
Information
Category Name: Brave
Files: c49-AfricanFalls2.zip (1.2 GB), containing:
– 20210430-Win10Home-20H2-64bit-memdump.mem (4.5 GB)
My Recommendations
This is my personal preference: I like being organized and deleting a folder when I’m done with it.
mkdir Documents/CyberDefenders/Brave && cd Documents/CyberDefenders/Brave
Download it from CyberDefenders and verify the file with sha1sum:
sha1sum /path/to/c49-AfricanFalls2.zip
SHA1: fa02a505471aeb89172f89cb27dd4e2eea14bb9e
Then extract it with the provided password.
Volatility 3: verify that it is installed (if you are using a Remnux/SIFT VM) with:
vol3 -h
Walkthrough
1. What time was the RAM image acquired according to the suspect system?
(YYYY-MM-DD HH:MM:SS)
To get the basic information about a memory dump, volatility3 has a plugin called ‘windows.info.Info’:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.info.Info
Answer: 2021-04-30 17:52:19
2. What is the SHA256 hash value of the RAM image?
Using sha256sum:
sha256sum 20210430-Win10Home-20H2-64bit-memdump.mem
Answer: 9db01b1e7b19a3b2113bfb65e860fffd7a1630bdf2b18613d206ebf2aa0ea172
3. What is the process ID of "brave.exe"?
Using the pslist plugin:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.pslist.PsList
The first number is the process ID and the second number is the parent process ID.
Answer: 4856
4. How many established network connections were there at the time of acquisition? (number)
Network information can be found with the netscan plugin. To filter for established connections, we can use grep on the output like so:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.netscan.NetScan | grep 'ESTABLISHED'
There were ten established connections at the time of acquisition.
Answer: 10
5. What FQDN does Chrome have an established network connection with?
From the output above, Chrome had only one established connection, with the foreign address 185.70.41.130.
Looking up this address in IPAddresses shows it belongs to Proton AG in Switzerland; the domain name is protonmail.ch.
Answer: protonmail.ch
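Rather than grepping the netscan output by hand, the same two questions can be answered with a small parser. This is an added example, not code from the original post; the sample rows are constructed in the column layout of `windows.netscan.NetScan` and are not lines from the challenge image.

```python
from collections import defaultdict

# Constructed sample in the column layout of `windows.netscan.NetScan`
# (Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created).
# Offsets, local addresses and non-Proton foreign addresses are made up.
SAMPLE = """\
Offset  Proto  LocalAddr  LocalPort  ForeignAddr  ForeignPort  State  PID  Owner  Created
0xc00a1b2c3d40  TCPv4  10.0.2.15  49712  185.70.41.130  443  ESTABLISHED  5240  chrome.exe  2021-04-30 17:49:02.000000
0xc00a1b2c4e50  TCPv4  10.0.2.15  49720  192.0.2.10  443  ESTABLISHED  4856  brave.exe  2021-04-30 17:50:11.000000
0xc00a1b2c5f60  TCPv4  10.0.2.15  49721  192.0.2.11  443  ESTABLISHED  4856  brave.exe  2021-04-30 17:50:12.000000
0xc00a1b2c6a70  TCPv4  10.0.2.15  49730  198.51.100.7  80  CLOSE_WAIT  4856  brave.exe  2021-04-30 17:45:00.000000
0xc00a1b2c7b80  TCPv4  0.0.0.0  135  0.0.0.0  0  LISTENING  912  svchost.exe  2021-04-30 17:39:30.000000
0xc00a1b2c8c90  UDPv4  0.0.0.0  137  *  0  N/A  4  System  2021-04-30 17:39:31.000000
"""

def parse_netscan(text):
    """Yield one dict per data row; the header and short lines are skipped.

    Splitting on whitespace is safe because Volatility prints N/A for
    missing fields, so every row has the same leading column positions.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] == "Offset":
            continue
        yield {"proto": parts[1], "local": f"{parts[2]}:{parts[3]}",
               "foreign": parts[4], "fport": parts[5],
               "state": parts[6], "pid": parts[7], "owner": parts[8]}

def established(text):
    """Rows in the ESTABLISHED state (question 4 asks for how many there are)."""
    return [r for r in parse_netscan(text) if r["state"] == "ESTABLISHED"]

def foreign_by_owner(text):
    """Map process name -> sorted foreign endpoints (question 5: what is Chrome talking to?)."""
    out = defaultdict(set)
    for r in established(text):
        out[r["owner"]].add(f"{r['foreign']}:{r['fport']}")
    return {owner: sorted(eps) for owner, eps in out.items()}

if __name__ == "__main__":
    print(len(established(SAMPLE)), "established connections")
    for owner, eps in foreign_by_owner(SAMPLE).items():
        print(f"{owner}: {', '.join(eps)}")
```

Pipe the real plugin output into `parse_netscan` (for example via `sys.stdin.read()`) to run it against the challenge image.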
6. What is the MD5 hash value of process memory for PID 6988?
You can dump a process with volatility using the pslist plugin and adding the --dump flag at the end. First create an output directory, then dump the process:
mkdir pid6988
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem -o pid6988/ windows.pslist.PsList --pid 6988 --dump
Now we just need to calculate its MD5 hash value:
md5sum pid6988/pid.6988.0x1c0000.dmp
Answer: 0b493d8e26f03ccd2060e0be85f430af
7. What is the word starting at offset 0x45BE876 with a length of 6 bytes?
Using xxd and the --seek option to specify the starting offset:
xxd --seek 0x45BE876 20210430-Win10Home-20H2-64bit-memdump.mem | less
The first 6 bytes at this offset are ‘hacker’ in ASCII.
Answer: hacker
8. What is the creation date and time of the parent process of "powershell.exe"? (YYYY-MM-DD HH:MM:SS)
To see the process hierarchy, Volatility3 has the pstree plugin:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.pstree.PsTree
The parent PID is 4352, which is explorer.exe. That process was created on 2021-04-30 at 17:39:48.
Answer: 2021-04-30 17:39:48
9. What is the full path and name of the last file opened in notepad?
There are multiple ways to get the answer. The first is to use the cmdline plugin:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.cmdline.CmdLine | grep notepad
From my understanding, everything you do and every program you execute on Windows is first executed via ‘cmd.exe’. Here, we can see that notepad opened a file called ‘accountNum’:
Another way to find the last file opened by notepad is by dumping the process memory.
Using the pslist plugin, you can find that the PID of notepad.exe is 2520.
Dumping the process with the pslist plugin (like in question 6) wouldn’t give us the juicy data we are looking for: the pslist plugin dumps the executable image itself. To dump all the memory associated with the process (its memory-resident pages, in fancy terms), we should use the memmap plugin.
mkdir notepad
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem -o notepad/ windows.memmap.Memmap --pid 2520 --dump
From previous CTFs, I remembered that the last things written in Notepad.exe can be found with ‘strings’. Moreover, the act of opening a file is recorded as “C:\path\to\executable\” followed by the filename:
strings notepad/pid.2520.dmp | grep 'NOTEPAD.EXE'
The first line is our answer!
Answer: C:\Users\JOHNDO~1\AppData\Local\Temp\7zO4FB31F24\accountNum
10. How long did the suspect use Brave browser? (hh:mm:ss)
My first instinct was to look at the pslist plugin’s CreateTime and ExitTime for brave.exe. But I was awfully wrong:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.pslist.PsList --pid 4856
Registry keys provide much more detailed information about process executions. The userassist plugin parses the UserAssist key in the ntuser.dat hive, which records the actual time the Brave browser was used:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.registry.userassist.UserAssist
The UserAssist key shows the actual length of time Brave was used.
Answer: 04:01:54
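The focus time the plugin reports comes from the raw UserAssist value, so it is worth knowing what the plugin is decoding. This is an added example, not code from the post: it decodes a constructed Windows 7+ UserAssist value (ROT13 name, 72-byte binary data) into run count, focus count, focus time in the challenge's hh:mm:ss format and last-executed time. The executable path and the counts are made up; the field offsets are those of the Win7+ layout used by the Volatility userassist plugins.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7+ UserAssist value layout (72 bytes): session id @0, run count @4,
# focus count @8, focus time in milliseconds @12, ten floats @16,
# last-executed FILETIME @60, 4 unknown bytes @68.
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    td = dt - _EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def hms(ms):
    """Format a millisecond focus time as hh:mm:ss, the challenge's answer format."""
    s = ms // 1000
    return f"{s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"

def decode_userassist(rot13_name, raw):
    if len(raw) < 68:
        raise ValueError("too short for a Win7+ UserAssist value")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", raw, 4)
    (last_ft,) = struct.unpack_from("<Q", raw, 60)
    return {
        "path": codecs.decode(rot13_name, "rot_13"),  # value names are ROT13-obfuscated
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": hms(focus_ms),
        "last_executed": filetime_to_dt(last_ft) if last_ft else None,
    }

# Constructed sample (not bytes from the challenge image): 04:01:54 of focus time.
_PATH = r"C:\Users\johndoe\AppData\Local\BraveSoftware\Brave-Browser\Application\brave.exe"
_LAST = datetime(2021, 4, 30, 17, 52, 0, tzinfo=timezone.utc)
SAMPLE_NAME = codecs.encode(_PATH, "rot_13")
SAMPLE_VALUE = (struct.pack("<IIII", 0, 3, 27, 14_514_000) + b"\x00" * 44
                + struct.pack("<Q", dt_to_filetime(_LAST)) + b"\x00" * 4)

if __name__ == "__main__":
    for field, value in decode_userassist(SAMPLE_NAME, SAMPLE_VALUE).items():
        print(f"{field:>14}: {value}")
```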
TLDR
– Memory Forensics challenge that only needs volatility3 to be solved.