Welcome back guys to another blog on the advent of cyber 2022 with another task. We have covered ten days of AOC. Pretty amazing, right? Now let's do today's task also. Without any further delay, let's move to today's task.
Not all gifts are nice
This task is mainly focusing on memory forensics. What is this? Memory forensics is the analysis of the volatile memory that is in use while a computer is powered on. As you know, volatile memory is erased once the computer is turned off, so it is very important to give priority to capturing volatile memory first. An example of volatile memory is RAM. We can analyse a computer's memory to see what applications (processes) were running, what network connections were being made, and many more useful pieces of information. For example, we can analyse the memory of a computer infected with malware to see what the malware was doing at the time. I saw a very good example in today's tryhackme task. Let's think about cooking. You normally store all of your food in the fridge - a hard drive is this fridge. When you are cooking, you will store ingredients on the kitchen counter so that you can quickly access them, but the kitchen counter (RAM) is much smaller than a fridge (hard drive).
The tool which we are going to use in this task is Volatility. Volatility is an open-source memory forensics toolkit written in Python. Volatility allows us to analyse memory dumps taken from Windows, Linux and Mac OS devices and is an extremely popular tool in memory forensics. Some of its important flags are listed below.
| Option | Description | Example |
| --- | --- | --- |
| -f | This argument is where you provide the name and location of the memory dump that you wish to analyse. | python3 vol.py -f /path/to/my/memorydump.vmem |
| -v | This argument increases the verbosity of Volatility. This is sometimes useful to understand what Volatility is doing in cases of debugging. | python3 vol.py -v |
| -p | This argument allows you to override the default location of where plugins are stored. | python3 vol.py -p /path/to/my/custom/plugins |
| -o | This argument allows you to specify where extracted processes or DLLs are stored. | python3 vol.py -o /output/extracted/files/here |
I will explain the syntax of this tool in today's task. Let's do this.
Question1
We are going to use the windows.info plugin. First of all, change into the volatility3 directory with the cd command.
Our memory dump here is workstation.vmem.
Let's find out the Windows version number. The syntax will be:
python3 vol.py -f workstation.vmem windows.info
Can you see the parameter MajorOperatingSystemVersion? It gives us the major version of Windows, which is 10.
Question2
For this, we are going to use windows.pslist plugin. This plugin lists all of the processes that were running at the time of the capture.
The syntax for this will be:
python3 vol.py -f workstation.vmem windows.pslist
Got so many results. Try to find the gift. Well! I found it.
Question3
The plugin will be windows.psscan, but there is no need to execute any command. You can already see the process ID in the output of the previous question. It is 2040.
Question4
The plugin for this question will be windows.dumpfiles. We also need to specify the PID.
The syntax is:
python3 vol.py -f workstation.vmem windows.dumpfiles --pid 2040
Count the number of files and you will get the answer.
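As an added example (not part of the original post, and not Volatility's own code), the script below shows how to work with the text output of the windows.pslist and windows.dumpfiles steps above: it locates a process by image name, walks its parent chain through PPID links, and counts the files dumped for a PID. The tab-separated column layout is assumed from Volatility 3's default text renderer, and every row, name and offset in the samples is constructed for illustration.

```python
# Constructed sample of "windows.pslist" output. Assumed tab-separated
# columns: PID, PPID, ImageFileName, Offset(V), ... (placeholder rows).
PSLIST_SAMPLE = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0xc5848a084040\t129\t-\tN/A\tFalse\t2022-11-30 10:00:00.000000\tN/A\tDisabled
1120\t1008\texplorer.exe\t0xc5848c4a8080\t64\t-\t1\tFalse\t2022-11-30 10:01:10.000000\tN/A\tDisabled
2040\t1120\tgift.exe\t0xc5848d2f6080\t3\t-\t1\tTrue\t2022-11-30 10:05:42.000000\tN/A\tDisabled
"""

# Constructed sample of "windows.dumpfiles --pid <pid>" output. Assumed
# columns: Cache, FileObject, FileName, Result (placeholder rows).
DUMPFILES_SAMPLE = """\
Cache\tFileObject\tFileName\tResult
DataSectionObject\t0xc5848d3a1230\t\\Users\\Elf\\Downloads\\gift.exe\tOK
ImageSectionObject\t0xc5848d3a1230\t\\Users\\Elf\\Downloads\\gift.exe\tOK
DataSectionObject\t0xc5848d3b5f40\t\\Windows\\System32\\kernel32.dll\tError dumping file
"""

def parse_table(text):
    """Turn tab-separated Volatility text output into a list of row dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]

def find_pids_by_name(pslist_text, name):
    """PIDs of every process whose ImageFileName matches (case-insensitive)."""
    return [int(r["PID"]) for r in parse_table(pslist_text)
            if r["ImageFileName"].lower() == name.lower()]

def parent_chain(pslist_text, pid):
    """Follow PPID links upward; stops when the parent is gone (exited) or a loop appears."""
    by_pid = {int(r["PID"]): r for r in parse_table(pslist_text)}
    chain = []
    while pid in by_pid and pid not in [p for p, _ in chain]:
        chain.append((pid, by_pid[pid]["ImageFileName"]))
        pid = int(by_pid[pid]["PPID"])
    return [name for _, name in chain]

def dumped_file_summary(dumpfiles_text):
    """Count dumpfiles rows overall, those reported OK, and the distinct paths."""
    rows = parse_table(dumpfiles_text)
    ok = sum(1 for r in rows if r["Result"] == "OK")
    return {"total": len(rows), "ok": ok, "files": sorted({r["FileName"] for r in rows})}

if __name__ == "__main__":
    pids = find_pids_by_name(PSLIST_SAMPLE, "gift.exe")
    print("PIDs:", pids, "| parents:", " <- ".join(parent_chain(PSLIST_SAMPLE, pids[0])))
    print("dumped:", dumped_file_summary(DUMPFILES_SAMPLE))
```

Running the same parsing over real plugin output saved with a shell redirect lets you check the PID and file count from the task rather than counting rows by hand.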
Question5
They are recommending you to complete the Digital Forensics and Incident Response module.
Congratulations!! We completed this task. A new task will be added tomorrow. Till then you can follow me here for upcoming blogs on the advent of cyber 2022. In the end, you will get a certificate from tryhackme for completing this challenge.
Keep learning and keep spreading Knowledge.