TryHackMe — Analysing Volatile Memory — Writeup

embossdotar
4 min read, May 3, 2024

Key points: Volatile Memory | PageFile | Crash dump | Windows Forensics | hiberfil.sys | pagefile.sys | vol.exe | Reliability Monitor | WinDbg | FTK Imager | Bulk Extractor | Process Environment Block | PEB | Hibernation Recon | PowerShell.
Analysing Volatile Memory by awesome TryHackMe! 🎉

Hi All.
First, a quick introduction: the mentioned Room is a Premium one.
It is worth considering becoming a premium user; more info here: https://tryhackme.com/why-subscribe

It would be great for you to be more familiar with these topics, so please visit the Room https://tryhackme.com/r/room/analysingvolatilememory to get more details. ✨ I encourage you to do the tasks on your own.

These tasks are well prepared, so I will try not to repeat the content. Everything you need is there, but I want to share some additional helpful resources.

Tip: if you get stuck on a task, take your time and don't hurry. Get more familiar with the mentioned tools, repeat the steps, and so on.

Task 1 — Introduction

Get ready! 🚀

Task 2 — Lab Connection

Q: Connect to the Lab. How many tools are present in the EZ tools folder on the Desktop?
A: 12

Task 3 — Managing Volatile Data — An Overview

Q: What is the default page size (in KB) in most operating systems?
A: 4

Q: What is the name of the hibernation file?
A: hiberfil.sys

Q: Which file is considered an extension of the RAM?
A: pagefile.sys

Additional sources:
https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/introduction-to-the-page-file

Task 4 — PageFile: Overview

Q: Which Registry Hive contains the information about the pagefile?
A: SYSTEM

Q: Examine the domain histogram. Which domain associated with distributing malware has occurred 192 times? Defang the domain.
A: 3z[.]nu

Q: Check the domain on VirusTotal; What is the verdict about this suspicious-looking domain?
A: malware

Task 5 — Hibernation File

PowerShell view — solution, source: THM — Analysing Volatile Memory

Q: At the time of hibernation, which network scanning tool was running?
A: Wireshark

Q: What is the process ID associated with the network scanning tool?
A: 5604

PowerShell view — solution, source: THM — Analysing Volatile Memory

Q: Examine the command lines executed on this host; which data wiping tool was executed on the host?
A: DiskWipe.exe

Q: What is the full path, from which the data wiping tool was executed?
A: C:\Users\Administrator\Downloads\Tools\DiskWipe.exe

Additional sources:
https://www.wireshark.org/
https://www.diskwipe.org/

Task 6 — Crash Dump: Overview

Q: What is the value of the CrashDumpEnabled field in the Registry?
A: 1

Report ID — solution, source: THM — Analysing Volatile Memory

Q: Examine the Reliability Monitor chart. What is the report ID of the last crash dump?
A: cf3767cb-2cdf-4b9a-b6e1-c222d4fd192d

Crashes view — solution, source: THM — Analysing Volatile Memory

Q: How many times has the system reported critical events in the past?
A: 7

Default path view — solution, source: THM — Analysing Volatile Memory

Q: What is the default path set for placing the crash dump in the settings?
A: %SystemRoot%\MEMORY.DMP

Task 7 — Analysing Crash Dump

Q: Which application was responsible for the first crash?
A: myfault

Process ID — solution, source: THM — Analysing Volatile Memory

Q: What is the process ID associated with a suspicious-looking process called evil.exe?
A: 1970

Q: Which command can be used to find the exact time of the crash?
A: !time

Flag — solution, source: THM — Analysing Volatile Memory

🚩 Flag

Q: One of the variables in PEB contains a secret flag; what is the value of the flag?
A: THM{__ITS_FUN_T0_Learn_at_THM__}

Additional sources:
https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/generate-a-kernel-or-complete-crash-dump
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/crash-dump-files
https://github.com/volatilityfoundation/volatility3
https://github.com/MicrosoftDocs/windows-driver-docs/blob/staging/windows-driver-docs-pr/debugger/getting-started-with-windbg.md
https://www.exterro.com/digital-forensics-software/forensic-toolkit
https://arsenalrecon.com/products/hibernation-recon
https://en.wikipedia.org/wiki/Process_Environment_Block
https://learn.microsoft.com/en-us/powershell/

I hope you enjoyed it! 🍀

#VolatileMemory #PageFile #CrashDump #WindowsForensics #hiberfil.sys #pagefile.sys #vol.exe #ReliabilityMonitor #WinDbg #FTKImager #BulkExtractor #ProcessEnvironmentBlock #PEB #HibernationRecon #PowerShell #writeup #hacking #ITsecurity #THM #TryHackMe

Best wishes,

embossdotar

Security researcher. VDP enthusiast - and similar solutions like bounty https://github.com/mbiesiad