Forensics — Memory Analysis with Volatility

Volatility Logo

Recently, I’ve been learning more about memory forensics and the volatility memory analysis tool. To get some more practice, I decided to attempt the free TryHackMe room titled “Forensics”, created by Whiteheart. This article presents my approach for solving this room using Volatility and I have also provided a link to TryHackMe at the end for anyone interested in attempting this room.

Disclaimer

I like to add a brief disclaimer before a writeup to encourage people to attempt the room before reading this article, since there will obviously be spoilers in this writeup. I believe you will enjoy the CTF more if you attempt it yourself first and then come back to this writeup if you get stuck or need a hint. So without any further delay, lets get started!

What is Volatility?

Volatility is an open-source memory forensics framework for incident response and malware analysis. This is a very powerful tool and we can complete lots of interactions with memory dump files, such as:

• List all processes that were running.
• List active and closed network connections.
• View internet history (IE).
• Identify files on the system and retrieve them from the memory dump.
• Read the contents of notepad documents.
• Retrieve commands entered into the Windows Command Prompt (CMD).
• Scan for the presence of malware using YARA rules.
• Retrieve screenshots and clipboard contents.
• Retrieve hashed passwords.
• Retrieve SSL keys and certificates.

If you are interested in learning more, I have provided a link to the Volatility Framework website, the Volatility Framework Github and a Volatility Framework cheatsheet by HackTricks below:

The Volatility Foundation - Open Source Memory Forensics

GitHub - volatilityfoundation/volatility: An advanced memory forensics framework

Volatility - CheatSheet

Task 1: Volatility Forensics

1. What is the Operating System of this Dump file? (OS name)

Volatility needs profiles to work. When we have the memory image file we want to analyze, we first need to use the command see below:

$ volatility -f victim.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/kali/Downloads/Capture-The-Flag/Forensics/victim.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800028420a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002843d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-05-02 18:11:45 UTC+0000
     Image local date and time : 2019-05-02 11:11:45 -0700

Once this command is run, Volatility will identify the system the memory image was taken from, including the operating system, version, and architecture. Volatility will suggest the recommended profile and when running any other command on this memory image we need to provide the profile as well. The suggested profile is Win7SP1x64 and we can therefore say that the OS of this dump file is Windows.

2. What is the PID of SearchIndexer?

We can identify the process ID (PID) of the SearchIndexer process, by using the pslist plugin provided by volatility. We will use the profile Win7SP1x64 identified earlier and specify the pslist plugin, as seen in the command below:

volatility -f victim.raw --profile=Win7SP1x64 pslist

Looking through the output, we can see the SearchIndexer process and it’s PID:

Volatility “pslist” plugin output.

3. What is the last directory accessed by the user? (The last folder name as it is?)

For this question, we are provided a hint which states:

Why don’t you search a bag full of shells in your backyard?

This hint refers to the Shellbags plugin for Volatility. This plugin parses and prints Shellbag (pdf) information obtained from the registry. More information can be found about this plugin using the link below:

MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes

Using this plugin, we can identify files, folders, zip files and installers that existed at one point on the system (even if deleted), as well as there Metadata (timestamps and absolute paths).

volatility -f victim.raw --profile=Win7SP1x64 shellbags

We can look down through the output, and based on the Access Date field, identify the last directory accessed by the user. After some searching, I found the following directory:

Volatility “shellbags” plugin output.

Task 2: Volatility Forensics (Contd.)

4. There are many suspicious open ports; which one is it? (ANSWER format: protocol:port)

We can use the netscan plugin to identify network connections:

volatility -f victim2.raw --profile=Win10x64_17134 netscan

This returns a large number of network connections but it is difficult to identify which ones are suspicious based on this output alone. To narrow down my options, I decided to use the malfind plugin to detect any code injections:

Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation.

volatility -f victim2 --profile=Win7SP1x64 malfind

The output from the malfind plugin may contain false positives. The plugin found 3 malicious PIDs where code injection was detected (i.e. 1860, 1820 and 2464):

Process: explorer.exe Pid: 1860 Address: 0x3ee0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Process: explorer.exe Pid: 1860 Address: 0x3f90000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Process: svchost.exe Pid: 1820 Address: 0x24f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Process: svchost.exe Pid: 1820 Address: 0x4d90000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Process: wmpnetwk.exe Pid: 2464 Address: 0x280000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

Looking back at the output for network connections, I can see a network connection for wmpnetwk.exe (PID 2464), marking it as suspicious and the answer for this question:

Volatility “netscan” plugin output.

5. Vads tag and execute protection are strong indicators of malicious processes; can you find which they are? (ANSWER format: Pid1;Pid2;Pid3)

We have already answered this question while trying to answer question 4 above. We can find the three malicious process IDs (PID) by using the malfind plugin, as seen earlier above.

Task 3: IoC SAGA

Task Description:

In the previous task, you identified malicious processes, so let’s dig into them and find some Indicator of Compromise (IOC). You just need to find them and fill in the blanks (You may search for them on VirusTotal to discover more details).

We identified 3 malicious processes earlier. We can use the memdump plugin to extract everything about the current status of the processes:

volatility -f victim3.raw --profile=Win7SP1x64 memdump -p 2464 -D 2464/

6. ‘www.go****.ru' (write full url without any quotation marks)

7. ‘www.i****.com' (write full url without any quotation marks)

8. ‘www.ic******.com'

We can answer the next three questions by using the strings command and grep command to filter for URLs:

# Question 6
strings 2464.dmp 1860.dmp 1820.dmp | grep "www" | grep "go" | grep "ru"
# Question 7
strings 2464.dmp 1860.dmp 1820.dmp | grep "www.i" | grep "com"
# Question 8
strings 2464.dmp 1860.dmp 1820.dmp | grep "www.ic"

9. 202.***.233.*** (Write full IP)

10. ***.200.**.164 (Write full IP)

11. 209.190.***.***

Similar to above, we can answer the next three questions by using the strings command and grep command to filter for IP addresses:

# Question 9
strings 2464.dmp 1860.dmp 1820.dmp | grep "202." | grep "233."
# Question 10
strings 2464.dmp 1860.dmp 1820.dmp | grep ".200" | grep ".164"
# Question 11
strings 2464.dmp 1860.dmp 1820.dmp | grep "209" | grep ".190"

12. What is the unique environmental variable of PID 2464?

We can use the plugin envars to get the environment variables for PID 2464:

volatility -f ../victim3.raw --profile=Win7SP1x64 envars -f 2464.dmp -p 2464

Looking at the output, we can see a unique environment variable:

Volatility “envars” plugin output.

Closing Remarks

I really enjoyed working through this room and getting the opportunity to learn more about the Volatility open-source memory forensics framework. Thank you for reading till the end and keep hacking 😄!

TryHackMe | Cyber Security Training