TryHackMe
Forensics — Writeup
This is a memory dump of the compromised system; do some forensics kung-fu to explore the inside.
Task 1: Volatility Forensics
1. Download the victim.zip
2. What is the Operating System of this Dump file? (OS name)
Ans: windows
3. What is the PID of SearchIndexer?
Ans: 2180
4. What is the last directory accessed by the user? (The last folder name as it is.) Search using the date and time.
Use the shellbags command to find the directory:
./volatility -f victim1.raw --profile=Win7SP1x64 shellbags
Ans: Deleted_files
Task 2
1. There are many suspicious open ports; which one is it? (ANSWER format: protocol:port)
The first one's protocol and port is the answer.
Ans: UDP:5005
2. Vads tag and execute protection are strong indicators of malicious processes; can you find which they are? (ANSWER format: Pid1;Pid2;Pid3)
The first three PIDs we found are the answer.
Ans: 1860;1820;2464
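The second question of Task 2 asks for processes with VadS-tagged regions that carry execute protection, which is exactly what the Volatility 2 malfind plugin reports. As an added example (not part of the original writeup, and not Volatility code), the script below parses a constructed sample in the layout of malfind output, keeps only regions that are both VadS and executable, de-duplicates the owning PIDs in first-seen order, and additionally flags regions whose first bytes are an MZ header, since a complete PE image mapped into private memory is a common injection signature. The process names, addresses and hexdump bytes in the sample are made up; only the PIDs are the ones the page names.

```python
import re

# Constructed sample in the layout of Volatility 2 "malfind" output
# (process header, Vad line, Flags line, blank line, hexdump).
# Process names, addresses and bytes are invented; PIDs are from the page.
SAMPLE_MALFIND = """\
Process: svchost.exe Pid: 1860 Address: 0x3e0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x003e0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

Process: svchost.exe Pid: 1860 Address: 0x400000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00400000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Process: explorer.exe Pid: 1820 Address: 0x1c0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x001c0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Process: explorer.exe Pid: 2464 Address: 0x2a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x002a0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
"""

HEADER_RE = re.compile(
    r"^Process:\s+(?P<proc>\S+)\s+Pid:\s+(?P<pid>\d+)\s+Address:\s+(?P<addr>0x[0-9a-fA-F]+)")
VAD_RE = re.compile(r"^Vad Tag:\s+(?P<tag>\S+)\s+Protection:\s+(?P<prot>\S+)")
# One hexdump row: address, then up to 16 two-digit hex pairs, then the ASCII column.
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2} ?){1,16})")


def parse_malfind(text):
    """Return one dict per reported region: proc, pid, addr, tag, prot, first_bytes."""
    regions = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"proc": m["proc"], "pid": int(m["pid"]), "addr": m["addr"],
                       "tag": None, "prot": None, "first_bytes": b""}
            regions.append(current)
            continue
        if current is None:
            continue
        m = VAD_RE.match(line)
        if m:
            current["tag"], current["prot"] = m["tag"], m["prot"]
            continue
        m = HEX_RE.match(line)
        if m and not current["first_bytes"]:
            # Only the first hexdump row is kept: enough to check for an MZ header.
            current["first_bytes"] = bytes.fromhex(m.group(1).replace(" ", ""))
    return regions


def suspicious_pids(regions):
    """PIDs (first-seen order, no duplicates) that own a VadS region with execute protection."""
    pids = []
    for r in regions:
        executable = r["prot"] is not None and "EXECUTE" in r["prot"]
        if r["tag"] == "VadS" and executable and r["pid"] not in pids:
            pids.append(r["pid"])
    return pids


def answer_string(regions):
    """Format the PIDs the way the room asks for them: Pid1;Pid2;Pid3."""
    return ";".join(str(p) for p in suspicious_pids(regions))


def injected_pe_regions(regions):
    """(pid, address) of regions whose first bytes are an MZ header, i.e. a mapped PE image."""
    return [(r["pid"], r["addr"]) for r in regions if r["first_bytes"].startswith(b"MZ")]


if __name__ == "__main__":
    parsed = parse_malfind(SAMPLE_MALFIND)
    print("suspicious PIDs:", answer_string(parsed))
    print("regions starting with MZ:", injected_pe_regions(parsed))
```

To use it on a real dump, redirect the plugin output to a file (for example `./volatility -f victim1.raw --profile=Win7SP1x64 malfind > malfind.txt`) and pass the file contents to `parse_malfind`. The MZ check is a triage aid, not a verdict: a region without an MZ header can still hold injected shellcode, and a legitimate JIT or packer can also map executable private memory.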
Task 3 — IOC Saga
1. 'www.go****.ru' (write the full URL without any quotation marks)
Ans: www.goporn.ru
2. 'www.i****.com' (write the full URL without any quotation marks)
Ans: www.ikaka.com
3. 'www.ic******.com'
Ans: www.icsalabs.com
4. 202.***.233.*** (write the full IP)
Ans: 202.107.233.211
5. ***.200.**.164 (write the full IP)
Ans: 209.200.12.164
6. 209.190.***.***
Ans: 209.190.122.186
7. What is the unique environment variable of PID 2464?
Ans: The answer is highlighted in the picture above.
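Questions 1 to 6 of Task 3 give each indicator as a mask, and the usual way to resolve them is to run `strings` over the image and search for anything that fits the mask. As an added example (not part of the original writeup), the script below turns a mask into a regular expression and looks it up in a constructed sample of `strings` output. It assumes, as the six answers on the page bear out, that every asterisk hides exactly one letter or digit; the sample strings around the indicators are invented.

```python
import re

# Constructed sample in the style of `strings` output from a memory image.
# The six indicators are the ones the page names; everything else is made up.
SAMPLE_STRINGS = """\
Software\\Microsoft\\Windows\\CurrentVersion\\Run
http://www.goporn.ru/index.php
GET / HTTP/1.1
Host: www.ikaka.com
http://www.icsalabs.com/
Connecting to 202.107.233.211:80
209.200.12.164
209.190.122.186
www.google.com
"""

# The masks exactly as the room states them.
MASKS = [
    "www.go****.ru",
    "www.i****.com",
    "www.ic******.com",
    "202.***.233.***",
    "***.200.**.164",
    "209.190.***.***",
]


def mask_to_regex(mask):
    """Each '*' stands for exactly one letter or digit (assumption); every other
    character is literal.  Lookarounds stop 'www.go****.ru' from matching inside
    a longer host name such as 'xwww.goporn.ru.example'."""
    body = "".join(r"[A-Za-z0-9]" if ch == "*" else re.escape(ch) for ch in mask)
    return re.compile(r"(?<![A-Za-z0-9.])" + body + r"(?![A-Za-z0-9.])")


def resolve_masks(masks, text):
    """Map each mask to the first string in `text` that fits it, or None if nothing does."""
    resolved = {}
    for mask in masks:
        match = mask_to_regex(mask).search(text)
        resolved[mask] = match.group(0) if match else None
    return resolved


def resolve_all(masks, text):
    """All distinct strings fitting each mask, useful when a mask is ambiguous in a real dump."""
    return {mask: sorted(set(mask_to_regex(mask).findall(text))) for mask in masks}


if __name__ == "__main__":
    for mask, value in resolve_masks(MASKS, SAMPLE_STRINGS).items():
        print(f"{mask:20} -> {value}")
```

On a real image the input would be the output of `strings victim1.raw` (or of Volatility's own string-scanning plugins), and `resolve_all` is the function to look at first: a short mask such as `209.190.***.***` can fit more than one candidate in a large dump, and each hit still has to be tied back to the process that held it before it is reported as an indicator.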
Thank you for reading! Happy hacking!
Author — Karthikeyan N | Cyberw1ng