ComputerSecurityStudent (CSS) [Login] [Join Now]

|FORENSICS >> HELIX >> Current Page |Views: 16675


{ Dump Window's Physical Memory to Netcat  }

Section 0. Background Information
  • Helix3 is a Live CD built on top of Ubuntu. It focuses on incident response and computer forensics. According to Helix3 Support Forum, e-fense is no longer planning on updating the free version of Helix.
  • See


  • In this lab, you will learn how to make a copy the memory of a Window Server's over the network to another server running netcat.
Section 1. Pre-requisites
  1. Lab 1 - Helix: Getting Started
  2. Lab 2 - Create a Helix Independent Server


Section 2. Logging Into TargetHelix01
  1. Booting up Helix
    • Instructions:
      1. Select TargetHelix01
      2. Play Virtual Machine
  2. Logging into Helix
    • Command:
      1. Login with your the username and password you created earlier.
      2. In my case, I create a username called "student".


  3. How to become root
    • Command:
      1. sudo su -
      2. Enter your current password for the account your logged in as.


  4. Determine IP Address
    • Command:
      1. ifconfig -a
    • Note:
      • In my case, my IP address is
      • You will use this IP address for your Netcat server.


  5. Setting Up Netcat
    • Command:
      1. mkdir -p /images
      2. cd /images
      3. nc -l -vvv -p 8888 > image.bin



Section 3. Logging Into TargetHelix01
  1. Edit the WindowsVulnerable01 virtual machine. (See Below)
    • Note: For those of you that don't have access to class material, this can be Windows XP, 2000, 2003 and 7.


  2. Configure Windows to boot off of Helix
    • Instructions
      1. Select CD/DVD (IDE)
      2. Select the Use ISO image file
      3. Browse to where you saved the Helix iso.
      • Note:  In my case, I save it in the following location:
      • H:\BOOT ISO\Helix2008R1.iso


  3. Play the Virtual Machine
    • Select Play Virtual Machine


  4. Booting from the ISO
    • At the same time, Click the right mouse key and the press the ESC button, when the screen starts to change to the VMware screen below.
    • Note: This might take you a few times so be patient!!!


  5. Boot Menu Selection
    • Command:
      1. Select CD-ROW Drive
      2. Press Enter


  6. Booting from Helix Options
    • Instructions:
      • Boot into the Helix Live CD
        • This will take you into a knoppix/linux operating systems.
        • Unfortunately, VMware seems to not allow mouse clicks. 
        • In the future, I will experiment with VirtualBox to see if the same issue is present.
      • Boot from first hard disk
        • Select this option.
        • This will allow you to run the Helix CD from Windows.


  7. Log into your Windows Machine
    • Instructions:
      • Its probably a good idea to long in with an administrator account to ensure you can run the Helix CD.


Section 4. Starting Helix and Acquire Image on WindowsVulnerable01
  1. Open Up My Computer
    • Command:  Start --> My Computer


  2. Starting Up Helix
    • Command
      • Right Click on Helix2008R1
      • Click on AutoPlay


  3. Select Language
    • Command:
      • Select English
      • Click Accept


  4. Live Memory Acquisition
    • Command:
      1. Click on the Camera
      2. Select \\Physical Memory
        • You have the option of acquiring the entire disk as well.
      3. Location Options:  Netcat
      4. Destination IP:
        • Note: This is the IP Address of the Helix Server found in(Section 2, Step 4)
      5. Port: 8888
      6. Acquire


  5. Notice
    • Command: Yes


  6. So what is going on?
    • Note:
      • Your physical memory is now being copied to the Helix server.
      • This will take between 5 to 10 minutes depending your system and network resources.
    • Next Steps:
      • Once the copy completes, the Black cmd.exe screen will close.
      • Once the screen closes, then move on to the next section.


Section 5. Verifying Image Copy on the Helix Server
  1. On your Helix Server
    • Note:  Once the copy completes on WindowsVulnerable01, you will see a similar received message "rcvd  536866816".


  2. Verifying your Image
    • Proof of Lab
    • Command
      1. cd /images
      2. ls -lrta
      3. Do a Print Screen, Paste into a Word Document, Upload to Moodle.



Section: Proof of Lab
  1. Cut and Paste a screen shot found in Section 5, Step 2 in a word and upload to Moodle. 


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth