From memory to flags

FarisArch
8 min read · Jun 4, 2023

Hellooo, you have all probably heard about memory forensics, but what is it actually?

https://www.varonis.com/blog/memory-forensics

Memory forensics (sometimes referred to as memory analysis) refers to the analysis of volatile data in a computer’s memory dump. Information security professionals conduct memory forensics to investigate and identify attacks or malicious behaviors that do not leave easily detectable tracks on hard drive data.

But then what’s volatile data? To keep it simple, volatile data is the data held temporarily in memory (RAM) while the computer is running. So when the computer shuts off, the volatile data goes with it.

What can we get from volatile data? A lot, actually: browsing history, chat messages, clipboard contents, and more.

So a specialist uses software that captures the current state of memory as a snapshot (a memory dump), and that snapshot is what we use for the analysis.

Today I’ll be showing some basic memory analysis using a lab from MemLabs.

Analysis

My sister’s computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That’s all we remember from the time of crash.

Note: This challenge is composed of 3 flags.

  • Okay, so first off download the labs from MemLabs. Today we’ll be doing the first lab, which is Beginner’s luck.
  • On unzipping the file we get MemoryDump_Lab1.raw. Don’t be surprised by the file size: memory dumps are quite large.

Hashes

  • md5sum b9fec1a443907d870cb32b048bda9380

Volatility

  • So what do we do with it? A couple of things, actually. My favourite tool for memory analysis is Volatility.

Volatility is an open-source memory forensics framework for incident response and malware analysis

  • If you’re on REMnux it should be preinstalled, so let’s get started. I always use a cheat sheet because I, for the love of god, cannot remember the syntax. I’ll be using Volatility 2.
  • So first let’s try to get some info on the image.
remnux@remnux:~/mal$ vol.py -f MemoryDump_Lab1.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/remnux/mal/MemoryDump_Lab1.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800028100a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002811d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2019-12-11 14:38:00 UTC+0000
Image local date and time : 2019-12-11 20:08:00 +0530

So we see some suggested profiles, meaning the image is probably one of these Windows versions. We can also see the image date and the image local date. Okay, let’s use Win7SP1x64 for now.

Process lists

  • We can also check out the processes on the image.
remnux@remnux:~/mal$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0040 System 4 0 80 570 ------ 0 2019-12-11 13:41:25 UTC+0000
0xfffffa800148f040 smss.exe 248 4 3 37 ------ 0 2019-12-11 13:41:25 UTC+0000
0xfffffa800154f740 csrss.exe 320 312 9 457 0 0 2019-12-11 13:41:32 UTC+0000
0xfffffa8000ca81e0 csrss.exe 368 360 7 199 1 0 2019-12-11 13:41:33 UTC+0000
0xfffffa8001c45060 psxss.exe 376 248 18 786 0 0 2019-12-11 13:41:33 UTC+0000
0xfffffa8001c5f060 winlogon.exe 416 360 4 118 1 0 2019-12-11 13:41:34 UTC+0000
0xfffffa8001c5f630 wininit.exe 424 312 3 75 0 0 2019-12-11 13:41:34 UTC+0000
0xfffffa8001c98530 services.exe 484 424 13 219 0 0 2019-12-11 13:41:35 UTC+0000
0xfffffa8001ca0580 lsass.exe 492 424 9 764 0 0 2019-12-11 13:41:35 UTC+0000
0xfffffa8001ca4b30 lsm.exe 500 424 11 185 0 0 2019-12-11 13:41:35 UTC+0000
0xfffffa8001cf4b30 svchost.exe 588 484 11 358 0 0 2019-12-11 13:41:39 UTC+0000
0xfffffa8001d327c0 VBoxService.ex 652 484 13 137 0 0 2019-12-11 13:41:40 UTC+0000
0xfffffa8001d49b30 svchost.exe 720 484 8 279 0 0 2019-12-11 13:41:41 UTC+0000
0xfffffa8001d8c420 svchost.exe 816 484 23 569 0 0 2019-12-11 13:41:42 UTC+0000
0xfffffa8001da5b30 svchost.exe 852 484 28 542 0 0 2019-12-11 13:41:43 UTC+0000
0xfffffa8001da96c0 svchost.exe 876 484 32 941 0 0 2019-12-11 13:41:43 UTC+0000
0xfffffa8001e1bb30 svchost.exe 472 484 19 476 0 0 2019-12-11 13:41:47 UTC+0000
0xfffffa8001e50b30 svchost.exe 1044 484 14 366 0 0 2019-12-11 13:41:48 UTC+0000
0xfffffa8001eba230 spoolsv.exe 1208 484 13 282 0 0 2019-12-11 13:41:51 UTC+0000
0xfffffa8001eda060 svchost.exe 1248 484 19 313 0 0 2019-12-11 13:41:52 UTC+0000
0xfffffa8001f58890 svchost.exe 1372 484 22 295 0 0 2019-12-11 13:41:54 UTC+0000
0xfffffa8001f91b30 TCPSVCS.EXE 1416 484 4 97 0 0 2019-12-11 13:41:55 UTC+0000
0xfffffa8000d3c400 sppsvc.exe 1508 484 4 141 0 0 2019-12-11 14:16:06 UTC+0000
0xfffffa8001c38580 svchost.exe 948 484 13 322 0 0 2019-12-11 14:16:07 UTC+0000
0xfffffa8002170630 wmpnetwk.exe 1856 484 16 451 0 0 2019-12-11 14:16:08 UTC+0000
0xfffffa8001d376f0 SearchIndexer. 480 484 14 701 0 0 2019-12-11 14:16:09 UTC+0000
0xfffffa8001eb47f0 taskhost.exe 296 484 8 151 1 0 2019-12-11 14:32:24 UTC+0000
0xfffffa8001dfa910 dwm.exe 1988 852 5 72 1 0 2019-12-11 14:32:25 UTC+0000
0xfffffa8002046960 explorer.exe 604 2016 33 927 1 0 2019-12-11 14:32:25 UTC+0000
0xfffffa80021c75d0 VBoxTray.exe 1844 604 11 140 1 0 2019-12-11 14:32:35 UTC+0000
0xfffffa80021da060 audiodg.exe 2064 816 6 131 0 0 2019-12-11 14:32:37 UTC+0000
0xfffffa80022199e0 svchost.exe 2368 484 9 365 0 0 2019-12-11 14:32:51 UTC+0000
0xfffffa8002222780 cmd.exe 1984 604 1 21 1 0 2019-12-11 14:34:54 UTC+0000
0xfffffa8002227140 conhost.exe 2692 368 2 50 1 0 2019-12-11 14:34:54 UTC+0000
0xfffffa80022bab30 mspaint.exe 2424 604 6 128 1 0 2019-12-11 14:35:14 UTC+0000
0xfffffa8000eac770 svchost.exe 2660 484 6 100 0 0 2019-12-11 14:35:14 UTC+0000
0xfffffa8001e68060 csrss.exe 2760 2680 7 172 2 0 2019-12-11 14:37:05 UTC+0000
0xfffffa8000ecbb30 winlogon.exe 2808 2680 4 119 2 0 2019-12-11 14:37:05 UTC+0000
0xfffffa8000f3aab0 taskhost.exe 2908 484 9 158 2 0 2019-12-11 14:37:13 UTC+0000
0xfffffa8000f4db30 dwm.exe 3004 852 5 72 2 0 2019-12-11 14:37:14 UTC+0000
0xfffffa8000f4c670 explorer.exe 2504 3000 34 825 2 0 2019-12-11 14:37:14 UTC+0000
0xfffffa8000f9a4e0 VBoxTray.exe 2304 2504 14 144 2 0 2019-12-11 14:37:14 UTC+0000
0xfffffa8000fff630 SearchProtocol 2524 480 7 226 2 0 2019-12-11 14:37:21 UTC+0000
0xfffffa8000ecea60 SearchFilterHo 1720 480 5 90 0 0 2019-12-11 14:37:21 UTC+0000
0xfffffa8001010b30 WinRAR.exe 1512 2504 6 207 2 0 2019-12-11 14:37:23 UTC+0000
0xfffffa8001020b30 SearchProtocol 2868 480 8 279 0 0 2019-12-11 14:37:23 UTC+0000
0xfffffa8001048060 DumpIt.exe 796 604 2 45 1 1 2019-12-11 14:37:54 UTC+0000
  • Okay, from the case details they saw a black window pop up with something being executed, which leads me to think it was Command Prompt, and she was also painting at the time, so probably Paint?
  • Let’s look at the process list.

We found our paint process.

0xfffffa80022bab30 mspaint.exe            2424    604      6      128      1      0 2019-12-11 14:35:14 UTC+0000

And also the Command Prompt

0xfffffa8002222780 cmd.exe                1984    604      1       21      1      0 2019-12-11 14:34:54 UTC+0000 
  • So based on the timestamps, the Command Prompt process (14:34:54) was started before Paint (14:35:14), and both have explorer.exe (PID 604) as their parent.
  • I’ll let you all take a look at those processes by yourself.
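The lineage and timing reasoning above is easy to do by eye on one dump, but it is worth having as code. The following Python example is added here and is not part of the original post or of Volatility: it parses pslist rows into records, walks the PPID links, and orders one session’s processes by start time. The sample rows are copied from the output above; the function names (parse_pslist, lineage, session_timeline, gap_seconds) are my own.

```python
"""Parse Volatility 2 pslist text and answer lineage/timing questions about it."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: a subset of the pslist rows shown above, with the header
# and separator lines kept so the parser has to skip them.
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0040 System                    4      0     80      570 ------      0 2019-12-11 13:41:25 UTC+0000
0xfffffa8000ca81e0 csrss.exe               368    360      7      199      1      0 2019-12-11 13:41:33 UTC+0000
0xfffffa8002046960 explorer.exe            604   2016     33      927      1      0 2019-12-11 14:32:25 UTC+0000
0xfffffa80021c75d0 VBoxTray.exe           1844    604     11      140      1      0 2019-12-11 14:32:35 UTC+0000
0xfffffa8002222780 cmd.exe                1984    604      1       21      1      0 2019-12-11 14:34:54 UTC+0000
0xfffffa8002227140 conhost.exe            2692    368      2       50      1      0 2019-12-11 14:34:54 UTC+0000
0xfffffa80022bab30 mspaint.exe            2424    604      6      128      1      0 2019-12-11 14:35:14 UTC+0000
0xfffffa8000f4c670 explorer.exe           2504   3000     34      825      2      0 2019-12-11 14:37:14 UTC+0000
0xfffffa8001010b30 WinRAR.exe             1512   2504      6      207      2      0 2019-12-11 14:37:23 UTC+0000
0xfffffa8001048060 DumpIt.exe              796    604      2       45      1      1 2019-12-11 14:37:54 UTC+0000
"""

# One pslist row: offset, name, PID, PPID, threads, handles, session, Wow64, start time.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<sess>\S+)\s+(?P<wow64>\d)\s+"
    r"(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000"
)


@dataclass
class Process:
    offset: int
    name: str
    pid: int
    ppid: int
    threads: int
    handles: int
    session: Optional[int]   # None for kernel-only processes shown as "------"
    wow64: bool
    start: datetime


def parse_pslist(text):
    """Turn pslist output into Process records, skipping headers and warnings."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        sess = m["sess"]
        procs.append(Process(
            offset=int(m["offset"], 16), name=m["name"],
            pid=int(m["pid"]), ppid=int(m["ppid"]),
            threads=int(m["thds"]), handles=int(m["hnds"]),
            session=None if sess.startswith("-") else int(sess),
            wow64=m["wow64"] == "1",
            start=datetime.strptime(m["start"], "%Y-%m-%d %H:%M:%S"),
        ))
    return procs


def by_pid(procs):
    return {p.pid: p for p in procs}


def lineage(procs, pid):
    """Names from the process up its PPID chain; stops at a parent that is no longer in the dump."""
    table = by_pid(procs)
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid].name)
        pid = table[pid].ppid
    return chain


def children(procs, ppid):
    """PIDs whose parent is ppid, e.g. everything the user launched from explorer.exe."""
    return sorted(p.pid for p in procs if p.ppid == ppid)


def session_timeline(procs, session):
    """(start, name, pid) for one logon session, oldest first."""
    in_session = [p for p in procs if p.session == session]
    return [(p.start.strftime("%H:%M:%S"), p.name, p.pid)
            for p in sorted(in_session, key=lambda p: (p.start, p.pid))]


def gap_seconds(procs, earlier_pid, later_pid):
    """Seconds between two process start times (positive if later_pid really started later)."""
    table = by_pid(procs)
    return (table[later_pid].start - table[earlier_pid].start).total_seconds()


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for row in session_timeline(procs, 1):
        print(row)
    print("cmd.exe lineage:", " -> ".join(lineage(procs, 1984)))
    print("cmd.exe started", gap_seconds(procs, 1984, 2424), "s before mspaint.exe")
```

On the sample, session 1 orders as csrss, explorer, VBoxTray, cmd, conhost, mspaint, DumpIt, which matches the story in the case details. Note that lineage() stops at PID 2016 because explorer’s parent had already exited when the image was taken; a parent missing from pslist is normal for userinit-style launchers, not by itself suspicious.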

Command line

Now let’s check out the command line.

remnux@remnux:~/mal$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 cmdline
Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Alissa Simpson\Documents\Important.rar"

Okay, so we found an important file, nice. So how do we extract it?

File Scan and dumping

  • Okay, so we can use filescan to list every file object in the image, but that is a lot of output to read through, so let’s pipe it through grep for .rar:
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
0x000000003eb5c820 2 0 R--rwd \Device\HarddiskVolume2\Users\SmartNet\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
0x000000003eba3600 17 1 RW-rw- \Device\HarddiskVolume2\Users\SmartNet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
0x000000003ebe7ea0 1 0 R--rwd \Device\HarddiskVolume2\Users\SmartNet\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
0x000000003ebea990 1 0 R--rwd \Device\HarddiskVolume2\Users\SmartNet\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
0x000000003ebf22b0 2 1 R--rwd \Device\HarddiskVolume2\Users\SmartNet\AppData\Roaming\Microsoft\Windows\Libraries
0x000000003ebf3070 2 1 R--rwd \Device\HarddiskVolume2\Users\SmartNet\AppData\Roaming\Microsoft\Windows\Libraries
0x000000003ec1a620 16 0 RW-rw- \Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
0x000000003ec237c0 17 1 RW-rw- \Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
0x000000003ed1f9b0 2 0 R--r-d \Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing\UpdateLibrary
0x000000003ed4d990 2 0 R--rw- \Device\HarddiskVolume2\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml
0x000000003eddb070 2 0 R--rwd \Device\HarddiskVolume2\Users\Public\Libraries\desktop.ini
0x000000003f685b30 2 0 R--rwd \Device\HarddiskVolume2\Users\SmartNet\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
0x000000003f6864e0 2 0 R--rwd \Device\HarddiskVolume2\Users\Public\Libraries\RecordedTV.library-ms
0x000000003f686f20 2 0 R--rwd \Device\HarddiskVolume2\Users\SmartNet\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
0x000000003f688070 3 1 R--rwd \Device\HarddiskVolume2\Users\SmartNet\AppData\Roaming\Microsoft\Windows\Libraries
0x000000003f688ba0 3 1 R--rwd \Device\HarddiskVolume2\Users\Public\Libraries
0x000000003fa2b8e0 17 1 RW-rw- \Device\HarddiskVolume2\Users\Alissa Simpson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
0x000000003fa3ebc0 1 0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
0x000000003fab08e0 17 1 RW-rw- \Device\HarddiskVolume2\Users\Alissa Simpson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
0x000000003fac3bc0 1 0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
0x000000003fb358e0 17 1 RW-rw- \Device\HarddiskVolume2\Users\Alissa Simpson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
0x000000003fb48bc0 1 0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
  • The same path shows up three times (three file objects for one file); let’s grab the offset of the first one: 0x000000003fa3ebc0
remnux@remnux:~/mal$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 dumpfiles --dump-dir . -Q 0x000000003fa3ebc0
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
DataSectionObject 0x3fa3ebc0 None \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
  • Okay, now we have the file.
remnux@remnux:~/mal$ file file.None.0xfffffa8001034450.dat 
file.None.0xfffffa8001034450.dat: RAR archive data, v5
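The grep above pulls in Libraries, Temporary and Registrar entries as well as Important.rar, because the dot in .rar is a regex wildcard. The following Python example is added here (it is not part of the original post or of Volatility) to show the difference between a loose grep over filescan output and matching on the file’s real extension, and to turn the chosen file objects into the dumpfiles invocations used above. The sample rows are copied from the output above; parse_filescan, grep, with_extension and dumpfiles_commands are my own names.

```python
"""Parse Volatility 2 filescan text and select file objects by their real extension."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of the filescan rows shown above. The first three
# contain "rar" inside Libraries / Temporary / Registrar, which is what a loose
# grep for .rar matches. Raw string so the Windows backslashes survive.
SAMPLE_FILESCAN = r"""
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003eb5c820      2      0 R--rwd \Device\HarddiskVolume2\Users\SmartNet\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
0x000000003eba3600     17      1 RW-rw- \Device\HarddiskVolume2\Users\SmartNet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
0x000000003ed4d990      2      0 R--rw- \Device\HarddiskVolume2\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml
0x000000003fa3ebc0      1      0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
0x000000003fac3bc0      1      0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
0x000000003fb48bc0      1      0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
"""

# offset, pointer count, handle count, access flags, then the path (which may contain spaces)
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<ptr>\d+)\s+(?P<hnd>\d+)\s+(?P<access>\S{6})\s+(?P<path>\S.*)$"
)


@dataclass
class FileEntry:
    offset: int      # physical offset of the _FILE_OBJECT, what dumpfiles -Q expects
    pointers: int
    handles: int
    access: str
    path: str


def parse_filescan(text):
    """Turn filescan output into FileEntry records, skipping headers and blank lines."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            entries.append(FileEntry(int(m["offset"], 16), int(m["ptr"]),
                                     int(m["hnd"]), m["access"], m["path"].rstrip()))
    return entries


def grep(entries, pattern):
    """Same semantics as `grep PATTERN` on the raw output: a regex search over the path."""
    rx = re.compile(pattern)
    return [e for e in entries if rx.search(e.path)]


def with_extension(entries, ext):
    """Match on the file name's real extension (case-insensitive), not on a substring."""
    ext = ext.lower()
    return [e for e in entries if e.path.rsplit("\\", 1)[-1].lower().endswith(ext)]


def offsets_for(entries, path):
    """Every file object offset that refers to the same path, lowest first."""
    return sorted(e.offset for e in entries if e.path == path)


def dumpfiles_commands(entries, image, profile, out_dir="."):
    """One dumpfiles invocation per file object, in the same form as the command above."""
    return [f"vol.py -f {image} --profile {profile} dumpfiles --dump-dir {out_dir} -Q {e.offset:#018x}"
            for e in entries]


if __name__ == "__main__":
    entries = parse_filescan(SAMPLE_FILESCAN)
    print("loose grep .rar :", len(grep(entries, ".rar")), "hits")
    print("extension .rar  :", len(with_extension(entries, ".rar")), "hits")
    for cmd in dumpfiles_commands(with_extension(entries, ".rar"), "MemoryDump_Lab1.raw", "Win7SP1x64"):
        print(cmd)
```

Escaping the dot (grep '\.rar') or matching on the extension gives just the three Important.rar objects. Dumping all three is cheap and worthwhile: not every _FILE_OBJECT for a path has its data still cached, so one of them may yield a complete file when another does not.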

Rename it to Important.rar and let’s extract it.

Okay, but the archive wants a hash as the password for this flag, unlucky.

Dumping hashes

  • Fret not, we can also dump hashes, but we need two things from the hive list: the SYSTEM and SAM hives.
remnux@remnux:~/mal$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
Virtual Physical Name
------------------ ------------------ ----
0xfffff8a00000d010 0x000000002783f010 [no name]
0xfffff8a000024010 0x00000000276a4010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a00004e010 0x00000000276ce010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a0000b9010 0x0000000037113010 \??\C:\Users\SmartNet\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a0000c1010 0x0000000036d9b010 \??\C:\Users\SmartNet\ntuser.dat
0xfffff8a000264010 0x0000000025d61010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a001032010 0x00000000252b4010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a0012ff300 0x000000002199c300 \SystemRoot\System32\Config\DEFAULT
0xfffff8a001491010 0x000000001df34010 \SystemRoot\System32\Config\SECURITY
0xfffff8a0014e9010 0x000000001d7ed010 \SystemRoot\System32\Config\SAM
0xfffff8a0015ab410 0x000000001cd57410 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a001626010 0x000000001c9a4010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a00227a010 0x00000000123d0010 \??\C:\Users\Alissa Simpson\ntuser.dat
0xfffff8a0022dc010 0x000000000b296010 \??\C:\Users\Alissa Simpson\AppData\Local\Microsoft\Windows\UsrClass.dat
  • Okay, so what we want from here are the virtual offsets of SYSTEM and SAM, which are 0xfffff8a000024010 and 0xfffff8a0014e9010.
  • Pass those two offsets to the hashdump plugin (SYSTEM first, then SAM), redirect its output to hashes.txt, and voila:
remnux@remnux:~/mal$ cat hashes.txt 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SmartNet:1001:aad3b435b51404eeaad3b435b51404ee:4943abb39473a6f32c11301f4987e7e0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:f0fc3d257814e08fea06e63c5762ebd5:::
Alissa Simpson:1003:aad3b435b51404eeaad3b435b51404ee:f4ff64c8baac57d22f22edc681055ba6:::
  • The NTLM hash is F4FF64C8BAAC57D22F22EDC681055BA6 (the NT half of Alissa Simpson’s line, in upper case).
  • And go grab that flag!
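hashes.txt is in pwdump format (user:RID:LM:NT:::), and on a real case you would triage it rather than just copy one value out. The following Python example is added here and is not part of the original post or of Volatility: it parses that format, pulls the upper-cased NT hash the lab asks for, and flags what an incident responder looks at first, namely accounts with no password set and any non-empty LM hashes. The sample is the hashes.txt content shown above; the two empty-string hash constants are the well-known LM and NT hashes of an empty password; the function names are my own.

```python
"""Triage a hashdump (pwdump-format) listing recovered from a memory image."""
from collections import defaultdict
from dataclasses import dataclass

# Well-known LM and NT hashes of the empty string: they appear whenever that half is unset.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample: the hashes.txt content shown above.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SmartNet:1001:aad3b435b51404eeaad3b435b51404ee:4943abb39473a6f32c11301f4987e7e0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:f0fc3d257814e08fea06e63c5762ebd5:::
Alissa Simpson:1003:aad3b435b51404eeaad3b435b51404ee:f4ff64c8baac57d22f22edc681055ba6:::
"""


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str


def parse_hashdump(text):
    """Parse user:RID:LM:NT::: lines; usernames may contain spaces, so split on ':' only."""
    accounts = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # warnings, blank lines, anything that is not a pwdump row
        accounts.append(Account(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return accounts


def nt_hash_for(accounts, user):
    """NT hash of one user, upper-cased the way the lab wants it."""
    for a in accounts:
        if a.user == user:
            return a.nt.upper()
    raise KeyError(user)


def blank_password_accounts(accounts):
    """Accounts whose NT half is the empty-string hash, i.e. no password is set."""
    return [a.user for a in accounts if a.nt == EMPTY_NT]


def lm_hash_present(accounts):
    """Accounts still storing a real LM hash (weak legacy format); empty here, as expected on Win7."""
    return [a.user for a in accounts if a.lm != EMPTY_LM]


def local_users(accounts):
    """RIDs from 1000 up are locally created accounts; 500/501 are the built-in Administrator/Guest."""
    return [a.user for a in accounts if a.rid >= 1000]


def shared_nt_hashes(accounts):
    """Users that share a non-empty NT hash, i.e. the same password (password reuse)."""
    groups = defaultdict(list)
    for a in accounts:
        if a.nt != EMPTY_NT:
            groups[a.nt].append(a.user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    accts = parse_hashdump(SAMPLE_HASHDUMP)
    print("NT hash for Alissa Simpson:", nt_hash_for(accts, "Alissa Simpson"))
    print("no password set          :", blank_password_accounts(accts))
    print("LM hash present          :", lm_hash_present(accts))
    print("local user accounts      :", local_users(accts))
    print("shared passwords         :", shared_nt_hashes(accts))
```

Built-in Administrator and Guest showing the empty NT hash is the default state on a home Windows 7 box where both are disabled; the same output on a server would be a finding. Keep hashes.txt with the rest of the case evidence and handle it like the credential material it is.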

Final words

  • As for the first 2 flags, I’ll not spoil them, please do try to get them.
  • Memory analysis is fun when you know what you’re looking for.

Good luck and godspeed o7
