Memory Forensics-TryHackMe

This is a quick write-up for the TryHackMe room named Memory Forensics. You can find the room here: https://tryhackme.com/room/memoryforensics

Get Volatility from here: https://github.com/volatilityfoundation/volatility/

[Task 2] Login

What is John’s password?

Download the memory dump for this task and first run the “imageinfo” plugin to identify the profile:

$ python /opt/tools/volatility/vol.py -f Snapshot6.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/tmp/Snapshot6.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c4a0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c4bd00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-12-27 06:20:05 UTC+0000
Image local date and time : 2020-12-26 22:20:05 -0800

Now let's dump the password hashes with the “hashdump” module, using the “Win7SP1x64” profile suggested above:

$ python /opt/tools/volatility/vol.py -f Snapshot6.vmem --profile=Win7SP1x64 hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1001:aad3b435b51404eeaad3b435b51404ee:47fbd6536d7868c873d5ea455f2fc0c9:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:91c34c06b7988e216c3bfeb9530cabfb:::
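Before any hash goes to a cracker it is worth parsing the pwdump-style output above and triaging it: the well-known empty LM hash (aad3b435...) and empty NT hash (31d6cfe0...) tell you which accounts have no password at all and whether legacy LM hashes are being stored. The following is an added example, not code from the write-up or from Volatility; the sample text is copied in shape from the output above and the helper names (parse_hashdump, triage) are my own.

```python
import re
from typing import Dict, List, NamedTuple

# Well-known hashes of an empty password. An empty NT hash means the account
# has no password set; an empty LM hash means LM storage is disabled (default
# on modern Windows) or the password is empty/too long for LM.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in pwdump format (user:rid:lmhash:nthash:::), matching
# the hashdump output shown above.
SAMPLE_HASHDUMP = """\
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1001:aad3b435b51404eeaad3b435b51404ee:47fbd6536d7868c873d5ea455f2fc0c9:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:91c34c06b7988e216c3bfeb9530cabfb:::
"""


class Account(NamedTuple):
    user: str
    rid: int
    lm_hash: str
    nt_hash: str


# user : rid : 32 hex LM : 32 hex NT :::   (banner and blank lines won't match)
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_hashdump(text: str) -> List[Account]:
    """Return one Account per well-formed pwdump line; ignore everything else."""
    accounts: List[Account] = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            accounts.append(Account(m.group(1), int(m.group(2)),
                                    m.group(3).lower(), m.group(4).lower()))
    return accounts


def triage(accounts: List[Account]) -> Dict[str, str]:
    """Classify each account so blank-password and LM-storing accounts stand out."""
    report: Dict[str, str] = {}
    for a in accounts:
        if a.nt_hash == EMPTY_NT:
            report[a.user] = "empty NT hash: no password set (nothing to crack)"
        elif a.lm_hash != EMPTY_LM:
            report[a.user] = "NT hash present; LM hash ALSO stored (legacy, weak)"
        else:
            report[a.user] = "NT hash present; LM hash empty (LM storage disabled)"
    return report


if __name__ == "__main__":
    for user, verdict in triage(parse_hashdump(SAMPLE_HASHDUMP)).items():
        print(f"{user:16} {verdict}")
```

Only the accounts reported as "NT hash present" are candidates for the cracking step that follows; the two accounts with the empty NT hash would just waste wordlist time.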

Crack this hash using John the Ripper (save John's line from the hashdump output as hash.txt first):

$ john --wordlist=/usr/share/wordlists/rockyou.txt --format=nt hash.txt

[Task 3] Analysis

First get the “imageinfo” for this dump, just to check whether it is the same profile:

$ python /opt/tools/volatility/vol.py -f Snapshot19.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/tmp/Snapshot19.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002bfd0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002bfed00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-12-27 23:06:01 UTC+0000
Image local date and time : 2020-12-28 00:06:01 +0100

When was the machine last shutdown?

Use the “shutdowntime” module to print the machine's ShutdownTime value from the registry:

$ python /opt/tools/volatility/vol.py -f Snapshot19.vmem --profile=Win7SP1x64 shutdowntime
Volatility Foundation Volatility Framework 2.6.1
Registry: SYSTEM
Key Path: ControlSet001\Control\Windows
Key Last updated: 2020-12-27 [REDACTED] UTC+0000
Value Name: ShutdownTime
Value: 2020-12-27 [REDACTED] UTC+0000
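The ShutdownTime value the plugin prints is stored in the SYSTEM hive as an 8-byte REG_BINARY Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and the plugin is simply decoding it. The following added example (my own code, not from the write-up or from Volatility) decodes such a value and runs the sanity check a practitioner wants: the recorded shutdown must not post-date the image's own capture time from imageinfo. The sample value is constructed, not the redacted one from the room; the helper names are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert FILETIME ticks to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, for building test values and comparisons."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_shutdowntime_value(raw: bytes) -> datetime:
    """Decode the 8-byte little-endian REG_BINARY ShutdownTime value."""
    if len(raw) != 8:
        raise ValueError(f"ShutdownTime should be exactly 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    return filetime_to_datetime(ticks)


def parse_imageinfo_time(s: str) -> datetime:
    """Parse the 'Image date and time' value as imageinfo prints it, e.g.
    '2020-12-27 23:06:01 UTC+0000'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S UTC%z")


def shutdown_consistent(raw: bytes, image_time: str) -> bool:
    """A last-shutdown timestamp later than the capture time means the hive
    data or the clock is not trustworthy and deserves a closer look."""
    return parse_shutdowntime_value(raw) <= parse_imageinfo_time(image_time)


# Constructed sample: 2020-12-27 00:00:00 UTC as a little-endian FILETIME
# (not the redacted value from the room).
SAMPLE_SHUTDOWNTIME = (132535008000000000).to_bytes(8, "little")

if __name__ == "__main__":
    when = parse_shutdowntime_value(SAMPLE_SHUTDOWNTIME)
    print("ShutdownTime:", when.isoformat())
    print("before capture:", shutdown_consistent(SAMPLE_SHUTDOWNTIME,
                                                 "2020-12-27 23:06:01 UTC+0000"))
```

Note that imageinfo also prints a local time derived from the image's time-zone bias; the two dumps above report different offsets (-0800 and +0100), so always compare timestamps in UTC as this code does.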

What did John write?

Use the “consoles” module to extract the command history by scanning for _CONSOLE_INFORMATION structures:

$ python /opt/tools/volatility/vol.py -f Snapshot19.vmem --profile=Win7SP1x64 consoles
Volatility Foundation Volatility Framework 2.6.1
**************************************************
ConsoleProcess: conhost.exe Pid: 2488
Console: 0xffa66200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\System32\cmd.exe
Title: Administrator: C:\Windows\System32\cmd.exe
AttachedProcess: cmd.exe Pid: 1920 Handle: 0x60
----
CommandHistory: 0x21e9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 7 LastAdded: 6 LastDisplayed: 6
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x1fe3a0: cd /
Cmd #1 at 0x1f78b0: echo THM{REDACTED} > test.txt
Cmd #2 at 0x21dcf0: cls
Cmd #3 at 0x1fe3c0: cd /Users
Cmd #4 at 0x1fe3e0: cd /John
Cmd #5 at 0x21db30: dir
Cmd #6 at 0x1fe400: cd John
----
Screen 0x200f70 X:80 Y:300
Dump:

C:\>cd /Users

C:\Users>cd /John
The system cannot find the path specified.

C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is 1602-421F

Directory of C:\Users

12/27/2020 02:20 AM <DIR> .
12/27/2020 02:20 AM <DIR> ..
12/27/2020 02:21 AM <DIR> John
04/12/2011 08:45 AM <DIR> Public
0 File(s) 0 bytes
4 Dir(s) 54,565,433,344 bytes free

C:\Users>cd John

C:\Users\John>
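The consoles output is verbose, and on a real incident you usually want the command history in a structured form, tied to the cmd.exe PID that ran it, with commands that wrote to disk (output redirection) called out for follow-up. The following is an added example, my own code rather than the write-up's or Volatility's; the sample text is a trimmed copy of the output above (flag redacted), and the helper names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

CMD_RE = re.compile(r"^Cmd #(\d+) at (0x[0-9a-fA-F]+): (.*)$")
PID_RE = re.compile(r"^ConsoleProcess: (\S+) Pid: (\d+)")
ATTACHED_RE = re.compile(r"^AttachedProcess: (\S+) Pid: (\d+) Handle: (0x[0-9a-fA-F]+)")
REDIRECT_RE = re.compile(r">{1,2}\s*(\S+)")  # '> file' or '>> file'

# Constructed sample trimmed from the consoles output shown above.
SAMPLE_CONSOLES = r"""Volatility Foundation Volatility Framework 2.6.1
**************************************************
ConsoleProcess: conhost.exe Pid: 2488
Console: 0xffa66200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\System32\cmd.exe
Title: Administrator: C:\Windows\System32\cmd.exe
AttachedProcess: cmd.exe Pid: 1920 Handle: 0x60
----
CommandHistory: 0x21e9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 7 LastAdded: 6 LastDisplayed: 6
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x1fe3a0: cd /
Cmd #1 at 0x1f78b0: echo THM{REDACTED} > test.txt
Cmd #2 at 0x21dcf0: cls
Cmd #3 at 0x1fe3c0: cd /Users
Cmd #4 at 0x1fe3e0: cd /John
Cmd #5 at 0x21db30: dir
Cmd #6 at 0x1fe400: cd John
----
Screen 0x200f70 X:80 Y:300
Dump:
C:\>cd /Users
C:\Users>cd /John
The system cannot find the path specified.
"""


def parse_consoles(text: str) -> List[Dict]:
    """One record per console block (each block opens with a row of '*').
    Only the Cmd # history lines are collected; the screen dump is ignored."""
    consoles: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        if line.startswith("****"):
            current = {"conhost_pid": None, "attached": None, "title": None, "commands": []}
            consoles.append(current)
            continue
        if current is None:
            continue  # banner lines before the first console block
        if m := PID_RE.match(line):
            current["conhost_pid"] = int(m.group(2))
        elif m := ATTACHED_RE.match(line):
            current["attached"] = (m.group(1), int(m.group(2)))
        elif line.startswith("Title: "):
            current["title"] = line[len("Title: "):]
        elif m := CMD_RE.match(line):
            current["commands"].append((int(m.group(1)), m.group(3)))
    return consoles


def find_file_writes(consoles: List[Dict]) -> List[Tuple[Optional[int], str, str]]:
    """Commands that redirected output to a file: (attached pid, command, target).
    These name artifacts worth pulling from the image or disk with filescan/dumpfiles."""
    hits = []
    for c in consoles:
        pid = c["attached"][1] if c["attached"] else None
        for _, cmd in c["commands"]:
            m = REDIRECT_RE.search(cmd)
            if m:
                hits.append((pid, cmd, m.group(1)))
    return hits


if __name__ == "__main__":
    parsed = parse_consoles(SAMPLE_CONSOLES)
    for c in parsed:
        print(f"conhost {c['conhost_pid']} attached to {c['attached']}: {c['title']}")
        for idx, cmd in c["commands"]:
            print(f"  #{idx}: {cmd}")
    print("file writes:", find_file_writes(parsed))
```

The same parser works unchanged on output with several console blocks, since each block is opened by its own row of asterisks.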

[Task 4] TrueCrypt

First get the “imageinfo” for this dump, just to check whether it is the same profile:

$ python /opt/tools/volatility/vol.py -f Snapshot14.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/tmp/Snapshot14.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c4d0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c4ed00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-12-27 13:41:31 UTC+0000
Image local date and time : 2020-12-27 05:41:31 -0800

What is the TrueCrypt passphrase?

Use the “truecryptpassphrase” module to find the cached TrueCrypt passphrase:

$ python /opt/tools/volatility/vol.py -f Snapshot14.vmem --profile=Win7SP1x64 truecryptpassphrase
Volatility Foundation Volatility Framework 2.6.1
Found at 0xfffff8800512bee4 length 11: [REDACTED]

That’s all for today. Thanks for reading.

0xsanz

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900
