Strange results using DD
I'm fairly new to the forensics scene so this may be a bit of a newbie question, but yesterday I wanted to play around with George Garner's modified version of DD to take a memory image of my work laptop.
Just before I did this, I opened up a command prompt and typed in a couple of keywords so that they would be held in memory. The idea was to then search for these keywords in the image file.
First I made the image of the RAM using the following
dd if=\\.\PhysicalMemory of=c:\ram_image.img bs=4096
Then I used the 'strings' and 'grep' utilities to look for the keywords
strings ram_image.img | grep sex > results.txt
When I looked in the results.txt file, I found loads of keywords with the word 's*x' in them. There were URLs to websites of a pornographic nature and various other words. I was really confused because the laptop is only three weeks old and I have never been to sites like that.
I then thought that maybe my machine had some spyware on it so I used Ad-Aware and SpyBot and found nothing apart from a couple of tracking cookies.
After speaking to a friend of mine, he suggested that the keywords I found in memory were possibly from my anti-virus software which makes perfect sense to me.
The reason I'm writing this is firstly to see what other people's thoughts on this are. Do you think it was the anti-virus software that contained these keywords? And secondly, if like me you didn't know about this, it could easily lead you down the wrong path if you were checking someone's computer and found keywords like that.
First let me say that finding instances of keywords isn't enough to call it a forensic examination. Keyword searches just lead me into the files or areas that need deeper analysis. The word s*x could appear in any number of ways from baby documents to medical texts. So, you have to uncover the file, context and usage before keyword hits actually produce something. I think it's a large percentage of keyword hits on common words that turn out to be of no interest.
For example, if somebody keyworded this post it would find s*x, hits, words that could apply to sinister things or innocent things.
All that said, what a/v are you using? I'd like to load it up and check memory against it to see if that is indeed where they arose from.
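As an added example (not code from anyone in this thread): a Python reproduction of the strings | grep step from the original post that keeps each hit's byte offset and tags the kind of string it sits in, so a hit inside a URL, a shortcut path or a signature-style name can be told apart before anything is read into it. The image bytes and the signature-style name are constructed, not real capture data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed stand-in for a raw memory image: printable runs separated by
# non-printable bytes, as strings(1) would see them. Not a real capture.
SAMPLE_IMAGE = (
    b"\x00\x00kernel32.dll\x00\x00"
    b"http://example.test/sex-toys/index.html\x00\x90\x90"
    b"C:\\Documents and Settings\\user\\Favourites\\toys for sex.url\x00\x00"
    b"Troj/SexSample-A\x00"                 # constructed, signature-style name
    b"\x00MSO\x01sexagenarian notes.doc\x00"
    b"Sophos\x00\x00"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # strings(1) default: >= 4 chars

@dataclass
class Hit:
    offset: int
    text: str
    kind: str

def classify(s: str) -> str:
    """Rough provenance hint for a hit; refine by hand before drawing conclusions."""
    if re.match(r"https?://", s, re.I):
        return "url"
    if re.match(r"[A-Za-z]:\\", s) or s.lower().endswith(".url"):
        return "path"
    if re.match(r"[A-Za-z0-9]+/[A-Za-z0-9-]+-[A-Z]$", s):
        return "signature-like"   # vendor-style Family/Name-Variant pattern
    return "other"

def extract_strings(data: bytes):
    """Yield (offset, text) for every printable ASCII run, like strings(1)."""
    for m in PRINTABLE_RUN.finditer(data):
        yield m.start(), m.group().decode("ascii")

def keyword_hits(data: bytes, keyword: str, whole_word: bool = False) -> list[Hit]:
    """strings | grep equivalent that keeps the file offset and a context label."""
    pat = re.compile((r"\b%s\b" if whole_word else r"%s") % re.escape(keyword), re.I)
    return [Hit(off, s, classify(s)) for off, s in extract_strings(data) if pat.search(s)]

if __name__ == "__main__":
    for h in keyword_hits(SAMPLE_IMAGE, "sex"):
        print(f"0x{h.offset:08x} [{h.kind:14}] {h.text}")
```

With whole_word=True the substring hits inside "sexagenarian" and the signature-style name drop out, which is the kind of triage the thread is describing.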
Thanks for that. There were hundreds of hits which contained the string 's*x' but I ignored all those.
I didn't really want to write the phrases that I found but they are definitely of a pornographic website nature. A couple of examples are
favourites\toys for s*x.url
I also found the string in a load of virus names which is also why I thought it made sense that these are in the anti-virus software. A couple of these were
The anti-virus I am using is Sophos.
The .ocx is an ActiveX control. Looks like it came from a website or an event attached to a website.