TryHackMe: Memory Forensics

Task 1: Introduction
This challenge involves performing memory forensics to extract valuable artifacts and uncover hidden data from a provided memory dump. If you’re new to memory forensics, it’s recommended to explore the Volatility room first to familiarize yourself with the tool.
Note: The attached memory dump file for each task is approximately 1.07 GB in size.
Task 2: Login
As a forensic investigator, you’ve been provided with a memory dump from the suspect’s computer. Your task is to find John’s password by analyzing the dump.
What is John’s password?
Steps:
1. Identify the profile of the memory dump:
In this step, we use the imageinfo command to determine the correct OS profile, which is crucial for ensuring accurate Volatility analysis.
volatility -f Snapshot6_1609157562389.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/memory-dumps/Snapshot6_1609157562389.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c4a0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c4bd00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-12-27 06:20:05 UTC+0000
Image local date and time : 2020-12-26 22:20:05 -0800
The output lists the possible profiles for the memory image. From these I choose Win7SP1x64 and start the investigation.
2. Extract password hashes:
Here, we extract the password hashes from the memory dump and save them to a text file for cracking in the next step.
volatility -f Snapshot6_1609157562389.vmem --profile=Win7SP1x64 hashdump > hashes.txt
cat hashes.txt
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1001:aad3b435b51404eeaad3b435b51404ee:47fbd6536d7868c873d5ea455f2fc0c9:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:91c34c06b7988e216c3bfeb9530cabfb::
3. Crack the password using a wordlist:
Using a tool such as John the Ripper, the extracted hashes are cracked to reveal the plaintext passwords. Success depends heavily on choosing an effective wordlist, such as rockyou.txt.
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (NT [MD4 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
(Administrator)
[REDACTED] (John)
2g 0:00:00:01 DONE (2024-12-24 11:56) 1.212g/s 8693Kp/s 8693Kc/s 14260KC/s markinho..*7¡Vamos!
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
Output: [Redacted]
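Before handing hashdump output to john it is worth triaging it: the hashes for Administrator and Guest above are the well-known NT hash of an empty string, so only John and HomeGroupUser$ actually have a password to crack. The following Python is an added example (not part of the room or of Volatility) that parses the pwdump-format lines shown above and keeps only the accounts worth cracking; SAMPLE is copied from the hashdump output in step 2.

```python
"""Triage Volatility 2 hashdump output (pwdump format) before cracking.
Added example; not part of the TryHackMe room or Volatility. SAMPLE is the
hashdump output shown above."""
from dataclasses import dataclass

# Well-known hashes of the empty string (LM and NT respectively).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

@dataclass
class Account:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def has_password(self) -> bool:
        # NT hash of "" means no password is set; nothing to crack.
        return self.nt_hash != EMPTY_NT

def parse_hashdump(text: str) -> list[Account]:
    """Parse user:rid:lm:nt::: lines; skip the banner and malformed lines."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # banner, blank or otherwise non-pwdump line
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue  # truncated or corrupted hash field
        accounts.append(Account(parts[0], int(parts[1]), lm, nt))
    return accounts

def crack_candidates(accounts: list[Account]) -> list[str]:
    """pwdump lines worth feeding to john, one per distinct NT hash."""
    seen, out = set(), []
    for a in accounts:
        if a.has_password and a.nt_hash not in seen:
            seen.add(a.nt_hash)
            out.append(f"{a.user}:{a.rid}:{a.lm_hash}:{a.nt_hash}:::")
    return out

SAMPLE = """Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1001:aad3b435b51404eeaad3b435b51404ee:47fbd6536d7868c873d5ea455f2fc0c9:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:91c34c06b7988e216c3bfeb9530cabfb::
"""
```

On real output use `parse_hashdump(open("hashes.txt").read())`; for this sample `crack_candidates` returns two lines (John and HomeGroupUser$) and `has_password` is False for Administrator and Guest.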
Task 3: Analysis
Analyze the second memory dump to determine key activities on the machine, including the last shutdown time and commands executed by the user.
When was the machine last shutdown?
Steps:
1. Identify the profile:
volatility.py -f Snapshot19_1609159453792.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/memory-dumps/Snapshot19_1609159453792.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002bfd0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002bfed00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-12-27 23:06:01 UTC+0000
Image local date and time : 2020-12-28 00:06:01 +0100
2. Find the last shutdown time:
The shutdowntime plugin reads the SYSTEM registry hive to locate the ShutdownTime value under ControlSet001\Control\Windows. This timestamp is an essential forensic artifact that reveals the last recorded system shutdown.
volatility -f Snapshot19_1609159453792.vmem --profile=Win7SP1x64 shutdowntime
Volatility Foundation Volatility Framework 2.6.1
Registry: SYSTEM
Key Path: ControlSet001\Control\Windows
Key Last updated: 2020-12-27 22:50:12 UTC+0000
Value Name: ShutdownTime
Value: [REDACTED] UTC+0000
Output: [Redacted]
What did John write?
Steps:
1. Extract the console commands executed by John:
The consoles plugin recovers the command history buffers that conhost.exe keeps in memory for each attached console process (here cmd.exe), listing every command typed along with the console's screen buffer. This gives a direct view of user activity and highlights potentially suspicious behavior.
volatility -f /path/to/Snapshot19_1609159453792.vmem --profile=Win7SP1x64 consoles
Volatility Foundation Volatility Framework 2.6.1
**************************************************
ConsoleProcess: conhost.exe Pid: 2488
Console: 0xffa66200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\System32\cmd.exe
Title: Administrator: C:\Windows\System32\cmd.exe
AttachedProcess: cmd.exe Pid: 1920 Handle: 0x60
----
CommandHistory: 0x21e9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 7 LastAdded: 6 LastDisplayed: 6
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x1fe3a0: cd /
Cmd #1 at 0x1f78b0: echo THM{[REDACTED]} > test.txt
Cmd #2 at 0x21dcf0: cls
Cmd #3 at 0x1fe3c0: cd /Users
Cmd #4 at 0x1fe3e0: cd /John
Cmd #5 at 0x21db30: dir
Cmd #6 at 0x1fe400: cd John
----
Screen 0x200f70 X:80 Y:300
Dump:
C:\>cd /Users
C:\Users>cd /John
The system cannot find the path specified.
C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is 1602-421F
Directory of C:\Users
12/27/2020 02:20 AM .
12/27/2020 02:20 AM ..
12/27/2020 02:21 AM John
04/12/2011 08:45 AM Public
0 File(s) 0 bytes
4 Dir(s) 54,565,433,344 bytes free
C:\Users>cd John
C:\Users\John>
Output: [REDACTED]
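Note that the history buffer above still holds Cmd #0 and Cmd #1 even though cls (Cmd #2) removed them from the screen dump, which is why the history lines, not the screen dump, are what to extract. The following Python is an added example (not from the room or from Volatility) that parses consoles output into per-console command histories and flags commands that redirect output into a file; SAMPLE is the output shown above, cut down to the header and history lines.

```python
"""Pull typed commands out of Volatility 2 `consoles` output.
Added example, not from the room or Volatility. SAMPLE is the consoles
output shown above, cut down to the header and history lines."""
import re
from dataclasses import dataclass, field

@dataclass
class ConsoleHistory:
    conhost_pid: int
    attached: str = ""                 # e.g. "cmd.exe Pid: 1920"
    commands: dict[int, str] = field(default_factory=dict)

_CONHOST = re.compile(r"^ConsoleProcess:\s+\S+\s+Pid:\s+(\d+)")
_ATTACHED = re.compile(r"^AttachedProcess:\s+(\S+)\s+Pid:\s+(\d+)")
_CMD = re.compile(r"^Cmd #(\d+) at 0x[0-9a-fA-F]+:\s?(.*)$")

def parse_consoles(text: str) -> list[ConsoleHistory]:
    """One ConsoleHistory per conhost.exe block, in output order."""
    histories: list[ConsoleHistory] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _CONHOST.match(line):
            histories.append(ConsoleHistory(int(m.group(1))))
        elif histories and (m := _ATTACHED.match(line)):
            histories[-1].attached = f"{m.group(1)} Pid: {m.group(2)}"
        elif histories and (m := _CMD.match(line)):
            # Keyed by history index so gaps or reordering are visible.
            histories[-1].commands[int(m.group(1))] = m.group(2)
    return histories

def file_writes(history: ConsoleHistory) -> list[str]:
    """Commands that redirect output into a file (e.g. echo ... > file)."""
    return [cmd for _, cmd in sorted(history.commands.items())
            if re.search(r">\s*\S", cmd)]

SAMPLE = """Volatility Foundation Volatility Framework 2.6.1
**************************************************
ConsoleProcess: conhost.exe Pid: 2488
AttachedProcess: cmd.exe Pid: 1920 Handle: 0x60
CommandHistory: 0x21e9c0 Application: cmd.exe Flags: Allocated, Reset
Cmd #0 at 0x1fe3a0: cd /
Cmd #1 at 0x1f78b0: echo THM{[REDACTED]} > test.txt
Cmd #2 at 0x21dcf0: cls
Cmd #3 at 0x1fe3c0: cd /Users
Cmd #4 at 0x1fe3e0: cd /John
Cmd #5 at 0x21db30: dir
Cmd #6 at 0x1fe400: cd John
"""
```

For this sample `file_writes` returns only the echo redirection, the command the task asks about.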
Task 4: TrueCrypt
A common task for forensic investigators is looking for hidden partitions and encrypted files. Suspicion arose when TrueCrypt was found on the suspect's machine along with an encrypted partition. Interrogation did not yield the passphrase from the suspect; however, it may still be present in the memory dump obtained from the suspect's computer.
What is the TrueCrypt passphrase?
Steps:
1. Identify the profile:
volatility.py -f /memory-dumps/Snapshot14_1609164553061.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/memory-dumps/Snapshot14_1609164553061.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c4d0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c4ed00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-12-27 13:41:31 UTC+0000
Image local date and time : 2020-12-27 05:41:31 -0800
2. Extract the TrueCrypt passphrase:
The TrueCrypt passphrase cached in memory is retrieved with the dedicated truecryptpassphrase plugin. This step highlights the value of volatile memory analysis in recovering encryption secrets that are not stored on disk.
volatility.py -f Snapshot14_1609164553061.vmem --profile=Win7SP1x64 truecryptpassphrase
Volatility Foundation Volatility Framework 2.6.1
Found at 0xfffff8800512bee4 length 11: [REDACTED]
Output: [REDACTED]