
Walkthrough - Memory Forensics

Tags: Forensics, Memory, Volatility, Security
Description: Perform memory forensics to find the flags.
Difficulty: Easy
URL: https://tryhackme.com/room/memoryforensics


Login

The forensic investigator on-site has performed the initial forensic analysis of John’s computer and handed you the memory dump he generated on the computer. As the secondary forensic investigator, it is up to you to find all the required information in the memory dump.

  • Identify the profile with imageinfo (the first suggestion, Win7SP1x64, is used for the remaining Volatility 2 commands):

```
python2.7 ~/scripts/volatility-master/vol.py -f Snapshot6.vmem imageinfo
```

```
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/oskar/Documents/TryHackMe/MemoryForensics/Snapshot6.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c4a0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c4bd00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-12-27 06:20:05 UTC+0000
     Image local date and time : 2020-12-26 22:20:05 -0800
```
  • List the registry hives in memory with hivelist; hashdump needs the virtual offsets of the SYSTEM and SAM hives, which this output provides:

```
python2.7 ~/scripts/volatility-master/vol.py -f Snapshot6.vmem --profile Win7SP1x64 hivelist
```

```
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a001453010 0x000000003b039010 \??\C:\Users\John\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a00000f010 0x0000000027324010 [no name]
0xfffff8a000024010 0x00000000271af010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000061010 0x00000000272ee010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000790010 0x00000000211b5010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a0007f1010 0x0000000021368010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000a8e010 0x000000001b1e8010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a000cce010 0x00000000172b1010 \SystemRoot\System32\Config\SECURITY
0xfffff8a000cf8010 0x0000000016ce6010 \SystemRoot\System32\Config\SAM
0xfffff8a000d81010 0x00000000162d5010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a000e0e010 0x0000000016073010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a0013ee010 0x000000003bc0d010 \??\C:\Users\John\ntuser.dat
```
  • With the virtual offsets of SYSTEM and SAM we can extract the hashes. I couldn't get this to work with Volatility 2.7, so I used Volatility 3 for this.
  • Volatility 3 needs no profile; the full plugin name is windows.hashdump:

```
sudo vol -f Snapshot6.vmem hashdump
```

```
User    rid     lmhash  nthash

Administrator   500     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
Guest   501     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
John    1001    aad3b435b51404eeaad3b435b51404ee        47fbd6536d7868c873d5ea455f2fc0c9
HomeGroupUser$  1002    aad3b435b51404eeaad3b435b51404ee        91c34c06b7988e216c3bfeb9530cabfb
```
  • Crack John's NT hash offline with hashcat. Mode 1000 is NTLM, so john.hash holds only the nthash column (47fbd6536d7868c873d5ea455f2fc0c9); the LM column is irrelevant here:

```
hashcat -m 1000 john.hash /usr/share/seclists/Passwords/rockyou.txt
```

Analysis

On arrival a picture was taken of the suspect’s machine; on it you could see that John had a command prompt window open. The picture wasn’t very clear, sadly, and you could not see what John was doing in the command prompt window.

To complete your forensic timeline, you should also have a look at what other information you can find, when was the last time John turned off his computer?

Answer the questions below

When was the machine last shutdown?

  • sudo python2.7 ~/scripts/volatility-master/vol.py -f Snapshot19.vmem imageinfo
  • Volatility doesn't work
  • 2020-12-27 22:50:12
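The walkthrough states the shutdown time but not where it comes from. Windows records the last clean shutdown in the SYSTEM hive under ControlSet00X\Control\Windows\ShutdownTime (Select\Current says which ControlSet was live) as an 8-byte REG_BINARY FILETIME, a count of 100 ns ticks since 1601-01-01 UTC. Volatility's printkey plugin (`printkey -K "ControlSet001\Control\Windows"` in Volatility 2, `windows.registry.printkey --key "ControlSet001\Control\Windows"` in Volatility 3) shows that value as a raw hexdump, so it has to be decoded by hand. The script below is an added example, not the author's steps or Volatility code; the printkey sample is constructed to resemble the plugin's output and the exact hexdump layout is an assumption, which is why the parser only looks for two-digit hex byte tokens after the ShutdownTime label.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes, got %d" % len(raw))
    ticks, = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds
    return struct.pack("<Q", micros * 10)


def shutdown_time_from_printkey(output: str) -> datetime:
    """Pull the ShutdownTime REG_BINARY value out of printkey-style output.

    Assumed layout: the hexdump of the value follows the line carrying the
    'ShutdownTime' label as two-digit hex byte tokens. The offset column
    (0x00000000) and the ASCII column never match a bare two-hex-digit token,
    so only the first 8 byte tokens are taken.
    """
    lines = output.splitlines()
    start = next(i for i, line in enumerate(lines) if "ShutdownTime" in line)
    hexbytes = []
    for line in lines[start + 1:]:
        hexbytes += re.findall(r"\b[0-9a-fA-F]{2}\b", line)
        if len(hexbytes) >= 8:
            break
    if len(hexbytes) < 8:
        raise ValueError("no 8-byte value found after ShutdownTime")
    return filetime_to_datetime(bytes.fromhex("".join(hexbytes[:8])))


def as_local(dt: datetime, utc_offset_hours: float) -> datetime:
    """Re-express a UTC timestamp in the image's local zone (imageinfo showed -0800)."""
    return dt.astimezone(timezone(timedelta(hours=utc_offset_hours)))


# Constructed sample resembling printkey output. The ShutdownTime bytes encode
# FILETIME 0x019DB1DED53E8000, the Unix epoch, so the expected decode is obvious.
SAMPLE_PRINTKEY = """Legacy Key:
Key name: Windows (S)
Last updated: 1970-01-01 00:00:00 UTC+0000

Values:
REG_BINARY    ShutdownTime    : (S)
0x00000000  00 80 3e d5 de b1 9d 01                           ..>.....
"""

if __name__ == "__main__":
    shutdown_utc = shutdown_time_from_printkey(SAMPLE_PRINTKEY)
    print("last clean shutdown (UTC):  ", shutdown_utc)
    print("last clean shutdown (local):", as_local(shutdown_utc, -8))
```

Report the value in the same zone as the rest of the timeline: imageinfo prints both UTC and the image's local time, and the room expects one specific form, so decode once and convert explicitly rather than trusting whichever zone a tool happens to print.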

What did John write?

  • forgetmenot

This post is licensed under CC BY 4.0 by the author.