Windows Memory Forensics: DumpMe (CyberDefenders)

Ross Andrews
Aug 9, 2023


This write-up is going to be different from my previous ones. For this challenge, we are going to take some time to explain how certain Volatility commands work. The goal is to walk away with a better understanding of how our tools work, not merely how to get the answers. To keep this article from becoming unnecessarily long, certain details are omitted and may be discussed in the follow-on video walk-through.

Question 1 — What is the SHA-1 hash of the memory dump:

Hashing plays a vital role in information security. In forensics, it helps determine whether digital evidence has been corrupted or otherwise manipulated. It does this by taking an input and producing a one-way digest of the original message. SHA-1 (Secure Hash Algorithm 1) produces a 20-byte digest, displayed as hexadecimal. Any alteration to the original data, intentional or not, will therefore produce a different digest. On Linux, the hash of a file is produced by simply running: sha1sum [file].

Question 2 — What profile is the most appropriate for the image:

In the screenshot above, I reference a file called imageinfo.txt. This output comes from running vol imageinfo, and it produces one of the most basic pieces of information required to successfully use Volatility: the image profile.

Profiles are what allow Volatility to make sense of the underlying data structures, algorithms, and symbols of the forensic image. For Windows images, Volatility determines the OS, build number, and service pack by analyzing the kernel debugger data block (KDBG). There is an additional plugin worth noting here: kdbgscan. It prints more information about the KDBG than imageinfo does and can help move the investigation forward if the imageinfo scan fails. The important things to take away from kdbgscan are the PsLoadedModuleList, PsActiveProcessHead, and the OS discovered.

NOTE: it’s important to understand that the information contained in the KDBG can be altered by malware or malicious actors to hinder forensic investigations without impacting the machine’s functionality. Additionally, if the system applied a patch without rebooting, automatic scans might return multiple profiles. If imageinfo fails for whatever reason, use kdbgscan to determine the correct profile by comparing the processes and loaded modules it finds for each candidate. If a candidate profile yields no processes or loaded modules, it’s a safe bet that it’s not the right one.

Questions 3 & 4 — What is the PID of notepad.exe, What is the child process of wscript.exe:

One of the most basic steps in investigating memory is figuring out what processes are running, at what privilege level, and what they are doing. It is also important to understand which processes are normal system functions, where on the file system they normally live, and what the normal parent/child process relationships should be. Volatility ships with a few different methods of listing processes. I will briefly mention three that are found in both Volatility 3 and the older version of Volatility.

For example, csrss.exe is not a malicious process, but it might be suspicious if it is not located in System32. As another example, an svchost.exe process that is not a child of services.exe could be considered suspicious.

Two of the three are essentially the same command: pslist and pstree. The difference is that pslist simply lists the processes, while pstree prints them in a way that makes parent/child relationships easy to discern. Both plugins work by reading and following ActiveProcessLinks, the doubly linked list that connects every active process’s _EPROCESS structure. The downside of these two commands is that they will not show terminated or otherwise hidden processes. We can find our answers by running vol pstree:

NOTE: if we wanted to find hidden or terminated processes, we would need to run psscan. Rather than following the linked list like pslist/pstree, this command scans memory for the Windows executive object _EPROCESS itself, so it also finds structures that are no longer on the list. If we run it against our current memory dump, we will find one terminated process that we didn’t see when we ran pstree.
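To make the difference between the two approaches concrete, here is an added example (not code from the write-up or from Volatility) that models the two techniques on a toy memory buffer. The record layout, pool tag placement, offsets, PIDs and process names are all constructed for the demonstration and are not the real _EPROCESS layout; what is faithful is the mechanism: pslist walks the circular doubly linked list from the head and computes the record start from each LIST_ENTRY pointer, while psscan ignores the list and carves every record that begins with the pool tag, which is why a terminated or unlinked process shows up in one output and not the other.

```python
import struct

# Toy model of the kernel structures pslist and psscan look at. The record layout
# below is an assumption for this example, NOT the real _EPROCESS layout.
POOL_TAG = b"Proc"        # pool tag that precedes _EPROCESS allocations in the kernel pool
HEAD = 0x0                # offset of the list head (stands in for PsActiveProcessHead)
LINKS_OFFSET = 8          # offset of the LIST_ENTRY (ActiveProcessLinks) inside a record
REC = struct.Struct("<4sIII16s")   # tag, pid, flink, blink, image name
MEM_SIZE = 0x1000


def build_memory(procs):
    """Lay out one record per (pid, name) at 0x100, 0x200, ... and link them into a
    circular doubly linked list hanging off HEAD. Pointers address the LIST_ENTRY field
    of the neighbouring record, the same convention the kernel uses."""
    mem = bytearray(MEM_SIZE)
    offsets = [0x100 * (i + 1) for i in range(len(procs))]
    links = [HEAD] + [off + LINKS_OFFSET for off in offsets]
    for i, (off, (pid, name)) in enumerate(zip(offsets, procs)):
        me = i + 1
        flink = links[(me + 1) % len(links)]   # last record points back at the head
        blink = links[me - 1]                  # first record points back at the head
        mem[off:off + REC.size] = REC.pack(POOL_TAG, pid, flink, blink,
                                           name.encode().ljust(16, b"\0"))
    struct.pack_into("<II", mem, HEAD, links[1] if offsets else HEAD, links[-1])
    return mem


def detach(mem, off):
    """Take a record off the list without erasing it. This is what a terminated process
    looks like until its pool memory is reused, and also what a hidden (unlinked) one
    looks like: the structure is still in memory, only the neighbours' pointers changed."""
    _, _, flink, blink, _ = REC.unpack_from(mem, off)
    struct.pack_into("<I", mem, blink, flink)      # prev.flink = my.flink (flink is at +0)
    struct.pack_into("<I", mem, flink + 4, blink)  # next.blink = my.blink (blink is at +4)


def pslist(mem):
    """Walk ActiveProcessLinks from the head, as pslist/pstree do. Anything not on the
    list is invisible. The visited-set guards against a corrupted (looping) list."""
    found, seen = {}, set()
    flink, = struct.unpack_from("<I", mem, HEAD)
    while flink != HEAD and flink not in seen:
        seen.add(flink)
        rec = flink - LINKS_OFFSET   # CONTAINING_RECORD: back from the LIST_ENTRY to the record
        _, pid, flink, _, name = REC.unpack_from(mem, rec)
        found[pid] = name.rstrip(b"\0").decode()
    return found


def psscan(mem):
    """Ignore the list and carve every record that starts with the pool tag, as psscan
    does. Terminated and unlinked records are found as long as their memory has not
    been reused (the real plugin adds sanity checks to weed out false hits)."""
    found = {}
    pos = mem.find(POOL_TAG)
    while pos != -1 and pos + REC.size <= len(mem):
        _, pid, _, _, name = REC.unpack_from(mem, pos)
        found[pid] = name.rstrip(b"\0").decode()
        pos = mem.find(POOL_TAG, pos + 1)
    return found


def demo():
    """Constructed sample: four processes, then the third one is unlinked but left in memory."""
    mem = build_memory([(4, "System"), (372, "smss.exe"),
                        (1234, "wscript.exe"), (5678, "notepad.exe")])
    detach(mem, 0x300)
    listed, scanned = pslist(mem), psscan(mem)
    return listed, scanned, set(scanned) - set(listed)


if __name__ == "__main__":
    listed, scanned, hidden = demo()
    print("pslist:", listed)
    print("psscan:", scanned)
    print("only psscan sees:", hidden)
```

The set difference at the end is the triage step worth remembering: a PID that psscan reports but pslist does not is either a process that exited (normal, check its exit time) or one that something removed from the list, and that needs explaining either way.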

Questions 5,6,16 — What is the IP address of the host and what is the IP of the attacker:

The majority of malware today uses active network connections to exfiltrate data, listen for follow-on commands from a command and control server, download more malware, move laterally, and so on. It’s therefore important to check for network connections associated with suspected malicious processes.

NOTE: if we needed to determine whether a process is associated with network activity, we can check the handles of the process and of its child process (cmd.exe).

Here we can see that the malicious-looking process (PID 3496) appears to be using \Device\Afd\Endpoint, which is a clue that it has networking capabilities. We also see the handle IDs that are shared with its child process (PID 4660).

We can easily list network connections with netscan.

Here we see the host IP:Port in the third column (Local Address) and the attacker IP:Port in the fourth (Foreign Address).
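When netscan returns more than a handful of rows, reading the columns by eye gets error-prone, so here is an added example (my own code, not part of the write-up or of Volatility) that parses netscan-style output and answers the two questions the text is after: which foreign peers the host actually talked to, and which PIDs own those connections. The sample rows, offsets, PIDs, process names and IP addresses below are constructed for the example (the peer address is from a documentation range). The parser handles the two layout quirks that break a naive whitespace split: UDP rows carry no State column, and IPv6 endpoints such as :::445 contain extra colons.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the column layout of Volatility's netscan output.
SAMPLE_NETSCAN = """
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d6e3250         TCPv4    10.0.0.101:49241               203.0.113.5:4444     ESTABLISHED      1234     wscript.exe    2019-03-07 23:07:30 UTC+0000
0x7d6f0a70         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        760      svchost.exe    2019-03-07 22:50:02 UTC+0000
0x7d7120b0         UDPv4    0.0.0.0:5355                   *:*                                   1044     svchost.exe    2019-03-07 22:50:05 UTC+0000
0x7d71c3e0         TCPv6    :::445                         :::0                 LISTENING        4        System         2019-03-07 22:49:58 UTC+0000
0x7d72a110         TCPv4    10.0.0.101:49260               203.0.113.5:4444     CLOSED           2468     cmd.exe        2019-03-07 23:08:11 UTC+0000
"""

NETSCAN_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+"
    r"(?P<proto>(?:TCP|UDP)v[46])\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"          # UDP rows have no State column
    r"(?P<pid>\d+)\s+"
    r"(?P<owner>\S+)"
    r"(?:\s+(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+))?\s*$"
)


def split_endpoint(endpoint):
    """'10.0.0.101:49241' -> ('10.0.0.101', 49241). Splitting on the LAST colon keeps
    IPv6 addresses intact (':::445' -> ('::', 445)); the wildcard '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netscan(text):
    """Return one dict per data row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSCAN_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["pid"] = int(row["pid"])
        row["local_ip"], row["local_port"] = split_endpoint(row["local"])
        row["foreign_ip"], row["foreign_port"] = split_endpoint(row["foreign"])
        rows.append(row)
    return rows


def connections_for(rows, pid):
    """(local, foreign, state) tuples for one process, e.g. the one handles flagged."""
    return [(r["local"], r["foreign"], r["state"]) for r in rows if r["pid"] == pid]


def external_peers(rows):
    """Map each foreign address the host really exchanged traffic with to the PIDs that
    owned the sockets. Wildcard, unspecified (0.0.0.0 / ::) and loopback peers are
    listeners or local chatter, not remote parties, so they are dropped."""
    peers = defaultdict(set)
    for r in rows:
        ip = r["foreign_ip"]
        if ip == "*":
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_unspecified or addr.is_loopback:
            continue
        peers[ip].add(r["pid"])
    return dict(peers)


if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    for ip, pids in external_peers(rows).items():
        print(f"peer {ip} used by PIDs {sorted(pids)}")
    for local, foreign, state in connections_for(rows, 1234):
        print(f"PID 1234: {local} -> {foreign} ({state})")
```

Grouping by foreign address rather than by row is deliberate: in the write-up the parent and its child both talk to the same attacker address, and seeing two PIDs behind one peer is exactly the parent/child link the handles output hinted at.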

Question 7 — How many processes are associated with VCRUNTIME140.dll:

To determine which processes have a specific DLL loaded, we can use dlllist. This command reads the loaded-module lists in each process’s Process Environment Block (PEB) to find this information.

Question 8 — What is the md5 hash of the suspected process:

To dump the suspected process’s executable to disk, we use procdump. All we need to do is give it the PID and an output directory.

Question 9 — What is the LM hash for Bob’s account:

Here we can just use hashdump. Each output line is formatted as user:RID:LM hash:NT hash, so the third field contains the LM hash.

Question 10 & 11 — What are the memory protections for the listed VADs:

Virtual Address Descriptors (VADs) contain information about a process’s memory regions. Among the information potentially stored in VAD structures are the memory protections, which determine the read, write, and/or execute attributes of a given region.

Question 12 — What is the name of the VBS script that was run:

If we check what was run on the command line, we will see that wscript.exe was used to launch the VBS script.

Question 13 — What program ran at 2019–03–07 23:06:58 UTC:

To get the answer here, we need to reference the Application Compatibility Cache, also known as the shimcache. The cache stores file metadata for files that were executed or actively browsed.

Question 14 — What was written in notepad.exe:

Here we can just dump the memory associated with notepad.exe. Once you have dumped the memory, run strings on the output and grep for the flag.

Question 15 — What is the short name for the file at record 59045:

The Windows NTFS file system stores data about every file on the volume in the Master File Table (MFT). We can easily parse the MFT of an image by using the mftparser plugin.

YouTube Walk-through:

