Advent of Cyber 2022 [Day 11]-Memory Forensics-Not all gifts are nice Write up

Advent of Cyber 2022 [Day 11] Memory Forensics Not all gifts are nice | Task 16 Answers Write-up and Walkthrough By Karthikeyan Nagaraj

Karthikeyan Nagaraj
InfoSec Write-ups


What is Memory Forensics?

  • Memory forensics is the analysis of the volatile memory that is in use when a computer is powered on.
  • Computers use dedicated storage devices called Random Access Memory (RAM) to hold whatever is being worked on at the time. RAM is much faster than disk storage, so it is where the operating system keeps the data and code the machine is actively using. A memory image captures that state: running processes, loaded binaries, network connections and other artifacts that never reach the disk.

Let’s Use Volatility for the Investigation!!

Volatility is a powerful tool used for analyzing memory dumps on Linux, Mac, and Windows systems.

You can download the Volatility tool Here!!

Task 16 — Memory Forensics-Not all gifts are nice

1. What is the Windows version number that the memory image captured?

Note: this initial scan may take up to 10 minutes to complete. Why not grab some water or stretch your legs?

Start by scanning the image for basic information about the system using the command below:

python3 vol.py -f workstation.vmem windows.info

The windows.info plugin reports the basic details recovered from the image, including the Windows version and the kernel build.

We got the Results!

Ans: 10

2. What is the name of the binary/gift that secret Santa left?

python3 vol.py -f workstation.vmem windows.pslist

The windows.pslist plugin in Volatility walks the process list and displays every process recorded in the memory dump, with its PID, parent PID, image name and creation time.

Ans: mysterygift.ex

3. What is the Process ID (PID) of this binary?

The PID was already visible in the pslist output from the previous question!!

Ans: 2040

4. Dump the contents of this binary. How many files are dumped?

Now let's dump the files associated with this PID using the command below:

python3 vol.py -f workstation.vmem windows.dumpfiles --pid 2040

Ans: 16
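As an added example (not code from the write-up or from the Volatility project), here is a small Python helper that parses windows.pslist output, finds the gift by image name, walks its parent chain, lists the processes it spawned, and builds the dumpfiles command for its PID. The pslist output embedded below is constructed: only the image name mysterygift.ex and PID 2040 come from the write-up, and every other PID, parent, offset and timestamp is made up for illustration.

```python
"""Parse Volatility 3 ``windows.pslist`` output and pivot on one process.

Added example; not code from the write-up or from the Volatility project.
The pslist text below is constructed: only the image name ``mysterygift.ex``
and its PID 2040 are taken from the write-up, every other PID, parent,
offset and timestamp is invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    name: str
    create_time: str


# Constructed stand-in for `python3 vol.py -f workstation.vmem windows.pslist`.
# Volatility 3 prints a banner and a progress line, then a tab-separated
# header; every following non-empty line is one process.
SAMPLE_PSLIST = (
    "Volatility 3 Framework 2.4.1\n"
    "Progress:  100.00\t\tPDB scanning finished\n"
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64"
    "\tCreateTime\tExitTime\tFile output\n"
    "\n"
    "4\t0\tSystem\t0xad8c04c67040\t129\t-\tN/A\tFalse\t2022-11-15 11:24:23.000000 \tN/A\tDisabled\n"
    "612\t4\tsmss.exe\t0xad8c07a1a040\t2\t-\tN/A\tFalse\t2022-11-15 11:24:23.000000 \tN/A\tDisabled\n"
    "3180\t3100\texplorer.exe\t0xad8c0b2c1080\t71\t-\t1\tFalse\t2022-11-15 11:25:10.000000 \tN/A\tDisabled\n"
    "2040\t3180\tmysterygift.ex\t0xad8c0c5e4080\t3\t-\t1\tFalse\t2022-11-15 11:31:42.000000 \tN/A\tDisabled\n"
    "2216\t2040\tcmd.exe\t0xad8c0c7f0080\t1\t-\t1\tFalse\t2022-11-15 11:31:44.000000 \tN/A\tDisabled\n"
)


def parse_pslist(text: str) -> List[Process]:
    """Turn pslist output into Process records, skipping banner/progress lines."""
    procs: List[Process] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("PID\tPPID\t"):
            in_table = True  # header reached; process rows follow
            continue
        if not in_table or not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) < 9:
            continue  # defensive: not a well-formed process row
        procs.append(Process(pid=int(cols[0]), ppid=int(cols[1]),
                             name=cols[2], create_time=cols[8].strip()))
    return procs


def find_by_name(procs: List[Process], name: str) -> Optional[Process]:
    """Locate a process by image name. ImageFileName is a short fixed-size
    field in the kernel process structure, so a long binary name can show up
    truncated in pslist; accept a prefix match as well as an exact one."""
    for p in procs:
        if p.name == name or name.startswith(p.name):
            return p
    return None


def children_of(procs: List[Process], pid: int) -> List[Process]:
    """Processes spawned by `pid`, i.e. what the gift did after it ran."""
    return [p for p in procs if p.ppid == pid]


def ancestry(procs: List[Process], pid: int) -> List[str]:
    """Walk parent links upward to show how the process was launched."""
    by_pid: Dict[int, Process] = {p.pid: p for p in procs}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:  # `seen` guards against PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain


def dumpfiles_command(image: str, pid: int) -> str:
    """Build the dumpfiles invocation from the write-up for a given PID."""
    return f"python3 vol.py -f {image} windows.dumpfiles --pid {pid}"


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    gift = find_by_name(procs, "mysterygift.exe")
    print("found:", gift)
    print("ancestry:", " <- ".join(ancestry(procs, gift.pid)))
    print("children:", [c.name for c in children_of(procs, gift.pid)])
    print(dumpfiles_command("workstation.vmem", gift.pid))
```

Feeding the real pslist output into parse_pslist (for example by piping vol.py's stdout into the script) gives the same parent/child view; the parent chain and the children are usually the first things worth checking on a suspicious process, because they show how the binary was launched and whether it spawned a shell or anything else after it ran.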

Thank you for Reading!!

Happy Hacking ~

Author : Karthikeyan Nagaraj ~ Cyberw1ng
