TryHackMe: Memory Forensics by ahmedstefan

Task 1 Introduction

Perform memory forensics to find the flags. If you are having trouble, maybe check out the volatility room first.

Enjoy!

Please note: The size of the attached vmem file to download for each Task is large: 1.07 GB.

Here are some resources I used, check them out for more information:

Volatility: https://github.com/volatilityfoundation/volatility/

Volatility wiki: https://github.com/volatilityfoundation/volatility/wiki

Cheatsheet: https://book.hacktricks.xyz/forensics/volatility-examples

Room icon credit: https://book.cyberyozh.com/counter-forensics-anti-computer-forensics

Install Volatility

Download the zip from https://www.volatilityfoundation.org/releases for your operating system.

Linux

I download the zip, extract it and put the binary in /usr/local/bin

╰─○ wget http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip
--2021-04-04 22:05:07--  http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip
Resolving downloads.volatilityfoundation.org (downloads.volatilityfoundation.org)... 162.243.24.16
Connecting to downloads.volatilityfoundation.org (downloads.volatilityfoundation.org)|162.243.24.16|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://downloads.volatilityfoundation.org//releases/2.6/volatility_2.6_lin64_standalone.zip [following]
--2021-04-04 22:05:07--  https://downloads.volatilityfoundation.org//releases/2.6/volatility_2.6_lin64_standalone.zip
Connecting to downloads.volatilityfoundation.org (downloads.volatilityfoundation.org)|162.243.24.16|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14737820 (14M) [application/zip]
Saving to: ‘volatility_2.6_lin64_standalone.zip’

volatility_2.6_lin64_standalone.zip        100%[=======================================================================================>]  14.05M  4.85MB/s    in 2.9s    

2021-04-04 22:05:11 (4.85 MB/s) - ‘volatility_2.6_lin64_standalone.zip’ saved [14737820/14737820]

╰─○ unzip volatility_2.6_lin64_standalone.zip 
Archive:  volatility_2.6_lin64_standalone.zip
   creating: volatility_2.6_lin64_standalone/
  inflating: volatility_2.6_lin64_standalone/AUTHORS.txt  
  inflating: volatility_2.6_lin64_standalone/CREDITS.txt  
  inflating: volatility_2.6_lin64_standalone/LEGAL.txt  
  inflating: volatility_2.6_lin64_standalone/LICENSE.txt  
  inflating: volatility_2.6_lin64_standalone/README.txt  
  inflating: volatility_2.6_lin64_standalone/volatility_2.6_lin64_standalone  
 
╰─○ sudo cp volatility_2.6_lin64_standalone/volatility_2.6_lin64_standalone /usr/local/bin/volatility

╰─○ sudo chmod +xr /usr/local/bin/volatility

╰─○ volatility                              
Volatility Foundation Volatility Framework 2.6
ERROR   : volatility.debug    : You must specify something to do (try -h)

Task 2 Login

The forensic investigator on-site has performed the initial forensic analysis of John's computer and handed you the memory dump he generated on the computer. As the secondary forensic investigator, it is up to you to find all the required information in the memory dump.

What is John's password?

Let's download the task file and take a look. First we need to figure out the profile we need to use.

╰─○ volatility imageinfo -f Snapshot6.vmem
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/tony/Downloads/Snapshot6.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c4a0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c4bd00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-12-27 06:20:05 UTC+0000
     Image local date and time : 2020-12-26 22:20:05 -0800

From the above I choose Win7SP1x64 and start our investigation.

╰─○ sudo volatility -f Snapshot6.vmem --profile Win7SP1x64 hashdump --output-file=snapshot6.creds
Volatility Foundation Volatility Framework 2.6
Outputting to: snapshot6.creds

Now let's take a look and see if we have anything.

╰─○ cat snapshot6.creds 
Administrator:500:[REDACTED]:[REDACTED]:::
Guest:501:[REDACTED]:[REDACTED]:::
John:1001:[REDACTED]:[REDACTED]:::
HomeGroupUser$:1002:[REDACTED]:[REDACTED]:::

Ok, looks like we have some hashes so let's break out john and see if we can crack them.

╰─○ /opt/john-1.9.0-jumbo-1/run/john snapshot6.creds --wordlist=rockyou.txt --format=NT
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (Administrator)
[REDACTED]    (John)
2g 0:00:00:01 DONE (2021-04-04 22:20) 1.818g/s 13039Kp/s 13039Kc/s 21390KC/s      
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

Answer: [REDACTED] (John)
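The john run above shows an empty password for Administrator. The following is an added example, not part of the original write-up: a small triage of a hashdump file in the same user:rid:lm:nt::: layout that reports blank passwords, stored LM hashes and accounts sharing one NT hash. The sample accounts alice and svc_backup and their hashes are constructed; only the two empty-string hash constants are real, well-known values.

```python
from collections import defaultdict

# Well-known hashes of the empty string: the LM placeholder and the NT hash.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the layout of snapshot6.creds; the non-empty hashes
# are made-up hex strings, not values from the room.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
svc_backup:1002:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::
this line is not a pwdump record
"""

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) for each well-formed user:rid:lm:nt::: line."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # skip banners, blank lines and truncated records
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) == 32 and len(nt) == 32:
            yield user, rid, lm, nt

def triage(text):
    """Return (account, finding) pairs worth recording in the case notes."""
    findings, by_nt = [], defaultdict(list)
    for user, rid, lm, nt in parse_pwdump(text):
        by_nt[nt].append(user)
        if nt == EMPTY_NT:
            findings.append((user, "blank password"))
        if lm != EMPTY_LM:
            findings.append((user, "LM hash stored"))
    # Identical NT hashes mean identical passwords (NT hashes are unsalted).
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(users), "shared password"))
    return findings

if __name__ == "__main__":
    for account, finding in triage(SAMPLE):
        print(f"{account}: {finding}")
```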

Task 3 Analysis

On arrival a picture was taken of the suspect's machine, on it, you could see that John had a command prompt window open. The picture wasn't very clear, sadly, and you could not see what John was doing in the command prompt window.

To complete your forensic timeline, you should also have a look at what other information you can find, when was the last time John turned off his computer?

Let's download the task file and identify the profile again.

╰─○ volatility imageinfo -f Snapshot19.vmem             
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/tony/Downloads/Snapshot19.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002bfd0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002bfed00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-12-27 23:06:01 UTC+0000
     Image local date and time : 2020-12-28 00:06:01 +0100

When was the machine last shut down?

Volatility has a shutdowntime plugin ("Print ShutdownTime of machine from registry") that we can use.

╰─○ sudo volatility -f Snapshot19.vmem shutdowntime --profile Win7SP1x64                   
Volatility Foundation Volatility Framework 2.6
Registry: SYSTEM
Key Path: ControlSet001\Control\Windows
Key Last updated: [REDACTED]
Value Name: ShutdownTime
Value: [REDACTED]

Answer: Value: [REDACTED]

What did John write?

Ok, now we need to look at what John wrote in the console. Take note of the hint.

 Question Hint
 It's written between curly brackets: THM{XXXX}

So let's use the consoles plugin this time.

╰─○ sudo volatility -f Snapshot19.vmem consoles --profile Win7SP1x64
Volatility Foundation Volatility Framework 2.6
**************************************************
ConsoleProcess: conhost.exe Pid: 2488
Console: 0xffa66200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\System32\cmd.exe
Title: Administrator: C:\Windows\System32\cmd.exe
AttachedProcess: cmd.exe Pid: 1920 Handle: 0x60
----
CommandHistory: 0x21e9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 7 LastAdded: 6 LastDisplayed: 6
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x1fe3a0: cd /
Cmd #1 at 0x1f78b0: echo THM{[REDACTED]} > test.txt
Cmd #2 at 0x21dcf0: cls
Cmd #3 at 0x1fe3c0: cd /Users
Cmd #4 at 0x1fe3e0: cd /John
Cmd #5 at 0x21db30: dir
Cmd #6 at 0x1fe400: cd John
----
Screen 0x200f70 X:80 Y:300
Dump:
                                                                                
C:\>cd /Users                                                                   
                                                                                
C:\Users>cd /John                                                               
The system cannot find the path specified.                                      
                                                                                
C:\Users>dir                                                                    
 Volume in drive C has no label.                                                
 Volume Serial Number is 1602-421F                                              
                                                                                
 Directory of C:\Users                                                          
                                                                                
12/27/2020  02:20 AM    <DIR>          .                                        
12/27/2020  02:20 AM    <DIR>          ..                                       
12/27/2020  02:21 AM    <DIR>          John                                     
04/12/2011  08:45 AM    <DIR>          Public                                   
               0 File(s)              0 bytes                                   
               4 Dir(s)  54,565,433,344 bytes free                              
                                                                                
C:\Users>cd John                                                                
                                                                                
C:\Users\John>

Answer: Cmd #1 at 0x1f78b0: echo THM{[REDACTED]} > test.txt
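The following is an added example, not part of the original write-up: a parser that turns the consoles plugin's text output into structured records, so command history can go into a timeline and any file a command redirected output into can be followed up. The sample is an excerpt of the output above with the flag still redacted; the function names are this example's own.

```python
import re

# Excerpt of the consoles output shown above; the flag stays redacted.
SAMPLE = r"""ConsoleProcess: conhost.exe Pid: 2488
AttachedProcess: cmd.exe Pid: 1920 Handle: 0x60
CommandHistory: 0x21e9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 7 LastAdded: 6 LastDisplayed: 6
Cmd #0 at 0x1fe3a0: cd /
Cmd #1 at 0x1f78b0: echo THM{[REDACTED]} > test.txt
Cmd #2 at 0x21dcf0: cls
Cmd #3 at 0x1fe3c0: cd /Users
Cmd #4 at 0x1fe3e0: cd /John
Cmd #5 at 0x21db30: dir
Cmd #6 at 0x1fe400: cd John
Screen 0x200f70 X:80 Y:300
Dump:
C:\Users>cd John
"""

HEADER = re.compile(r"^ConsoleProcess: (\S+) Pid: (\d+)$")
ATTACHED = re.compile(r"^AttachedProcess: (\S+) Pid: (\d+)")
COUNT = re.compile(r"^CommandCount: (\d+)")
CMD = re.compile(r"^Cmd #(\d+) at (0x[0-9a-f]+): (.*)$")
REDIRECT = re.compile(r">{1,2}\s*(\S+)")

def parse_consoles(text):
    """Return one dict per console: host process, attached processes, history."""
    consoles = []
    for line in map(str.rstrip, text.splitlines()):
        if m := HEADER.match(line):
            consoles.append({"host": m[1], "host_pid": int(m[2]),
                             "attached": [], "expected": 0, "commands": []})
        elif not consoles:
            continue  # ignore anything before the first console header
        elif m := ATTACHED.match(line):
            consoles[-1]["attached"].append((m[1], int(m[2])))
        elif m := COUNT.match(line):
            consoles[-1]["expected"] += int(m[1])
        elif m := CMD.match(line):
            consoles[-1]["commands"].append((int(m[1]), m[2], m[3]))
    return consoles

def files_written(console):
    """Targets of > and >> redirections: files to look for in the image."""
    return [m[1] for _, _, cmd in console["commands"] if (m := REDIRECT.search(cmd))]

def history_complete(console):
    """True when every command announced by CommandCount was recovered."""
    return len(console["commands"]) == console["expected"]
```

Only lines starting with "Cmd #" are treated as history, so prompts in the screen dump such as C:\> are never mistaken for redirections.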

Task 4 TrueCrypt

A common task of forensic investigators is looking for hidden partitions and encrypted files, as suspicion arose when TrueCrypt was found on the suspect's machine and an encrypted partition was found. The interrogation did not yield any success in getting the passphrase from the suspect, however, it may be present in the memory dump obtained from the suspect's computer.

What is the TrueCrypt passphrase?

Ok, so Volatility has some TrueCrypt plugins:

	truecryptmaster	Recover TrueCrypt 7.1a Master Keys
	truecryptpassphrase	TrueCrypt Cached Passphrase Finder
	truecryptsummary	TrueCrypt Summary

So let's double check the profile and try truecryptpassphrase

╰─○ sudo volatility -f Snapshot14.vmem imageinfo                                 
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/tony/Downloads/Snapshot14.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c4d0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c4ed00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-12-27 13:41:31 UTC+0000
     Image local date and time : 2020-12-27 05:41:31 -0800

Ok, so we should be good with the same profile, onto the passphrase...

╰─○ sudo volatility -f Snapshot14.vmem truecryptpassphrase --profile Win7SP1x64
Volatility Foundation Volatility Framework 2.6
Found at 0xfffff8800512bee4 length 11: [REDACTED]

Answer: Found at 0xfffff8800512bee4 length 11: [REDACTED]

Done

A nice little room to brush up on memory forensics.