My Recommendations
This is my personal preference: I like being organized and deleting a folder when I’m done with it.
mkdir Documents/TryHackMe/Forensics && cd Documents/TryHackMe/Forensics
Download it from the room, and then verify the file hash:
md5sum victim.raw
MD5 hash: ba44c4b977d28132faeb5fb8b06debce
Volatility for Python2 and Python3 is all you need to solve this category:
vol.py -h
vol3 -h
If this doesn’t work, then install it following these instructions.
For Volatility2 you need to specify a profile. You can find it by doing:
vol.py -f Snapshot6.vmem imageinfo
Walkthrough
Task 1: Volatility forensics
1. What is the Operating System of this Dump file? (OS name)
Using imageinfo plugin:
vol.py -f victim.raw imageinfo
All the returned profiles point to a machine running Windows.
Answer: Windows
2. What is the PID of SearchIndexer?
Using the pslist plugin:
vol.py -f victim.raw --profile=Win7SP1x64 pslist
The PID of SearchIndexer.exe is 2180.
Answer: 2180
3. What is the last directory accessed by the user?
The registry stores important information about the user’s file access history. We can dump the UsrClass.dat hive and then analyze it with RegRipper. First, we need to find the virtual offset of the hive:
vol.py -f victim.raw --profile=Win7SP1x64 hivelist
Next, we dump the hive and run RegRipper with the shellbags_tln plugin. Note that the plugin doesn’t print the entries in chronological order, so we pipe the output to sort to order them by timestamp:
vol.py -f victim.raw --profile=Win7SP1x64 dumpregistry -o 0xfffff8a00104e010 --dump-dir=.
rip.pl -p shellbags_tln -r registry.0xfffff8a00104e010.UsrClassdat.reg | sort -k1 -n -t,
The last folder opened by the user is 'deleted_files'.
Answer: deleted_files
Task 2: Task2
1. There are many suspicious open ports; which one is it?
Since the system is infected, we first check which processes malfind flags:
vol.py -f victim.raw --profile=Win7SP1x64 malfind | grep Process
Now we can run the netscan plugin and grep its output for those PIDs. Only PID 2464 (wmpnetwk.exe) is returned:
Answer: udp:5005
2. Vads tag and execute protection are strong indicators of malicious processes; can you find which they are?
The answer is the PIDs returned by malfind:
Answer: 1860;1820;2464
Task 3: IOC SAGA
In the previous task you identified malicious processes, so let’s dig into them and find some Indicators of Compromise (IOCs). You just need to find them and fill in the blanks (you may search for them on VirusTotal to discover more details).
We can dump the VADs of the infected PIDs into a new directory and then use strings to find the correct URLs:
vol.py -f victim.raw --profile=Win7SP1x64 vaddump -p 1860,1820,2464 -D malware/
strings malware/* | grep [regex]
The Answers are:
– http://www.goporn.ru
– http://www.ikaka.com
– http://www.icsalabs.com
– 202.107.233.211
– 209.200.12.164
– 209.190.122.186
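The malfind, netscan, vaddump and strings steps from Tasks 2 and 3 chained together, as an added helper script that is not part of the original walkthrough; the function names and the sample outputs are my own constructions, shaped like Volatility2 output rather than taken from victim.raw:

```shell
#!/bin/sh
# Added helper script (not from the walkthrough) gluing the malfind, netscan,
# vaddump and strings steps. Sample outputs below are constructed in the shape
# of Volatility2 output; nothing here is taken from victim.raw.
export LC_ALL=C

MALFIND_SAMPLE='Process: svchost.exe Pid: 1860 Address: 0x1f80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Process: svchost.exe Pid: 1860 Address: 0x2a90000
Process: explorer.exe Pid: 1820 Address: 0x3ff0000
Process: wmpnetwk.exe Pid: 2464 Address: 0x400000'

# Columns: Offset Proto LocalAddr ForeignAddr [State] Pid Owner
NETSCAN_SAMPLE='0x1ab23c10 UDPv4 0.0.0.0:5005 *:* 2464 wmpnetwk.exe
0x1ab44f00 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System
0x1ab56d80 TCPv4 192.168.1.10:49153 10.0.0.5:443 ESTABLISHED 1234 chrome.exe'

STRINGS_SAMPLE='kernel32.dll
GET http://www.ikaka.com/ HTTP/1.1
connect 202.107.233.211:80
build 6.1.7601'

# Unique PIDs from malfind output (stdin), sorted and comma-joined for "vaddump -p".
extract_malfind_pids() {
    sed -n 's/.*Pid: \([0-9][0-9]*\).*/\1/p' | sort -n | uniq | paste -sd, -
}

# Keep only netscan lines whose PID field is in the comma-joined list $1. The PID is
# the only all-digit field, so this avoids a bare grep for "2464" hitting a port number.
filter_by_pids() {
    awk -v pids="$1" '
        BEGIN { n = split(pids, a, ","); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/ && ($i in want)) { print; break } }'
}

# URLs and dotted-quad IPv4 addresses from strings output (stdin), de-duplicated.
extract_iocs() {
    grep -Eow 'https?://[A-Za-z0-9._-]+|([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# With a real image the functions sit behind the walkthrough's vol.py commands:
#   PIDS=$(vol.py -f victim.raw --profile=Win7SP1x64 malfind | extract_malfind_pids)
#   vol.py -f victim.raw --profile=Win7SP1x64 netscan | filter_by_pids "$PIDS"
#   vol.py -f victim.raw --profile=Win7SP1x64 vaddump -p "$PIDS" -D malware/
#   strings malware/* | extract_iocs
# Offline demo on the constructed samples:
PIDS=$(printf '%s\n' "$MALFIND_SAMPLE" | extract_malfind_pids)
printf '%s\n' "$NETSCAN_SAMPLE" | filter_by_pids "$PIDS"
printf '%s\n' "$STRINGS_SAMPLE" | extract_iocs
```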
For the last question, we can check the environment variables of PID 2464:
vol.py -f victim.raw --profile=Win7SP1x64 envars -p 2464
The only variable that isn’t in any other PID is OANOCACHE.
Answer: OANOCACHE
TLDR
– This challenge is another great introduction to memory forensics.
– It’s relatively easy and doesn’t require any tools beyond Volatility2.
