TryHackMe: Memory Forensics

Siddhesh Parab
Jun 14, 2022

In my previous story, we got our hands on the well-known memory forensics framework Volatility. Today, we will solve a great TryHackMe room called Memory Forensics. The room walks us through performing memory forensics on a captured memory dump and extracting as much information as possible to help with further investigation.

[Task1]: Introduction

This task has nothing to solve; it just suggests that we learn the basics of Volatility and memory forensics before moving forward in this room. We have already completed that room in my previous story.

[Task2]: Dumping & Cracking Hashes

The first and foremost step when analyzing a memory dump with Volatility is to determine which profile to use. To analyze a memory dump, we need to know the operating system, service pack number, and build number of the system whose memory was captured. This is because Volatility treats the memory dump of each profile differently, so choosing the correct profile is necessary to get accurate output.

But when performing forensics on a memory dump, it is hard to determine the exact system information. To get around this, Volatility contains a built-in module/plugin called “KDBGScan”, which can predict the system version of the memory dump.

Let's check which profiles Volatility suggests to us, using the imageinfo plugin.

volatility -f Snapshot6.vmem imageinfo

We will move ahead using the Win7SP1x64 profile.

(#1) What is John’s password?

Memory dumps can contain the password hashes of a system. These are not the actual clear-text passwords, but one can try to crack the hashes using dictionary-based attacks. Volatility has a plugin called hashdump which can extract hashes from the memory dump.

volatility -f Snapshot6.vmem --profile=Win7SP1x64 hashdump

This gives us the hash of the user “John”. Now, let's try to crack it using John the Ripper. We will use the rockyou.txt wordlist for this.

john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT hash.txt

And within a matter of a few seconds, we successfully cracked the hash of user John and got the password.
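The hashdump plugin prints one pwdump-style record per account (user:rid:LM hash:NT hash:::), and not every record is worth putting into hash.txt. The following is an added example, not part of the original write-up: a small shell helper that reports which accounts have a blank password or a stored LM hash and keeps only the non-blank records. The function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage Volatility hashdump output before spending time on cracking.
# Record format (pwdump): user:rid:lm_hash:nt_hash:::

EMPTY_LM=aad3b435b51404eeaad3b435b51404ee  # LM hash of an empty string (no LM hash stored)
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0  # NT hash of an empty password

# Constructed sample (not taken from the room's dump): banner, four accounts, one bad line.
SAMPLE='Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
labuser:1001:aad3b435b51404eeaad3b435b51404ee:0123456789ABCDEF0123456789abcdef:::
legacy:1002:00112233445566778899aabbccddeeff:0123456789abcdef0123456789abcdef:::
broken:1003:nothex:short:::'

# Shared parser. $1 selects the output: "report" or "nonblank".
_hashdump_awk() {
    awk -F: -v mode="$1" -v elm="$EMPTY_LM" -v ent="$EMPTY_NT" '
        function hex32(s) { return length(s) == 32 && s !~ /[^0-9a-f]/ }
        # Skip the Volatility banner and anything that is not a pwdump record.
        NF < 4 || $2 !~ /^[0-9]+$/ { next }
        {
            lm = tolower($3); nt = tolower($4)
            if (!hex32(lm) || !hex32(nt)) next
            status = (nt == ent) ? "blank-password" : "password-set"
            # A real LM hash is a finding of its own: LM is far weaker than NT.
            if (lm != elm) status = status ",lm-hash-stored"
            if (mode == "report") printf "%s\t%s\t%s\n", $1, $2, status
            else if (nt != ent) print   # original record, usable with --format=NT
        }'
}

# Print "user<TAB>rid<TAB>status" for every well-formed account record on stdin.
triage_hashdump() { _hashdump_awk report; }

# Print only the records whose NT hash is not the empty-password hash.
nonblank_hashes() { _hashdump_awk nonblank; }

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE" | triage_hashdump
```

On a real dump, pipe the hashdump output into `nonblank_hashes > hash.txt` so the banner and blank-password accounts never reach the cracking step.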

[Task3]: Analysis

(#1) When was the machine last shutdown?

Now that they have given us a new memory dump, we need to use the imageinfo plugin again to select the required profile.

volatility -f Snapshot19.vmem imageinfo

Again we will move forward with the Win7SP1x64 profile.

Volatility has a plugin called shutdowntime, with which we can find out when the system was last shut down.

volatility -f Snapshot19.vmem --profile=Win7SP1x64 shutdowntime

(#2) What did John write?

This question asks what John last wrote on the command line or console. For this we can use the consoles plugin, which displays the commands that were executed on the command line.

volatility -f Snapshot19.vmem --profile=Win7SP1x64 consoles

And we found out the flag.

[Task4]: TrueCrypt

(#1) What is the TrueCrypt password?

TrueCrypt is an open-source tool used to encrypt and hide partitions or files. The question itself indicates that the forensic investigator found signs of TrueCrypt in the suspect's memory dump. So, in order to decrypt the files or view the hidden partitions, we need to somehow obtain the TrueCrypt password. For this, Volatility has a built-in plugin called truecryptpassphrase, which can recover the passphrase if it is in memory. Executing the command gives us the required passphrase. In real-world scenarios, this could be a turning point in the investigation, as the forensic expert now has a larger information surface to search for leads. Encrypted material also usually contains things that are important from the investigation's point of view.

volatility -f Snapshot14.vmem --profile=Win7SP1x64 truecryptpassphrase

With this, we complete another great Memory Forensics room by TryHackMe :)