MF1.10 Interactive Lab — Baseline Capture and Analysis

6 hours · Module 1 · Free
Interactive Lab

This lab brings everything from MF1 together in one exercise. You'll capture memory from both Target-Win and Target-Linux using the methods covered in MF1.2-1.4, run foundational Volatility 3 analysis commands against both captures, and document the results as the reference state the paid modules compare against.

If you completed MF1.9's baseline procedure, you already have both images and both acquisition records. This lab adds the analysis layer: running core Volatility 3 commands against each baseline to produce a reference document that says "this is what the clean system looks like in Volatility output." When MF2 shows you the compromised system, you'll compare against this document to isolate the attack's footprint.

Deliverable: A baseline analysis document for each target VM containing the output of core Volatility 3 commands: windows.info / linux.banner, pslist, netscan / linux.sockstat, dlllist (Windows), linux.lsmod (Linux). These outputs are your "known-good" reference for every subsequent module.

Estimated completion: 45 minutes

Lab exercise — Windows baseline analysis

Run these commands against your Target-Win clean baseline image. Record the output in a document alongside your MF1.6 acquisition record.

Command 1 — System identification. vol -f target-win-clean-baseline.vmem windows.info. Confirm the Kernel Base, KernelFileVersion, SystemTime, and KeNumberProcessors match expectations. This is the reference for every subsequent windows.info run — you'll compare future captures against these specific values.

Command 2 — Process listing. vol -f target-win-clean-baseline.vmem windows.pslist. Record the full output. Count the total processes. Identify the core Windows process tree: System → smss → csrss, wininit → services → svchost instances, winlogon → dwm, explorer. The process tree on a clean Windows 11 system follows a predictable pattern — deviations from this pattern in MF2+ captures are the first indicator of compromise.

Command 3 — Network connections. vol -f target-win-clean-baseline.vmem windows.netscan. On a clean VM with no user activity, expect: system-level connections (svchost listening on standard ports), possibly Defender telemetry connections, and the host-only network adapter's DHCP/ARP traffic. Record every connection. In MF2+, any connection not in this baseline list is either new legitimate traffic or attacker C2 — the baseline tells you which is which.

Command 4 — Loaded DLLs. vol -f target-win-clean-baseline.vmem windows.dlllist --pid <explorer PID>. Pick Explorer's PID from the pslist output and dump its loaded DLLs. The DLL list for Explorer on a clean system is your reference for detecting DLL injection (MF2) — an injected DLL appears in the compromised capture's dlllist but not in this baseline.

Lab exercise — Linux baseline analysis

Run these commands against your Target-Linux clean baseline image.

Command 1 — System identification. vol -f target-linux-clean-baseline.lime linux.banner. Confirm the kernel version matches uname -r from Target-Linux. This is the reference for every subsequent Linux analysis.

Command 2 — Process listing. vol -f target-linux-clean-baseline.lime linux.pslist. Record the full output. Identify the init system (systemd, PID 1) and the service tree. A clean Ubuntu 22.04 server runs SSH, systemd-journald, systemd-logind, and a handful of system services. The process count is typically 60-120.

Command 3 — Network connections. vol -f target-linux-clean-baseline.lime linux.sockstat. On a clean server, expect: sshd listening on port 22, systemd-resolved on port 53 (local DNS), and possibly DHCP client traffic. Record every listening socket and established connection.

Command 4 — Loaded kernel modules. vol -f target-linux-clean-baseline.lime linux.lsmod. Record the full module list. In MF7 (Linux Attack), an LKM rootkit appears as a new module in the compromised capture that doesn't exist in this baseline.
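As an added example (not part of the course lab pack or of Volatility's own tooling), the following Python script shows the comparison that both the Windows and Linux exercises above are building toward: it parses saved Volatility 3 text output and lists process/parent pairs that appear in a later capture but never in the clean baseline. It assumes vol3's default tab-separated text renderer and uses constructed sample rows rather than real capture output; the same new_entries() call works for netscan, sockstat or lsmod output by choosing different key columns.

```python
"""Diff Volatility 3 table output: rows in a later capture that the clean baseline never showed.
Works for any vol3 plugin that prints a tab-separated table (pslist, netscan, sockstat, lsmod)."""
from typing import Dict, List, Sequence

Row = Dict[str, str]
NAME_COLS = ("ImageFileName", "COMM")  # process-name column in windows.pslist / linux.pslist

def parse_vol3_table(text: str) -> List[Row]:
    """Parse vol3's default text renderer (assumed layout): banner and progress lines,
    then a tab-separated header row followed by tab-separated data rows."""
    header, rows = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Volatility 3", "Progress:")):
            continue
        cells = [c.strip() for c in line.split("\t")]
        if not header:
            header = cells
        elif len(cells) == len(header):  # skip wrapped or truncated lines
            rows.append(dict(zip(header, cells)))
    return rows

def add_parent_names(rows: List[Row]) -> List[Row]:
    """For process listings, add Name and ParentName by resolving PPID inside the same capture.
    PIDs and offsets differ between boots, so the comparison keys on names, not numbers."""
    name_col = next((c for c in NAME_COLS if rows and c in rows[0]), None)
    if name_col is None or not {"PID", "PPID"} <= set(rows[0]):
        return rows  # not a process listing: nothing to annotate
    by_pid = {r["PID"]: r[name_col] for r in rows}
    return [dict(r, Name=r[name_col], ParentName=by_pid.get(r["PPID"], "?")) for r in rows]

def new_entries(baseline: str, capture: str, key_cols: Sequence[str]) -> List[Row]:
    """Rows of `capture` whose key (tuple of key_cols) never occurs in `baseline`."""
    def keyed(text):
        return [(tuple(r[c] for c in key_cols), r) for r in add_parent_names(parse_vol3_table(text))]
    known = {k for k, _ in keyed(baseline)}
    return [r for k, r in keyed(capture) if k not in known]

def _table(rows: List[List[str]]) -> str:  # constructed sample in vol3 layout, not a real capture
    return "\n".join(["Volatility 3 Framework 2.x", "Progress:  100.00\t\tPDB scanning finished",
                      "PID\tPPID\tImageFileName"] + ["\t".join(r) for r in rows])
BASELINE_PSLIST = _table([["4", "0", "System"], ["320", "4", "smss.exe"], ["400", "320", "csrss.exe"],
    ["480", "320", "wininit.exe"], ["600", "480", "services.exe"], ["700", "600", "svchost.exe"],
    ["1500", "1400", "explorer.exe"]])
# Later capture: PIDs shifted, a second svchost under services.exe (expected), one unknown child of explorer.
CAPTURE_PSLIST = _table([["4", "0", "System"], ["336", "4", "smss.exe"], ["424", "336", "csrss.exe"],
    ["496", "336", "wininit.exe"], ["620", "496", "services.exe"], ["744", "620", "svchost.exe"],
    ["912", "620", "svchost.exe"], ["1580", "1460", "explorer.exe"], ["2200", "1580", "unknown.exe"]])
def suspicious_processes(baseline: str = BASELINE_PSLIST, capture: str = CAPTURE_PSLIST) -> List[str]:
    """Name <- parent pairs present in the capture but absent from the clean baseline."""
    return [f"{r['Name']} <- {r['ParentName']}" for r in new_entries(baseline, capture, ("Name", "ParentName"))]
```

Save each lab command's output to a file (for example with a shell redirect) and feed the baseline and later files to new_entries(); the extra svchost.exe is not reported because its name and parent already exist in the baseline, while unknown.exe under explorer.exe is.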

Self-validation before MF2

Before moving to MF2, confirm you have all of the following. Each item has a section reference if you need to go back.

You should have four files on your analysis workstation: target-win-clean-baseline.vmem (or .raw), target-linux-clean-baseline.lime (or .vmem), and their SHA-256 hashes recorded in your acquisition records.

You should have two VM snapshots: MF1-clean-baseline (Target-Win) and MF1-clean-baseline-linux (Target-Linux), both named and dated.

You should have two completed acquisition records (MF1.6 template) with all structural checks (MF1.6) and smear assessments (MF1.7) documented.

You should have the baseline analysis document from this lab with the output of core Volatility 3 commands against both images.

If any of these are missing, the specific section that covers the gap is referenced above. Complete the gap before starting MF2 — the paid modules assume all four artifacts exist and are documented.

You've set up the lab and captured your first clean baselines.

MF0 built the three-VM lab and established the memory forensics landscape. MF1 taught acquisition with WinPmem and LiME, integrity verification, and chain of custody. From here, you execute attacks and investigate what they leave behind.

  • 8 attack modules (MF2–MF9) — process injection, credential theft, fileless malware, persistence, kernel drivers, Linux rootkits, timeline construction, and a multi-stage capstone
  • You run every attack yourself — from Kali against your target VMs, then capture memory and investigate your own attack's artifacts with Volatility 3
  • MF9 Capstone — multi-stage chain (initial access → privilege escalation → credential theft → persistence → data staging), three checkpoint captures, complete investigation report
  • The lab pack — PoC kernel driver and LKM rootkit source code, setup scripts, 21 exercises, 7 verification scripts, investigation report templates
  • Cross-platform coverage — Windows and Linux memory analysis in one course, with the timeline module integrating evidence from both