
FRS301 - LAB 4B

Quách Hoàng Nam - SE161409 - IA1705

Start Your Windows Machine


Launch your Windows machine. If necessary, log in as Administrator with the password P@ssw0rd
If you are given a choice, start it with the full RAM, not the reduced amount.
There should be a memdump.mem file on your Windows desktop. Drag it out of the virtual machine
and drop it on the host Windows Server 2008 machine's desktop.
When the copy finishes, close the Windows virtual machine.

Start Your Kali Linux Machine


You may find it helpful to add RAM to your Kali Linux virtual machine to make it faster. I increased
mine to 2 GB.
Launch your Kali Linux machine. If necessary, log in as kali with the password kali
Drag the memdump.mem file from your Windows 10 or Windows 11 host machine's desktop and
drop it on your Kali Linux desktop.
Note: the VMware Tools copy process is buggy and sometimes fails to copy the entire file.
You may see an error message and have to click "Retry".

Running Bulk Extractor


In your Kali Linux machine, open a Terminal window and execute these commands:
cd
cd Desktop
ls -l
Note that the last command is "LS -L" in lowercase.
You should see the memdump.mem file, which should be approximately 500 MB in size, as shown
below.
In your Kali Linux machine, in a Terminal window, execute this command:
bulk_extractor -o bulk -e wordlist memdump.mem
If you see a message saying "xml is inconsistent at line 142," that means the output folder already
exists.
To fix it, replace "-o bulk" with "-o bulk2".
This tells Bulk Extractor to gather data from the memdump file, put the results in a folder named
"bulk", and compile a wordlist of all readable strings.
Bulk Extractor will take several minutes to run and output progress messages, as shown below:

Viewing the Results
In the Terminal window, execute these commands:
cd bulk
ls -l
You see the files Bulk Extractor created, finding IP addresses, domains, emails, and many other things,
as shown below:

Domain Names
In the Terminal window, execute this command:
nano domain_histogram.txt
You see the domains visited on this computer, and the number of times each was visited, as shown
below:
Press Ctrl+X to close nano.

Telephone Numbers
In the Terminal window, execute this command:
nano telephone_histogram.txt
You should see your phone number, as you entered it in the form AccessData required you to fill out to
download FTK Imager.
Press Ctrl+X to close nano.

Credit Card Numbers
In the Terminal window, execute this command:
nano ccn_histogram.txt
You see the credit card numbers found, as shown below:

Word List
In the Terminal window, execute this command:
nano wordlist.txt
You see the words found, and the number of times each word was found. This list is useful as a
dictionary when cracking encrypted files or folders.

Email Addresses
In the Terminal window, execute this command:
nano email_histogram.txt
You see the email addresses used on this computer, and the number of times each one appeared in the
memory dump. Scroll down and find your own email address, as shown below:
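The histogram files opened above share one layout, so they can be read programmatically instead of paging through nano. The parser below is an added example, not part of the lab or of bulk_extractor itself; it assumes the "n=COUNT<TAB>FEATURE" line layout and uses a constructed sample standing in for a real domain_histogram.txt.

```python
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample in the bulk_extractor histogram layout: "#" header
# lines, then one "n=COUNT<TAB>FEATURE" line per distinct value, sometimes
# with a trailing "(utf16=N)" note for hits that were found UTF-16 encoded.
SAMPLE_HISTOGRAM = """\
# BANNER FILE NOT PROVIDED (-b option)
# Feature-File-Version: 1.1
n=214\tmicrosoft.com
n=57\texample.org
n=12\tmail.example.org\t(utf16=4)
n=3\tlogin.example-update.net
"""

LINE_RE = re.compile(r"^n=(\d+)\t([^\t]+?)(?:\t\(utf16=(\d+)\))?\s*$")


def parse_histogram(text: str) -> Counter:
    """Return a Counter mapping each feature to its total count n."""
    counts: Counter = Counter()
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line or line.startswith("#"):
            continue  # header / comment line
        m = LINE_RE.match(line)
        if m is None:
            continue  # unknown layout: skip rather than mis-attribute a count
        counts[m.group(2)] += int(m.group(1))
    return counts


def top_features(counts: Counter, n: int = 10) -> List[Tuple[str, int]]:
    """Most frequent features first; ties broken alphabetically for stable output."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def group_by_parent_domain(counts: Counter) -> Counter:
    """Fold subdomains into their last-two-label parent (mail.example.org -> example.org)."""
    parents: Counter = Counter()
    for domain, n in counts.items():
        labels = domain.lower().split(".")
        parents[".".join(labels[-2:])] += n
    return parents


if __name__ == "__main__":
    hist = parse_histogram(SAMPLE_HISTOGRAM)
    for feature, n in top_features(hist, 3):
        print(f"{n:6d}  {feature}")
```

To run it on the real output, replace SAMPLE_HISTOGRAM with the contents of bulk/domain_histogram.txt (or any other *_histogram.txt file the lab opens).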
