on Tor Browser. The artifacts obtained from the RAM dump can help the investigators extract evidence that can be used to prosecute the suspect.
As a forensic investigator, you must know how to analyze the RAM dump of a suspect machine and retrieve Tor Browser artifacts.
Lab Objectives
The objective of this lab is to help you learn how to examine a RAM dump and recover potential artifacts pertaining to Tor Browser using the Bulk Extractor tool.
Lab Environment
A computer running Windows Server 2016 virtual machine
Administrative privileges to execute commands
A web browser with internet access
Download Browser Analysis Tools\Bulk Extractor
Note: You can download the latest version of Bulk Extractor from the link https://github.com/simsong/bulk_extractor/wiki/Downloads
If you are using the latest version of the software for this lab, then the steps and screenshots demonstrated in the lab might differ.
Note: Make sure that Real Time Protection is disabled in the Windows 10 virtual machine (if it is running) before beginning this lab.
Lab Duration Time: 40 minutes
Overview of the Lab
This lab familiarizes you with the process of analyzing a RAM dump containing Tor Browser artifacts with the help of Bulk Extractor.
Lab Tasks
1. Log in to the Windows Server 2016 virtual machine.
2. Before beginning the lab, we will create two folders named TOR Report (Browser Opened) and TOR Report (Browser Closed) on the Desktop. These two folders are going to serve as our case folders, which will store the Tor Browser artifacts retrieved in the respective events of the browser being open and closed.
3. Double-click on bulk_extractor-1.5.5-windowsinstaller.exe to launch the set-up and follow the wizard-driven installation steps to complete the installation of Bulk Extractor.
4. Upon completing the installation, launch the Bulk Extractor application from the Start menu by clicking on the Start button (Windows icon) on the task bar, as shown in the screenshot below:
5. The main window of the application, i.e., Bulk Extractor Viewer, will open. Click the Generate a report using bulk_extractor icon, as shown in the screenshot below:
6. Now, the Run bulk_extractor window will open, as shown in the screenshot below:
Note: Reduce the height and adjust the position of the Run bulk_extractor window manually in order to view the options specific to the tool located at the bottom of the window.
7. Now, we need to use the ellipsis buttons to browse to the Image File and the Output Feature Directory, as indicated in the screenshot below:
8. Upon clicking the ellipsis button against the Image File field, you will see the Image File to Extract Features From window. Navigate to C:\CHFI-Tools\Evidence Files\Forensic Images. From the Files of type drop-down, select All Files, then select the file TOR_Opened.mem, and then click Open to provide the Image File.
9. Similarly, upon clicking the ellipsis button against the Output Feature Directory field, you will see the Output Feature Directory window. Select Desktop, then select the TOR Report (Browser Opened) folder, and then click Select to provide the Output Feature Directory, as indicated in the screenshot below:
10. We have provided the Image File and Output Feature Directory, and their paths will be displayed in their respective fields, as shown in the screenshot below. Now, ensure that all options under the Scanners section are checked and then click Submit Run, as highlighted in the screenshot:
11. The bulk_extractor Scan window appears, where the input file is scanned. The progress of the scan and case creation can be seen in the window, as shown in the following screenshot:
12. Upon the successful completion of the scan, go back to the Bulk Extractor Viewer window. We will now begin investigating the Tor Browser artifacts that were obtained when the browser was in an open state.
13. Now, in the left pane of the application window, you will see the TOR Report (Browser Opened) folder populated under the Reports section. Click the folder to expand it and view its contents.
14. Select the domain.txt file to determine all website domains that were visited on the suspect machine’s Tor Browser. You will see several different domains listed under domain.txt. Upon scrolling down, we find numerous instances of the use of the mail.google.com domain, as seen in the screenshot below. This tells us that there were numerous instances of Gmail being used to exchange emails.
15. Now, we will look for email IDs associated with Gmail, as several instances of mail.google.com under domain.txt have been located, as seen in the screenshot above. To find the email IDs that have been recorded in this memory dump file, i.e., TOR_Opened.mem, click on email.txt in the left pane under the Reports section. You will see all email IDs (including Gmail IDs) recorded in the memory dump, as highlighted in the screenshot below:
16. From the screenshot above, we can infer that there are multiple instances of the use of a Gmail ID. For demonstration purposes, we have highlighted the region where we see the Gmail ID jasoncreek2020@gmail.com in this lab. In a real investigation, you might find instances wherein several email IDs from Gmail or any other email service provider(s) have been recorded.
17. Now, we will examine the contents of the json.txt file. A JSON file stores information on the data exchange that has taken place between a browser/web application and a server. By examining the contents of the json.txt file here, we can retrieve the details of email exchanges on the browser (in this case, Tor Browser).
18. Therefore, when you first click on json.txt (1), you will find several entries in the Feature File section in the upper half of the middle pane in the application window. Since we have previously found a number of entries pertaining to the email ID jasoncreek2020@gmail.com under email.txt, we are assuming that this email ID belongs to a suspect user. As a second step, enter jasoncreek2020@gmail.com in the Feature Filter field (2) and press Enter to obtain the artifacts of email communication related to the mentioned email ID under the Feature File section (3).
19. We need to carefully examine each of the entries obtained under the Feature File section as seen in the screenshot above to find the artifacts of malicious email communication. Upon carefully examining each entry by clicking on them, we can retrieve the artifacts of a malicious email communication.
Note: When you click on any entry, you can see the highlighted part related to the entry in the right pane of the window.
Note: A slightly enlarged view of the right pane of the window in the screenshot above has been presented below for improved readability.
Note: For the purpose of demonstrative ease in this lab, and to save time, we have confined our investigation to retrieving malicious email artifacts that relate to the email ID jasoncreek2020@gmail.com (assuming it to be a suspect email ID). In a real investigation, however, you might have to examine email communication from several other email IDs in order to identify the suspects or the suspect email IDs in a case.
20. From the above screenshot, we can summarize our observations as follows:
A. Email ID of the sender: jasoncreek2020@gmail.com
B. Email ID of the receiver: rinimatthews@gmail.com
C. Subject of the email: Share the Missile Codes
D. The body of the email: As discussed, I am sharing the codes for launching the missiles. You can find them in the attachment.
E. Attachment found in the email: Secret_Codes.txt
21. In this manner, we can retrieve the malicious email exchanges that took place through the Tor Browser.
22. Now, we will retrieve the artifacts stored in the url.txt file. The url.txt file will provide us information on all URLs that have been visited through the suspect machine’s Tor Browser. Before moving to this task, ensure that you remove the jasoncreek2020@gmail.com filter from the Feature Filter field, which we had applied for our previous task of finding email artifacts from the json.txt file.
23. Now, click on url.txt in the left pane of the application window under the Reports section. The application will display all artifacts stored in url.txt under the Feature File section, as displayed in the following screenshot:
24. Now, we will examine the artifacts stored in url_searches.txt. Examining the artifacts of url_searches.txt will provide us information about all the search queries that were made on the suspect machine’s Tor Browser.
25. Click on url_searches.txt in the left pane of the application window under the Reports section. All queries that have been searched on the suspect machine’s Tor Browser will now be listed under the Histogram File section in the upper half of the middle pane in the application window, as indicated in the screenshot below:
26. In this manner, we can find URLs or content that have been browsed on the suspect machine’s Tor Browser.
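As an added example (not part of this lab or of the Bulk Extractor project), the filtering that the viewer's Feature Filter field performs on email.txt and json.txt, and the counting shown in the Histogram File section for url_searches.txt, can be reproduced directly on the report files with a few lines of Python. The feature-file and histogram contents below are constructed samples in the layout bulk_extractor writes ('#' header lines, then offset, feature and context separated by tabs; "n=COUNT" lines for histograms); the offsets, context bytes and domain counts are made up, and the email IDs are the ones used in this lab.

```python
from collections import Counter

# Constructed sample of a bulk_extractor feature file (email.txt): '#' header
# lines, then tab-separated "offset<TAB>feature<TAB>context" records.
# Offsets and context bytes are made up for this example.
EMAIL_TXT = """\
# BULK_EXTRACTOR-Version: 1.5.5
# Feature-Recorder: email
# Feature-File-Version: 1.1
1048576\tjasoncreek2020@gmail.com\t"from":"jasoncreek2020@gmail.com","to":"rinimatthews@gmail.com"
2097152\tsupport@example.com\t\\x00mailto:support@example.com\\x00
3145728\trinimatthews@gmail.com\t"to":"rinimatthews@gmail.com","subject":"Share the Missile Codes"
"""

# Constructed sample of a histogram file (url_searches.txt uses the same "n=COUNT<TAB>feature" layout).
DOMAIN_HIST_TXT = """\
# Feature-Recorder: domain
# Histogram-File-Version: 1.1
n=42\tmail.google.com
n=7\twww.google.com
n=3\texample.onion
"""

def parse_feature_file(text):
    """Return (offset, feature, context) tuples, skipping '#' comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t", 2)  # the context column may be absent
        if len(parts) >= 2:
            records.append((parts[0], parts[1], parts[2] if len(parts) == 3 else ""))
    return records

def filter_by_feature(records, needle):
    """Like the viewer's Feature Filter: keep records whose feature or context mentions needle."""
    needle = needle.lower()
    return [r for r in records if needle in r[1].lower() or needle in r[2].lower()]

def parse_histogram(text):
    """Return a Counter of feature -> count from a bulk_extractor histogram file."""
    counts = Counter()
    for line in text.splitlines():
        if line.startswith("n=") and "\t" in line:
            count, feature = line[2:].split("\t", 1)
            counts[feature] += int(count)
    return counts

if __name__ == "__main__":
    print(filter_by_feature(parse_feature_file(EMAIL_TXT), "jasoncreek2020@gmail.com"))
```

Point parse_feature_file at the real email.txt or json.txt in a case folder (read with errors="replace", since context bytes are not always valid text) to get the same hit list the viewer shows after filtering, in a form that can be pasted into the lab report.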
27. Now, we will examine the Tor Browser artifacts obtained when the browser was in a closed state.
28. In the Bulk Extractor Viewer window, click on the Generate a report using bulk_extractor icon.
29. The Run bulk_extractor window opens, as shown in the screenshot below:
30. Now, click on the ellipsis buttons to browse and provide the Image file and the Output Feature Directory, as indicated in the screenshot below:
31. Upon clicking the ellipsis button against the Image File field, the Image File to Extract Features From window will appear. Navigate to C:\CHFI-Tools\Evidence Files\Forensic Images. From the Files of type drop-down, select All Files, select the file TOR_Closed.mem, and then click Open to provide the Image File.
32. Similarly, upon clicking the ellipsis button against the Output Feature Directory field, you will see the Output Feature Directory window. Select Desktop, then select the TOR Report (Browser Closed) folder, and then click Select to provide the Output Feature Directory, as indicated in the screenshot below:
33. We have now provided the Image File and Output Feature Directory, and their paths will be displayed in their respective fields, as shown in the screenshot below. Now, ensure that all options under the Scanners section are checked, and then click on Submit Run, as highlighted in the screenshot:
34. The bulk_extractor Scan window appears, where the input file is scanned. The progress of the scan and case creation can be seen in the window, as shown in the following screenshot:
35. Upon the successful completion of the scan, go back to the Bulk Extractor Viewer window. We will now be investigating the Tor Browser artifacts that were obtained when the browser was in a closed state.
36. Now, in the left pane of the application window, you will see the TOR Report (Browser Closed) folder populated under the Reports section. You may now collapse the previously expanded TOR Report (Browser Opened) folder and expand the TOR Report (Browser Closed) folder to view the contents stored under it.
37. We will begin our forensic examination by first retrieving the information stored in domain.txt.
38. Select the domain.txt file to determine all website domains that were visited on the suspect machine’s Tor Browser. You will see several different domains listed under the Feature File domain.txt section in the middle pane of the window. Upon scrolling down, we find numerous instances of the use of the mail.google.com domain, as seen in the screenshot below. This tells us about numerous instances where Gmail was used to exchange emails. Click/Select any of the instances of mail.google.com if you want to find any specific artifacts associated with it. The artifacts, if any, will appear in the right pane of the window.
39. Now, several instances of mail.google.com are listed under domain.txt, as seen in the screenshot above. We will look for email IDs associated with Gmail. To find email IDs that have been recorded in this memory dump file, i.e., TOR_Closed.mem, click on email.txt in the left pane under the Reports section. You will see all email IDs (including Gmail IDs) that have been recorded in the memory dump, as highlighted in the screenshot below:
40. From the screenshot above, we can infer that there are multiple instances of the use of a Gmail ID. For demonstration purposes, in this lab, we have highlighted the region where we see multiple entries pertaining to the Gmail ID jasoncreek2020@gmail.com. In a real investigation, you might find instances wherein several different email IDs from Gmail or any other email service provider(s) have been recorded.
41. Now, we will examine the contents of the json.txt file. Follow the same procedure as in the previous case of examining the contents of the json.txt file for the Tor Browser Opened state. We will similarly use the email ID jasoncreek2020@gmail.com as a filter to obtain email messages related to the above-mentioned email ID, which is found to be malicious.
42. Therefore, first click on json.txt (1) in the left pane under the Reports section. As a second step, apply the mentioned email ID as a filter (2) to find the results related to it under the Feature File section (3), as indicated in the screenshot below:
43. We need to examine each of the entries obtained in the previous step to find artifacts of any malicious email communication. To examine the artifacts stored in an entry, select that entry. You will then be able to examine its artifacts in the right pane of the application window.
44. Now, upon carefully examining the entry highlighted under the Feature File section in the screenshot below, we find the artifacts of a malicious email communication:
Note: A slightly enlarged view of the right pane of the window seen in the screenshot above has been presented below for improved readability.
45. From the above screenshot, we can summarize our findings as follows:
A. Sender’s email ID: jasoncreek2020@gmail.com
B. Receiver’s email ID: rinimatthews@gmail.com
C. Subject of the email: Share the Missile Codes
D. Body of the email: As discussed, I am sharing the codes for launching the missiles. You can find them in the attachment.
E. Attachment found in the email: Secret_Codes.txt
46. We will now examine the artifacts stored in the url.txt file. Examining the artifacts of the url.txt file will provide us information about the URLs visited through the suspect machine’s Tor Browser. Before moving to this task, ensure that you remove the jasoncreek2020@gmail.com filter from the Feature Filter field, which we had applied to our previous task of finding email artifacts from the json.txt file.
47. Now, click on url.txt in the left pane of the application window under the Reports section. The application will list all URLs that have been visited through the suspect machine’s Tor Browser under the Feature File section, as indicated in the screenshot below:
48. We will now examine the artifacts stored in the url_searches.txt file. url_searches.txt will provide us information on all search queries made on the web through the Tor Browser. Therefore, click on url_searches.txt. All the artifacts stored in url_searches.txt will be displayed under the Histogram File section, as shown in the screenshot below:
49. In this manner, you can examine the RAM dump from a suspect machine and retrieve various artifacts pertaining to Tor Browser.
Lab Analysis
Analyze the result and document the findings of the lab.