TRYHACKME
Advent of Cyber 2022 [Day 11]-Memory Forensics Not all gifts are nice
Scenario: One of the workshop employees knocks on the door. The elf says, “I’ve just clicked on something and now my workstation is behaving in all kinds of weird ways. Can you take a look?”
Elf McSkidy tasks you, Elf McBlue, to investigate the workstation. Running down to the workshop floor, you see a command prompt running some code. Uh oh! This is not good. You immediately create a memory dump of the workstation and place this dump onto your employee-issued USB stick.
You plug the USB into your workstation and begin your investigation.
Day 11 Learning Objectives: Memory Forensics.
What is Memory Forensics?
Memory forensics is the analysis of volatile memory (RAM), the memory a computer is using while it is powered on. Its contents are lost at shutdown, which is why a memory dump is captured from the live machine before anything else is done to it.
Why is Memory Forensics Useful?
Memory forensics is an extremely important element when investigating a computer that falls within the scope of a cyberattack. RAM holds the running processes, their loaded modules, open files, and network connections at the moment of capture, and malware that runs only in memory may leave little or nothing on disk, so the memory image is often the only place that evidence exists.
An Introduction to Processes
A process is a running program. For example, a process is created when running an instance of Notepad, and you can have multiple processes for one application (running three instances of Notepad creates three processes). The operating system assigns each process a Process ID (PID), which is how the plugins below refer to it.
Introducing Volatility
Volatility is an open-source memory forensics toolkit written in Python. Volatility allows us to analyze memory dumps taken from Windows, Linux, and macOS devices and is an extremely popular tool in memory forensics. This task uses Volatility 3, whose plugins are grouped by operating system (for example windows.info, windows.pslist, and windows.dumpfiles).
Answers to the Questions
What is the Windows version number that the memory image captured?
10
What is the name of the binary/gift that secret Santa left?
mysterygift.exe
What is the Process ID (PID) of this binary?
2040
Dump the contents of this binary. How many files are dumped?
16
Use the windows.dumpfiles plugin with the suspicious binary's PID (--pid 2040) to dump every file that process has open or mapped, then count the files written to the output directory.
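The three plugin calls behind the answers above (windows.info for the version, windows.pslist for the PID, windows.dumpfiles for the dump), wrapped in a small POSIX shell script. This is an added example for this walkthrough, not TryHackMe's own material: the `vol.py` name, the `./workstation.mem` image path and the sample plugin output embedded at the bottom are all assumptions, the sample values are constructed so the helpers can be exercised without a real memory image.

```shell
#!/bin/sh
# Added example for this walkthrough, not TryHackMe's own material.
# Assumes Volatility 3 is on PATH as `vol.py` and the memory image sits at
# ./workstation.mem (both hypothetical names). The parsing helpers are run
# against constructed sample plugin output below so the script works offline.

# Windows major version: the NtMajorVersion row of windows.info (stdin).
nt_major_version() {
    awk '$1 == "NtMajorVersion" { print $2; exit }'
}

# PID of the first process whose ImageFileName (column 3 of windows.pslist,
# read from stdin) matches the given name; prints nothing if absent.
pid_for_image() {
    awk -v name="$1" '$3 == name { print $1; exit }'
}

# Number of files windows.dumpfiles wrote into the given output directory
# (each cached section object becomes its own .dat or .img file).
count_dumped_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# The full procedure against a real image. Not exercised offline.
investigate() {
    image="$1"; suspect="$2"; outdir="${3:-dumped}"
    echo "Windows major version: $(vol.py -f "$image" windows.info | nt_major_version)"
    pid=$(vol.py -f "$image" windows.pslist | pid_for_image "$suspect")
    # A process that has exited or been unlinked will not appear in pslist;
    # windows.psscan carves _EPROCESS structures and can still find it.
    [ -n "$pid" ] || { echo "$suspect not in pslist; try windows.psscan" >&2; return 1; }
    echo "PID of $suspect: $pid"
    mkdir -p "$outdir"
    vol.py -f "$image" -o "$outdir" windows.dumpfiles --pid "$pid" >/dev/null
    echo "Files dumped for PID $pid: $(count_dumped_files "$outdir")"
}

# Constructed, abbreviated samples of what the two plugins print (tab-separated
# columns in Volatility 3); the offsets and times are illustrative only.
SAMPLE_INFO='Variable	Value
Kernel Base	0xf80373c00000
NtMajorVersion	10
NtMinorVersion	0'

SAMPLE_PSLIST='PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime	File output
4	0	System	0x9c8a7c07c080	129	-	N/A	False	2022-11-24 09:07:17.000000	N/A	Disabled
1400	1232	explorer.exe	0x9c8a7d1c2080	61	-	1	False	2022-11-24 09:08:02.000000	N/A	Disabled
2040	1400	mysterygift.exe	0x9c8a7d3e2080	1	-	1	False	2022-11-24 09:12:20.000000	N/A	Disabled'

# Offline demonstration of the helpers; pass --image <dump> <name> to run for real,
# e.g. ./triage.sh --image ./workstation.mem mysterygift.exe
if [ "${1:-}" = "--image" ]; then
    investigate "$2" "$3"
else
    echo "Windows major version: $(printf '%s\n' "$SAMPLE_INFO" | nt_major_version)"
    echo "PID of mysterygift.exe: $(printf '%s\n' "$SAMPLE_PSLIST" | pid_for_image mysterygift.exe)"
fi
```

The helpers key on column positions of the Volatility 3 text renderer, so they break if a different renderer or an older Volatility 2 profile-based output is fed in; check the header line first if the parsers return nothing. Counting files in the output directory matches how the question is scored: one mapped file can yield both a DataSectionObject (.dat) and an ImageSectionObject (.img) dump, and both count.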