ComputerSecurityStudent (CSS) [Login] [Join Now]




|FORENSICS >> Lime Forensics >> Current Page |Views: 40802

(Lime Forensics: Lesson 1)

{ Capture Image From Metasploitable VM (Ubuntu 8.04) }


Section 0. Background Information
  1. Lime Forensics
    • LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
    • http://code.google.com/p/lime-forensics/

  2. Metasploitable 
  3. Pre-Requisite Lab  
  4. Caveats?
    • ADB is android tool, which allows a person to dump a line image through a TCP connection.
    • Unfortunately, I have not figured out how to use the "path=tcp:4444" option with Netcat for the Linux environment.

  5. Lab Notes
    • In this lab we will do the following:
      1. Prepare build the kernel source for the Ubuntu 8.04 VM.
      2. Download Lime Forensics.
      3. Compile Lime Forensics.
      4. Capture an Ubuntu 8.04 image using Lime Forensics

  6. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.

 

Section 1. Start Up the Metasploitable VM
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer

     

  2. Open a Virtual Machine
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open the Metasploitable VM
    • Instructions:
      1. Navigate to where the Metasploitable VM is located
      2. Click on on the Metasploitable VM
      3. Click on the Open Button

     

  4. Edit the Metasploitable VM
    • Instructions:
      1. Select Metasploitable2-Linux VM
      2. Click Edit virtual machine settings

     

  5. Edit the Metasploitable VM
    • Instructions:
      1. Click on "Network Adapter NAT"
      2. Select the radio button "Bridged: Connected directly to the physical network"
      3. Click on the OK button
    • Warning:
      • By changing from NAT to Bridged opens the VM and network up to potential attacks.
      • To maintain a safe network, you could (1) skip this section and only use the host-only network, (2) unplug your router from the internet, (3) use an ACL to not allow traffic into your network, etc.

     

  6. Play the Metasploitable VM
    • Instructions:
      1. Click on the Metasploitable VM
      2. Click on Play virtual machine

 

Section 2. Determine Metasploitable IP Address
  1. Logging into Metasploitable
    • Instructions
      1. Username: msfadmin
      2. Password: msfadmin or whatever you changed it to in lesson 1.

     

  2. Change the msfadmin password
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • This is the IP Address of the Victim Machine.
      • My IP Address is 192.168.1.112.
      • Record your IP Address.

     

  3. Become Root
    • Instructions:
      1. sudo su -
      2. Supply The Password

 

Section 3. Prepare Environment
  1. Update apt-get's repository
    • Note(FYI):
      • Before we install any packages it is always a good idea to update Ubuntu's package repository.
    • Instructions:
      1. apt-get update

     

  2. Looking for kernel build directory
    • Instructions:
      1. cd /lib/modules/`uname -r`
      2. ls -la
    • Note(FYI):
      • Notice there is no build directory.
      • Most programs that need to be compiled will require special kernel files, libraries, and utilities which is located in the following directory:
        • /lib/modules/`uname -r`/build

     

  3. Installing kernel headers
    • Instructions:
      1. apt-cache search `uname -r` | grep header
      2. apt-get install linux-headers-2.6.24-16-server
      3. Do you want to continue [Y/n]? Y

     

  4. Verifying the build directory exists
    • Instructions:
      1. ls -ld /lib/modules/`uname -r`/build
    • Note(FYI):
      • Notice the build directory is really a symbolic link.

 

Section 4. Download and Compile Lime Forensics
  1. Download Lime Forensics
    • Instructions:
      1. mkdir -p /var/tmp/tools
      2. cd /var/tmp/tools
      3. wget http://lime-forensics.googlecode.com/files/lime-forensics-1.1-r14.tar.gz
      4. ls -l lime-forensics-1.1-r14.tar.gz

     

  2. Un-tar Lime Forensics
    • Instructions:
      1. tar zxovf lime-forensics-1.1-r14.tar.gz

     

  3. Compile Lime Forensics
    • Instructions:
      1. cd src
      2. make

 

Section 5. Create Lime Forensics Image
  1. Create Lime Forensics Image
    • Instructions:
      1. mkdir -p ../../images
      2. insmod lime-2.6.24-16-server.ko "path=/var/tmp/images/ram.lime format=lime"
      3. ls -l ../../images/ram.lime

     

Section 6. Start Up the BackTrack5R1 VM
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer

     

  2. Open a Virtual Machine
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open the BackTrack5R1 VM
    • Instructions:
      1. Navigate to where the BackTrack5R1 VM is located
      2. Click on on the BackTrack5R1 VM
      3. Click on the Open Button

     

  4. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  5. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

     

  6. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  7. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  8. Bring up the GNOME
    • Instructions:
      1. Type startx

     

  9. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  10. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.108.
      • In your case, it will probably be different.

     

  11. Copy Over Lime Memory Dump
    • Note(FYI):
      • Replace 192.168.1.112 with your Metasploitable's IP Address obtained in (Section 2, Step 2)
    • Instructions:
      1. cat /dev/null > /root/.ssh/known_hosts
      2. mkdir -p /forensics/images
      3. cd /forensics/images/
      4. scp root@192.168.1.112:/var/tmp/images/ram.lime .
      5. yes
      6. Enter Metasploitable Root Password

     

Section 7. Proof of Lab
  1. Proof of Lab
    • Note(FYI):
      • Perform the below commands on the Metasploitable VM.
    • Proof of Lab Instructions
      1. ls -l /var/tmp/images/ram.lime
      2. date
      3. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
      4. Press the <Ctrl> and <Alt> key at the same time.
      5. Press the <PrtScn> key.
      6. Paste into a word document
      7. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth