Part 1: Forensic memory analysis using Volatility 3
Activity 1: Identifying OS Information
Dump analysis begins by determining the OS profile: you need to know which operating system was in use before going further with the investigation. The -f flag specifies the memory dump file, followed by the plugin to run, in this case windows.info.
- Copy the folder “MemoryForensics” into the virtual machine desktop.
- Open the terminal and ensure volatility is installed.
- Once installed, copy the “stuxtnet” folder from the “MemoryForensic” directory into the “volatility3” directory.
- Next, navigate into the volatility3 directory in your terminal and use the following command (the windows.info plugin) to obtain the OS information.
Questions:
- What is the operating system of the dumped machine?
Answer: Windows XP SP3
- What was the system date and time of the dumped machine? (Answer format: YYYY-MM-DD HH:MM:SS, timestamp in UTC)
Answer: 2011-06-03 04:31:36
Walkthrough:
Looking through the windows.info output, we learned that the machine’s operating system is Windows XP SP3, along with other information such as the system time, which was 2011-06-03 04:31:26.
Activity 2: Identifying Malicious Processes
When a system is active, multiple processes run in the background, and their structures can be found in volatile memory. This includes hidden processes, which can be parsed from a memory dump, and processes that terminated shortly before the dump was taken. Looking at the running processes of a device is a good way to identify any malware that may be running on it. Below are a few Volatility 3 plugins that can be used to analyse running processes.
pslist
Use this plugin to list the process names and check whether anything stands out; a quick web search for an unfamiliar name helps to decide whether it is legitimate or needs further attention.
pstree
Use this plugin to see which process spawned which. It makes suspicious activity easier to spot, because you can see what launched a process (e.g. ‘explorer.exe’ or ‘services.exe’) and judge whether that parent is legitimate. pstree is a good way to spot malware masquerading as legitimate Windows processes: core Windows processes always run from fixed locations on disk, and each has an expected parent process.
Questions:
- How many lsass.exe processes are running?
Answer: 3
- What is the difference between PID and PPID?
Answer: PID is the process ID number; PPID is the parent process ID number.
- List the PIDs of these lsass.exe processes.
Answer: 680, 868, 1928
- State the timestamp of PPID 624. (Answer format: YYYY-MM-DD HH:MM:SS, timestamp in UTC)
Answer: 2010-10-29 17:08:54
- How many running processes were kicked off by services.exe?
Answer: 2
Walkthrough:
Looking through the pslist output, there are 3 lsass.exe processes running on the system. You can use the pstree command to identify the parent-child relationships between processes.
Looking through the pstree output, two lsass.exe processes were started by services.exe, whereas normally there is a single instance. Process 1928 is suspicious because lsass.exe must be a child of winlogon.exe. In pstree the ‘PID’ column is sorted by each process and its child processes; to make the hierarchy clearer, each child process gets a ‘*’ prefix before its PID, and each further level of nesting adds another ‘*’.
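The parent check described above, as an added example that is not part of the lab: it parses constructed windows.pslist output (trimmed to its first columns) and flags lsass.exe instances whose parent is not winlogon.exe. PIDs 624, 680, 868 and 1928 follow the lab; PID 668 for services.exe and the timestamps of the two extra lsass.exe entries are assumed.

```python
"""Spot lsass.exe instances with the wrong parent in windows.pslist output."""

# Constructed sample of Volatility 3 windows.pslist output, trimmed to the
# first columns (PID, PPID, ImageFileName, CreateTime). PIDs 624, 680, 868 and
# 1928 follow the lab; PID 668 for services.exe and the 2011 timestamps are
# assumed values.
SAMPLE_PSLIST = """\
Volatility 3 Framework 2.4.1
PID\tPPID\tImageFileName\tCreateTime
4\t0\tSystem\tN/A
624\t500\twinlogon.exe\t2010-10-29 17:08:54.000000
668\t624\tservices.exe\t2010-10-29 17:08:54.000000
680\t624\tlsass.exe\t2010-10-29 17:08:54.000000
868\t668\tlsass.exe\t2011-06-03 04:26:55.000000
1928\t668\tlsass.exe\t2011-06-03 04:26:55.000000
"""

# Expected parent image for core processes on the Windows XP layout used here.
EXPECTED_PARENT = {"lsass.exe": "winlogon.exe", "services.exe": "winlogon.exe"}


def parse_pslist(text):
    """Return {pid: (ppid, image_name)}; banner and header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs


def count_image(procs, name):
    """Number of processes whose image name matches (case-insensitive)."""
    return sum(1 for _, img in procs.values() if img.lower() == name.lower())


def suspicious_parents(procs):
    """(pid, name, ppid, parent_name) for processes whose parent is not the
    expected one; a parent missing from the list (exited or hidden) counts too."""
    findings = []
    for pid, (ppid, name) in procs.items():
        want = EXPECTED_PARENT.get(name.lower())
        if want is None:
            continue
        parent_name = procs.get(ppid, (None, "<not in list>"))[1]
        if parent_name.lower() != want:
            findings.append((pid, name, ppid, parent_name))
    return findings


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("lsass.exe instances:", count_image(procs, "lsass.exe"))
    for pid, name, ppid, parent in suspicious_parents(procs):
        print(f"PID {pid} {name}: parent {ppid} ({parent}), expected {EXPECTED_PARENT[name.lower()]}")
```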
Activity 3: Searching for malware signatures
The malfind plugin displays a list of processes that Volatility suspects may contain hidden or injected code. It looks for suspicious VAD regions in a process based on the region’s header bytes (shown in hex), its memory permissions, and a disassembly of the extracted bytes. The following command in Volatility 3 (windows.malfind, filtered to a single PID) can be used to look for possible injected code.
Questions:
- Does the ‘malfind’ command for PID 680 produce any output?
Answer: No
- List the suspicious VAD memory regions of PID 1928.
Answer: 0x80000 0xf9fff, 0x1000000 0x1005ff, 0x870000 0x9a7fff
- How many suspicious VAD memory regions does PID 868 have?
Answer: 2
Walkthrough:
Looking through the “malfind” output for PID 680, no output was found.
Looking through the “malfind” output for PID 1928, 3 suspicious VAD memory regions were found. The VAD memory regions are marked in red above.
Looking through the “malfind” output for PID 868, 3 suspicious VAD memory regions were found.
Part 2: Extracting Files using Volatility 3
Activity 1: Extracting database and password from memory dump
- Copy the “Lab2” folder from the “MemoryForensic” directory into the “volatility3” directory.
- Next, navigate into the volatility3 directory in your terminal and start analysing the machine dump by obtaining the OS information.
Questions:
- What is the OS version of the machine dump?
Answer: Windows 7 SP1
- State the year the dump was created.
Answer: 2019
Walkthrough:
- Identify the active running processes using the pslist command. (Hint: look for a running process related to a password manager.)
Question:
- What is the file name and PID of the password manager process?
Answer: KeePass.exe (3008)
Walkthrough:
- Run the following command (the windows.filescan plugin) to locate the database file of the password manager within the memory dump. (Hint: …UsersSmartNetSecretsHidden.xxxx)
Questions:
- What is the database extension of the password manager?
Answer: .kdbx
- What is the offset address of the database file?
Answer: 0x3fb112a0
Walkthrough:
- Next, extract the database file using the command below into a new directory of your choice.
- Subsequently, use the filescan command below to find files related to the password (Hint: it is a .png file).
Questions:
- What is the filename of the .png file?
Answer: Password.png
- What is the offset address of this file?
Answer: 0x3fce1c70
Walkthrough:
- Similarly, use the command in step 5 to extract the .png file and open it to obtain the password.
Question:
- What is the password written on the .png file?
Answer: P4SSw0rd_123
Walkthrough:
- Open the database extracted in step 5 using the relevant password manager programme (search the web for installation guidance). When opened, you will be prompted to enter the password. Enter the password extracted in step 7 to unlock the flag.
Question:
- What is the hidden message in the flag?
Answer: flag{w0w_th1s_1s_Th3_SeC0nD_ST4g3_!!}
Walkthrough:
With the password obtained from the Password.png file, open the database using the KeePass2 software. For guidance on how to install KeePass2 on Kali Linux, refer here.
Upon unlocking the database, navigate to the “Recycle Bin” folder, where you will come across the entry with username Flag.
Right-click the entry with username “Flag” to copy its password, then paste it into a notepad file to read the hidden message in the flag.
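The filescan and extraction steps of this activity, as an added example that is not the lab’s own code: it parses constructed windows.filescan output, picks out the .kdbx and .png entries under a path hint, and builds the matching windows.dumpfiles commands (filescan reports physical offsets, so dumpfiles is given --physaddr). The two offsets are the lab’s answers; the file names, sizes, dump file name and output directory are assumed.

```python
"""Locate files of interest in windows.filescan output and build the matching
windows.dumpfiles commands."""

# Constructed sample of Volatility 3 windows.filescan output (tab separated).
# The two offsets are the ones from the lab answers; the paths and sizes are
# assumed (the real database name is not given on the page).
SAMPLE_FILESCAN = "\n".join([
    "Offset\tName\tSize",
    "0x3f8a0120\t\\Windows\\System32\\ntdll.dll\t0x1f000",
    "0x3fb112a0\t\\Users\\SmartNet\\Secrets\\Database.kdbx\t0x600",
    "0x3fce1c70\t\\Users\\SmartNet\\Secrets\\Password.png\t0x2a00",
    "0x3fd01ef0\t\\Users\\SmartNet\\Secrets\\notes.txt\t0x40",
])


def parse_filescan(text):
    """Return [(physical_offset, path)] and skip the header line."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2 or not parts[0].startswith("0x"):
            continue
        rows.append((int(parts[0], 16), parts[1]))
    return rows


def find_files(rows, extensions, path_hint=None):
    """Keep paths ending in one of `extensions` (case-insensitive) and, if
    given, containing `path_hint`; KeePass databases use .kdbx."""
    exts = tuple(e.lower() for e in extensions)
    return [(off, path) for off, path in rows
            if path.lower().endswith(exts)
            and (path_hint is None or path_hint.lower() in path.lower())]


def dumpfiles_cmd(dump, offset, outdir):
    """filescan reports physical offsets, so dumpfiles is given --physaddr."""
    return (f"python3 vol.py -f {dump} -o {outdir} "
            f"windows.dumpfiles --physaddr {offset:#x}")


if __name__ == "__main__":
    rows = parse_filescan(SAMPLE_FILESCAN)
    # "Lab2/memdump.mem" and "extracted" are placeholder dump/output names.
    for off, path in find_files(rows, (".kdbx", ".png"), "\\Users\\SmartNet"):
        print(f"{off:#x}  {path}")
        print("   ", dumpfiles_cmd("Lab2/memdump.mem", off, "extracted"))
```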