This capture-the-flag room is called “Forensics” and can be found on TryHackMe. In this room you have to analyze a memory dump of a compromised host.
After downloading the memory dump we can start our analysis. To get information about the running OS we can use the imageinfo plugin:
volatility -f victim.raw imageinfo
The operating system of the victim is “Windows”.
To find PIDs we can use the pslist plugin:
vol.py -f victim.raw --profile=Win7SP1x64 pslist
Searchindexer.exe is a Microsoft Windows executable. The service provides content indexing, property caching, and search results for files, e-mails, and other content (https://www.file.net/process/searchindexer.exe.html).
Shellbags store the configuration and preferences of the user’s Windows Explorer. They can also be used to determine which directory the user accessed last. Volatility has a plugin for this purpose:
vol.py -f victim.raw --profile=Win7SP1x64 shellbags
Through analysis of the registry keys we can determine that the directory Z:\logs\deleted_files was the last one accessed:
Next we will analyze the network connections. To find open connections we can use the netscan plugin:
vol.py -f victim.raw --profile=Win7SP1x64 netscan
This reveals a suspicious process: wmpnetwk.exe with PID 2464.
To find executables whose VAD protection is set to READ WRITE, we can use the malfind plugin:
vol.py -f victim.raw --profile=Win7SP1x64 malfind
This will give us the following PIDs: 1860, 1820, 2464.
Next we will dump the suspicious executables’ memory for further analysis:
vol.py -f victim.raw --profile=Win7SP1x64 memdump -p 1820 --dump-dir=./
The next questions can be answered by grepping the dump for URLs and IP addresses with regular expressions:
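The grep step above, as an added example that is not from the original write-up: a small Python script that pulls URLs and IPv4 addresses out of a memdump file (the file name 1820.dmp and the sample bytes are assumptions), covering both ASCII and UTF-16LE strings, which a plain `strings | grep` would miss, and dropping regex hits whose octets are out of range.

```python
"""Pull URL and IPv4 indicators out of a Volatility memdump (e.g. 1820.dmp).
Added example: mimics `strings` and `strings -el` (Windows keeps much text as
UTF-16LE, which a plain `strings | grep` misses), then validates IPv4 octets."""
import re
import sys

# Printable runs of 4+ chars, ASCII (like `strings`) and UTF-16LE (`strings -el`).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
IPV4_RE = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")

def printable_strings(data: bytes):
    """Yield every ASCII and UTF-16LE string of 4+ characters as plain bytes."""
    for m in ASCII_RUN.finditer(data):
        yield m.group()
    for m in WIDE_RUN.finditer(data):
        yield m.group().replace(b"\x00", b"")  # drop the interleaved NULs

def valid_ipv4(candidate: bytes) -> bool:
    """Reject regex hits such as 300.400.500.600 (version strings, counters)."""
    return all(int(octet) <= 255 for octet in candidate.split(b"."))

def extract_indicators(data: bytes) -> dict:
    """Return sorted, de-duplicated URLs and IPv4 addresses found in the dump."""
    urls, ips = set(), set()
    for s in printable_strings(data):
        urls.update(u.decode() for u in URL_RE.findall(s))
        ips.update(ip.decode() for ip in IPV4_RE.findall(s) if valid_ipv4(ip))
    return {"urls": sorted(urls), "ipv4": sorted(ips)}

# Constructed sample standing in for a slice of process memory: an ASCII URL, a
# UTF-16LE URL, an ASCII IP, a UTF-16LE IP and a version string that only looks
# like an IP.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00junk"
    + b"http://example.com/update.php?id=1\x00\x00"
    + "https://wide.example.net/c2".encode("utf-16-le") + b"\x00\x00"
    + b"10.0.2.15\x00\x00" + "192.168.56.101".encode("utf-16-le")
    + b"\x00\x00version 300.400.500.600\x00"
)

if __name__ == "__main__":
    # Usage: python extract_iocs.py 1820.dmp  (falls back to the sample bytes)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for kind, values in extract_indicators(blob).items():
        print(kind, *values, sep="\n  ")
```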
To get the environment variables of a process you can use the envars plugin:
vol.py -f victim.raw --profile=Win7SP1x64 envars -p 2464