Memory Forensics with Volatility

Description

This capture-the-flag room is called “Forensics” and can be found on . In this room you analyze a memory dump of a compromised host.

Volatility Forensics

Task 1

After downloading the memory dump we can start our analysis. To get information about the operating system the dump was taken from, we can use the imageinfo plugin, which suggests suitable Volatility profiles:

volatility -f victim.raw imageinfo
Output of the imageinfo plugin

The suggested profile is Win7SP1x64, so the victim runs Windows 7 SP1 (64-bit). This profile is passed to every later command with --profile.

To list the running processes and their PIDs we can use the pslist plugin, which walks the kernel's active process list:

vol.py -f victim.raw --profile=Win7SP1x64 pslist

SearchIndexer.exe is a legitimate Microsoft Windows executable. The Windows Search service it implements provides content indexing, property caching, and search results for files, e-mail, and other content (https://www.file.net/process/searchindexer.exe.html).

Shellbags are registry artifacts (the BagMRU and Bags keys in NTUSER.DAT and UsrClass.dat) that store the folder view settings of Windows Explorer. Because an entry is written when a folder is browsed, they also record which directories the user opened and when, including folders on network or removable drives and folders that have since been deleted. Volatility has a plugin for this purpose:

vol.py -f victim.raw --profile=Win7SP1x64 shellbags

From the registry keys the plugin recovers, we can determine that the directory Z:\logs\deleted_files was the last one accessed:

Output of the shellbags plugin

Task 2

Next we will analyze the network artifacts. The netscan plugin scans the image for TCP and UDP endpoints and connections (listening, established, and closed ones whose structures are still in memory) together with the owning process:

vol.py -f victim.raw --profile=Win7SP1x64 netscan
Output of the netscan plugin

Among them, one process stands out as suspicious: wmpnetwk.exe with PID 2464.

To find processes with memory regions (VADs) whose protection is PAGE_EXECUTE_READWRITE and that are not backed by a file on disk, a typical sign of injected code, we can use the malfind plugin:

vol.py -f victim.raw --profile=Win7SP1x64 malfind
Output of the malfind plugin

This reports the following PIDs: 1860, 1820, 2464. The plugin also hexdumps and disassembles the first bytes of each region, so an MZ header or a shellcode-like prologue can be spotted directly. PID 2464 appearing here as well as in the netscan output strengthens the suspicion.

IOC SAGA

Next we dump the memory of the suspicious processes for further analysis. memdump writes every page accessible to the process (not only its executable image) into a single <PID>.dmp file; the command below does this for PID 1820 and is repeated for 1860 and 2464:

vol.py -f victim.raw --profile=Win7SP1x64 memdump -p 1820 --dump-dir=./
Dumped files

The next questions can be answered by running strings over the dumps and grepping the output with regular expressions for URLs and IP addresses. Note that strings only extracts ASCII by default; Windows processes hold many UTF-16LE strings, so run strings -el over the dumps as well:

Grepping for the URLs
Grepping for the IP
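The same extraction can be scripted so that it also covers the UTF-16LE strings a plain strings run misses. The following Python is an added example and is not part of the original write-up or of Volatility; the sample dump bytes are constructed here to stand in for a real <PID>.dmp file, and the minimum string length of 6 is an assumption.

```python
import re
import sys
from typing import Iterator, List

# Added example for this write-up, not part of the original post or of
# Volatility. It reproduces `strings | grep -E` in Python and additionally
# recovers UTF-16LE (wide) strings, which `strings` only finds with `-el`.

MIN_LEN = 6  # assumption: same cut-off as `strings -n 6`

# Printable ASCII runs, and UTF-16LE runs (printable byte followed by NUL).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# http(s) URLs; the class holds the usual unreserved and reserved URL
# characters, so a match stops at whitespace and at the string boundary.
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# IPv4 dotted quads with each octet limited to 0-255, not glued to other
# digits or dots (so 999.1.1.1 and 10.0.0.256 are rejected).
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(r"(?<![\d.])" + OCTET + r"(?:\." + OCTET + r"){3}(?![\d.])")

# Constructed stand-in for a memdump output file (e.g. 2464.dmp): binary
# noise mixed with ASCII strings and one UTF-16LE string, as a Windows
# process image would contain.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"GET http://example.com/update.php HTTP/1.1\x00\x00"
    + b"\xff\xfe junk https://files.example.org/payload.bin\x00"
    + b"Host: 203.0.113.10\x00\x00\x00\x00"
    + "http://wide.example.net/beacon".encode("utf-16-le") + b"\x00\x00"
    + b"\x00version 1.2.3.4-beta\x00 198.51.100.7:443\x00"
    + b"bogus 999.1.1.1 and 10.0.0.256\x00"
)


def extract_strings(data: bytes) -> Iterator[str]:
    """Yield ASCII and UTF-16LE printable runs of at least MIN_LEN characters."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def find_urls(data: bytes) -> List[str]:
    """Unique http(s) URLs found in any extracted string, sorted."""
    hits = set()
    for s in extract_strings(data):
        hits.update(URL_RE.findall(s))
    return sorted(hits)


def find_ips(data: bytes) -> List[str]:
    """Unique well-formed IPv4 addresses found in any extracted string, sorted."""
    hits = set()
    for s in extract_strings(data):
        hits.update(IPV4_RE.findall(s))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python find_iocs.py 2464.dmp  (falls back to the sample bytes)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print("URLs:", *find_urls(blob), sep="\n  ")
    print("IPv4:", *find_ips(blob), sep="\n  ")
```

Run it against the file the memdump plugin wrote. The lookbehind and lookahead keep malformed quads such as 999.1.1.1 and 10.0.0.256 out, but a version string like 1.2.3.4 still matches the IPv4 pattern, so the hit list needs a manual look before anything is declared an IOC. On the command line, strings -n 6 2464.dmp and strings -n 6 -el 2464.dmp produce the same two string sets that extract_strings yields.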

To get the environment variables of a process (PATH, TEMP, USERNAME and so on, which often reveal the account and working directory a malicious process ran under) you can use the envars plugin:

vol.py -f victim.raw --profile=Win7SP1x64 envars -p 2464
Output of the envars plugin
