TryHackMe: Memory Forensics

[Task1]: Introduction

This task involves nothing but suggests just us learn the basics of Volatility & memory forensics before we move forward into this room. However, we have already completed that room in my previous story.

[Task2]: Dumping & Cracking Hashes

The first and the foremost step when analyzing a memory dump using Volatility is to know what profile we would be using. In order to analyze a memory dump, we need to know the Operating System, Service Pack number, Build number of the system whose memory is been captured. This is because Volatility treats the memory dump of each profile differently. Also, guessing the correct profile is necessary to get an accurate output.

volatility -f Snapshot6.vmem imageinfo

(#1) What is John’s password?

Memory dumps can contain password hashes on a system. These are not the actual clear-text password, but one can give it try to crack the hashes using dictionary-based attacks. Volatility has a plugin called hashdump which can fetch out hashes from the memory dump.

volatility -f Snapshot6.vmem --profile=Win7SP1x64 hashdump
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT hash.txt

[Task3]: Analysis

(#1) When was the machine last shutdown?

Now that they have given us a new memory dump, using the imageinfo plugin again we need to select the required profile.

volatility -f Snapshot19.vmem imageinfo
volatility -f Snapshot19.vmem --profile=Win7SP1x64 shutdowntime

(#2) What did John write?

This question states, that what was the last command written by John on the command line or console. For this we can use the console plugin which can display the commands that were executed using the command line.

volatility -f Snapshot19.vmem --profile=Win7SP1x64 console

[Task4]: Truecrypt

(#1) What is the TrueCrypt password?

Truecrypt is an open-source tool which used to encrypt & hide partitions or files. The question itself points that the forensics investigator found the indication of Truecrypt on the suspect's memory dump. So, in order to decrypt the files or view the hidden partitions, we need to somehow obtain the Trycrypts password. For this Volatility has an inbuilt plugin called truecryptpassphrase using which can obtain the passphrase if it is in the memory. Moving forward and executing the command we get the required passphrase. In real-world scenarios, this could be a turning point in the investigation, as now the forensics expert has a larger information surface to search leads for. Also usually encrypted things are ought to contain things important from the investigation point of view.

volatility -f Snapshot14.vmem --profile=Win7SP1x64 truecryptpassphrase

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store