TryHackMe: Memory Forensics
by ahmedstefan
Task 1 Introduction
Perform memory forensics to find the flags. If you are having trouble, maybe check out the volatility room first.
Enjoy!
Please note: The size of the attached vmem file to download for each Task is large: 1.07 GB.
Here are some resources I used; check them out for more information:
Volatility: https://github.com/volatilityfoundation/volatility/
Volatility wiki: https://github.com/volatilityfoundation/volatility/wiki
Cheatsheet: https://book.hacktricks.xyz/forensics/volatility-examples
Room icon credit: https://book.cyberyozh.com/counter-forensics-anti-computer-forensics
Install Volatility
Download the zip from https://www.volatilityfoundation.org/releases for your operating system.
Linux
I download the zip, extract it and put the standalone binary in /usr/local/bin.
╰─○ wget http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip
--2021-04-04 22:05:07-- http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip
Resolving downloads.volatilityfoundation.org (downloads.volatilityfoundation.org)... 162.243.24.16
Connecting to downloads.volatilityfoundation.org (downloads.volatilityfoundation.org)|162.243.24.16|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://downloads.volatilityfoundation.org//releases/2.6/volatility_2.6_lin64_standalone.zip [following]
--2021-04-04 22:05:07-- https://downloads.volatilityfoundation.org//releases/2.6/volatility_2.6_lin64_standalone.zip
Connecting to downloads.volatilityfoundation.org (downloads.volatilityfoundation.org)|162.243.24.16|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14737820 (14M) [application/zip]
Saving to: ‘volatility_2.6_lin64_standalone.zip’
volatility_2.6_lin64_standalone.zip 100%[=======================================================================================>] 14.05M 4.85MB/s in 2.9s
2021-04-04 22:05:11 (4.85 MB/s) - ‘volatility_2.6_lin64_standalone.zip’ saved [14737820/14737820]
╰─○ unzip volatility_2.6_lin64_standalone.zip
Archive: volatility_2.6_lin64_standalone.zip
creating: volatility_2.6_lin64_standalone/
inflating: volatility_2.6_lin64_standalone/AUTHORS.txt
inflating: volatility_2.6_lin64_standalone/CREDITS.txt
inflating: volatility_2.6_lin64_standalone/LEGAL.txt
inflating: volatility_2.6_lin64_standalone/LICENSE.txt
inflating: volatility_2.6_lin64_standalone/README.txt
inflating: volatility_2.6_lin64_standalone/volatility_2.6_lin64_standalone
╰─○ sudo cp volatility_2.6_lin64_standalone/volatility_2.6_lin64_standalone /usr/local/bin/volatility
╰─○ sudo chmod +xr /usr/local/bin/volatility
╰─○ volatility
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : You must specify something to do (try -h)
Task 2 Login
The forensic investigator on-site has performed the initial forensic analysis of John's computer and handed you the memory dump he generated on the computer. As the secondary forensic investigator, it is up to you to find all the required information in the memory dump.
What is John's password?
Let's download the task file and take a look. First we need to figure out which profile to use.
╰─○ volatility imageinfo -f Snapshot6.vmem
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/tony/Downloads/Snapshot6.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c4a0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c4bd00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-12-27 06:20:05 UTC+0000
Image local date and time : 2020-12-26 22:20:05 -0800
From the above I choose Win7SP1x64 and start the investigation.
╰─○ sudo volatility -f Snapshot6.vmem --profile Win7SP1x64 hashdump --output-file=snapshot6.creds
Volatility Foundation Volatility Framework 2.6
Outputting to: snapshot6.creds
Now let's check whether we got anything.
╰─○ cat snapshot6.creds
Administrator:500:[REDACTED]:[REDACTED]:::
Guest:501:[REDACTED]:[REDACTED]:::
John:1001:[REDACTED]:[REDACTED]:::
HomeGroupUser$:1002:[REDACTED]:[REDACTED]:::
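As an added example (not part of the original writeup or of Volatility), here is a small parser for the pwdump-format lines that hashdump writes, with a triage step that flags blank-password accounts and accounts that still have an LM hash stored; the non-empty hash values in the sample are constructed.

```python
# Added example (not from the TryHackMe room or the Volatility project): parse the
# pwdump-style lines that hashdump writes and flag accounts worth a second look.
from dataclasses import dataclass

# Well-known hashes of the empty password (LM and NT respectively).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

def parse_hashdump(text):
    """Parse 'user:rid:lmhash:nthash:::' lines into Account records."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 7:  # seven fields, the last three always empty
            raise ValueError(f"unexpected hashdump line: {line!r}")
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"hash of wrong length for {parts[0]}")
        accounts.append(Account(parts[0], int(parts[1]), lm, nt))
    return accounts

def triage(accounts):
    """Return (users with a blank password, users whose LM hash is stored).
    A stored LM hash means the legacy, trivially crackable format is still kept."""
    blank = [a.user for a in accounts if a.nt == EMPTY_NT]
    with_lm = [a.user for a in accounts if a.lm != EMPTY_LM]
    return blank, with_lm

# Constructed sample in the layout of snapshot6.creds; the non-empty hashes are
# made-up hex, only the empty-password constants are real.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

if __name__ == "__main__":
    blank, with_lm = triage(parse_hashdump(SAMPLE))
    print("blank password:", blank, "| LM hash stored:", with_lm)
```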
Ok, looks like we have some hashes, so let's break out john and see if we can crack them.
╰─○ /opt/john-1.9.0-jumbo-1/run/john snapshot6.creds --wordlist=rockyou.txt --format=NT
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
(Administrator)
[REDACTED] (John)
2g 0:00:00:01 DONE (2021-04-04 22:20) 1.818g/s 13039Kp/s 13039Kc/s 21390KC/s
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
Answer: [REDACTED] (John)
Task 3 Analysis
On arrival, a picture was taken of the suspect's machine; on it you could see that John had a command prompt window open. The picture wasn't very clear, sadly, and you could not see what John was doing in the command prompt window.
To complete your forensic timeline, you should also have a look at what other information you can find, when was the last time John turned off his computer?
Let's download the task file and identify the profile again.
╰─○ volatility imageinfo -f Snapshot19.vmem
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/tony/Downloads/Snapshot19.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002bfd0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002bfed00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-12-27 23:06:01 UTC+0000
Image local date and time : 2020-12-28 00:06:01 +0100
When was the machine last shutdown?
Volatility has a shutdowntime plugin ("Print ShutdownTime of machine from registry") that we can use.
╰─○ sudo volatility -f Snapshot19.vmem shutdowntime --profile Win7SP1x64
Volatility Foundation Volatility Framework 2.6
Registry: SYSTEM
Key Path: ControlSet001\Control\Windows
Key Last updated: [REDACTED]
Value Name: ShutdownTime
Value: [REDACTED]
Answer: Value: [REDACTED]
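The ShutdownTime value that shutdowntime prints is stored in the SYSTEM hive as a raw 8-byte Windows FILETIME (100 ns ticks since 1601-01-01 UTC, little-endian). As an added example (not part of the writeup or of Volatility), the decoder below performs that conversion and checks the result against the image time printed by imageinfo; the shutdown value used is constructed, not the room's redacted one.

```python
# Added example (not from the room or Volatility): decode the raw ShutdownTime
# FILETIME from SYSTEM\ControlSet001\Control\Windows and sanity-check it against
# the acquisition time of the image.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(raw):
    """Little-endian 8-byte FILETIME -> timezone-aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    # One tick is 100 ns; timedelta resolves to 1 us, so the last digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def utc_to_filetime(dt):
    """UTC datetime -> little-endian 8-byte FILETIME (inverse of the above)."""
    ticks = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return struct.pack("<Q", ticks)

def shutdown_before_capture(shutdown_raw, image_time):
    """True when the registry shutdown time precedes the image timestamp. A
    shutdown later than the capture means the clock or the artifact needs a
    closer look before it goes into the timeline."""
    return filetime_to_utc(shutdown_raw) <= image_time

# Constructed sample: a shutdown a few minutes before the Snapshot19 image time
# reported by imageinfo (2020-12-27 23:06:01 UTC). Not the room's redacted value.
SAMPLE_SHUTDOWN = utc_to_filetime(datetime(2020, 12, 27, 22, 58, 30, tzinfo=timezone.utc))
IMAGE_TIME = datetime(2020, 12, 27, 23, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(SAMPLE_SHUTDOWN.hex(), "->", filetime_to_utc(SAMPLE_SHUTDOWN).isoformat())
    print("consistent with capture:", shutdown_before_capture(SAMPLE_SHUTDOWN, IMAGE_TIME))
```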
What did John write?
Ok, now we need to look at what John wrote in the console. Take note of the hint.
Question Hint
It's written between curly brackets: THM{XXXX}
So let's use the consoles plugin this time.
╰─○ sudo volatility -f Snapshot19.vmem consoles --profile Win7SP1x64
Volatility Foundation Volatility Framework 2.6
**************************************************
ConsoleProcess: conhost.exe Pid: 2488
Console: 0xffa66200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\System32\cmd.exe
Title: Administrator: C:\Windows\System32\cmd.exe
AttachedProcess: cmd.exe Pid: 1920 Handle: 0x60
----
CommandHistory: 0x21e9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 7 LastAdded: 6 LastDisplayed: 6
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x1fe3a0: cd /
Cmd #1 at 0x1f78b0: echo THM{[REDACTED]} > test.txt
Cmd #2 at 0x21dcf0: cls
Cmd #3 at 0x1fe3c0: cd /Users
Cmd #4 at 0x1fe3e0: cd /John
Cmd #5 at 0x21db30: dir
Cmd #6 at 0x1fe400: cd John
----
Screen 0x200f70 X:80 Y:300
Dump:
C:\>cd /Users
C:\Users>cd /John
The system cannot find the path specified.
C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is 1602-421F
Directory of C:\Users
12/27/2020 02:20 AM <DIR> .
12/27/2020 02:20 AM <DIR> ..
12/27/2020 02:21 AM <DIR> John
04/12/2011 08:45 AM <DIR> Public
0 File(s) 0 bytes
4 Dir(s) 54,565,433,344 bytes free
C:\Users>cd John
C:\Users\John>
Answer: Cmd #1 at 0x1f78b0: echo THM{[REDACTED]} > test.txt
Task 4 TrueCrypt
A common task of forensic investigators is looking for hidden partitions and encrypted files, as suspicion arose when TrueCrypt was found on the suspect's machine and an encrypted partition was found. The interrogation did not yield any success in getting the passphrase from the suspect, however, it may be present in the memory dump obtained from the suspect's computer.
What is the TrueCrypt passphrase?
Ok, so there are some TrueCrypt plugins:
truecryptmaster Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase TrueCrypt Cached Passphrase Finder
truecryptsummary TrueCrypt Summary
So let's double-check the profile and try truecryptpassphrase.
╰─○ sudo volatility -f Snapshot14.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/tony/Downloads/Snapshot14.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c4d0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c4ed00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-12-27 13:41:31 UTC+0000
Image local date and time : 2020-12-27 05:41:31 -0800
Ok, so we should be good with the same profile, onto the passphrase...
╰─○ sudo volatility -f Snapshot14.vmem truecryptpassphrase --profile Win7SP1x64
Volatility Foundation Volatility Framework 2.6
Found at 0xfffff8800512bee4 length 11: [REDACTED]
Answer: Found at 0xfffff8800512bee4 length 11: [REDACTED]
Done
A nice little room to brush up on memory forensics.