
Task 1: Volatility Forensics
The provided file is a memory dump of an infected system. Download the attached file to begin your analysis. For this lab, we are using Volatility version 2 for analysis.
Question 1: What is the Operating System of this Dump File?
To determine the operating system of the memory dump, we can use the imageinfo or kdbgscan plugins. Both help identify the OS profile for the dump file.
vol2.py -f victim.raw imageinfo
vol2.py -f victim.raw kdbgscan
Both commands revealed that the dump corresponds to a Windows 7 SP1 64-bit (Win7SP1x64) system.
Question 2: What is the PID of SearchIndexer?
To identify the PID of the SearchIndexer process, we can examine the list of processes using various plugins. The relevant ones for listing processes include:
volatility --profile=PROFILE pstree -f file.dmp # Get process tree (not hidden)
volatility --profile=PROFILE pslist -f file.dmp # Get process list (EPROCESS)
volatility --profile=PROFILE psscan -f file.dmp # Get hidden processes (malware)
volatility --profile=PROFILE psxview -f file.dmp # Get hidden processes
In this case, the hint suggests examining terminated or hidden processes, so the psxview plugin, which cross-references several process enumeration methods (pslist, psscan, thread, handle and session scans) and shows where they disagree, is the one to use to identify the PID of SearchIndexer.
vol2.py -f victim.raw --profile=Win7SP1x64 psxview
From the output, we can find the SearchIndexer process with PID 2180.
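Reading psxview by eye works for one process, but the value of the plugin is in the disagreements between its columns. The following added example (not code from the original post) parses output shaped like Volatility 2's psxview table and sorts each process into a triage category: fully visible, terminated (unlinked but still carved from pool memory by psscan, which is how an exited SearchIndexer still shows up), a hidden candidate (running, yet missing from the list pslist walks), or merely partial (columns such as csrss are legitimately False for smss.exe). The sample table is constructed for the example and is not output from victim.raw; the column layout is assumed to match Volatility 2.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample shaped like Volatility 2 psxview output; it is NOT output from victim.raw.
# Columns: Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
SAMPLE_PSXVIEW = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000003e0c8b30 explorer.exe           1464 True   True   True     True   True  True    True
0x000000003e2a1060 smss.exe                252 True   True   True     True   False False   False
0x000000003e5a8b30 SearchIndexer.exe      2180 False  True   False    False  False False   False    2020-01-01 00:00:00 UTC+0000
0x000000003f1b2040 updater.exe            3120 False  True   True     True   True  True    True
"""

# The seven enumeration methods psxview cross-references, in column order
SOURCES = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")


@dataclass
class PsxRow:
    offset: str
    name: str
    pid: int
    seen: Dict[str, bool]      # which enumeration methods found the process
    exit_time: Optional[str]   # set only for processes that have exited


def parse_psxview(text: str) -> List[PsxRow]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # data rows start with a physical offset; header and separator lines do not
        if len(parts) < 10 or not parts[0].startswith("0x"):
            continue
        seen = {src: parts[3 + i] == "True" for i, src in enumerate(SOURCES)}
        exit_time = " ".join(parts[10:]) or None
        rows.append(PsxRow(parts[0], parts[1], int(parts[2]), seen, exit_time))
    return rows


def classify(row: PsxRow) -> str:
    if all(row.seen.values()):
        return "visible"
    if row.exit_time:
        # Exited: the EPROCESS is unlinked from the active lists but still sits in pool
        # memory, so psscan (pool-tag carving) finds it. Expected, not by itself malicious.
        return "terminated"
    if not row.seen["pslist"] and row.seen["psscan"]:
        # Running (no exit time) yet unlinked from the list pslist walks: the pattern
        # left by DKOM-style hiding, so it goes to the top of the triage queue.
        return "hidden-candidate"
    # Some columns are legitimately False, e.g. smss.exe is not tracked by csrss
    return "partial"


def triage(text: str) -> Dict[int, tuple]:
    """Map PID -> (name, category) for every row in a psxview table."""
    return {r.pid: (r.name, classify(r)) for r in parse_psxview(text)}


def pids_named(rows: List[PsxRow], name: str) -> List[int]:
    return [r.pid for r in rows if r.name.lower() == name.lower()]


if __name__ == "__main__":
    for pid, (name, verdict) in sorted(triage(SAMPLE_PSXVIEW).items()):
        print(f"{pid:>6} {name:<20} {verdict}")
```

On the sample, SearchIndexer.exe (PID 2180) lands in "terminated" because of its ExitTime, while the constructed updater.exe row, running but absent from pslist, is the one an analyst would open first.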
Question 3: What is the last directory accessed by the user?
To identify the last directory accessed by the user, the hint refers to searching for “a bag full of shells in your backyard.” This suggests using the shellbags plugin.
vol2.py -f victim.raw --profile=Win7SP1x64 shellbags
The shellbags plugin recovers recently accessed directories and files from the Windows registry. From its output, the last accessed directory is deleted_files.
Task 2
Dig a little more…
Question 4: There are many suspicious open ports; which one is it? (ANSWER format: protocol:port)
To identify suspicious open ports, we can use the netscan plugin to check for network connections.
vol2.py -f victim.raw --profile=Win7SP1x64 netscan
From the output, we can identify that the suspicious open port is tcp:5005.
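"Suspicious" in netscan output means a listener or connection that a known-good build of the host would not have. The following added example (not code from the original post) parses output shaped like Volatility 2's netscan table, compares every listening socket against a hypothetical baseline of expected port-to-owner pairs, and flags established connections to hosts outside the private ranges. The sample table and the baseline are constructed for the example; the column layout, including the empty State column on UDP rows, is assumed to match Volatility 2.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample shaped like Volatility 2 netscan output; NOT output from victim.raw.
# Columns: Offset(P) Proto Local Address Foreign Address State Pid Owner Created
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e0e8a10         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        704      svchost.exe
0x3e1c2b20         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x3e2d4c30         TCPv4    0.0.0.0:5005                   0.0.0.0:0            LISTENING        3120     updater.exe
0x3e3f5d40         TCPv4    10.0.0.5:49201                 203.0.113.7:5005     ESTABLISHED      3120     updater.exe
0x3e4a6e50         UDPv4    0.0.0.0:5355                   *:*                                   1084     svchost.exe    2020-01-01 00:00:00 UTC+0000
0x3e5b7f60         TCPv6    :::3389                        :::0                 LISTENING        1320     svchost.exe
"""

# Hypothetical baseline: listening port -> owning process expected on this host.
# Build the real one from a known-good image of the same build.
BASELINE_LISTENERS: Dict[int, str] = {135: "svchost.exe", 445: "System", 3389: "svchost.exe", 5355: "svchost.exe"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_netscan(text: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 6 or not p[0].startswith("0x"):
            continue  # header line
        proto = p[1]
        if proto.startswith("UDP"):       # UDP sockets carry no State column
            state, pid, owner = "", p[4], p[5]
        else:
            state, pid, owner = p[4], p[5], p[6]
        rows.append({"proto": proto.lower()[:3], "local": p[2], "foreign": p[3],
                     "state": state, "pid": int(pid), "owner": owner})
    return rows


def port_of(addr: str) -> int:
    """'0.0.0.0:5005' -> 5005, ':::3389' -> 3389 (split on the last colon)."""
    return int(addr.rsplit(":", 1)[1])


def host_of(addr: str) -> str:
    return addr.rsplit(":", 1)[0]


def is_internal(host: str) -> bool:
    try:
        a = ipaddress.ip_address(host)
    except ValueError:
        return True  # not an address literal (e.g. '*'); nothing to flag
    return a.is_loopback or a.is_link_local or any(a in net for net in RFC1918)


def suspicious_sockets(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (label, pid, owner, reason) for sockets that fall outside the baseline."""
    findings = []
    for r in parse_netscan(text):
        port = port_of(r["local"])
        if r["state"] == "LISTENING" or r["proto"] == "udp":
            expected = BASELINE_LISTENERS.get(port)
            if expected is None or expected.lower() != r["owner"].lower():
                # label already in the question's protocol:port answer format
                findings.append((f"{r['proto']}:{port}", r["pid"], r["owner"], "listener not in baseline"))
        elif r["state"] == "ESTABLISHED" and not is_internal(host_of(r["foreign"])):
            findings.append((f"{r['proto']} {r['local']} -> {r['foreign']}", r["pid"], r["owner"],
                             "established to external host"))
    return findings


if __name__ == "__main__":
    for label, pid, owner, reason in suspicious_sockets(SAMPLE_NETSCAN):
        print(f"{label:<45} pid={pid:<6} {owner:<15} {reason}")
```

The two findings share a PID, which is the kind of pivot that makes the port worth carrying into the process-level analysis that follows.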
Question 5: Vads tag and execute protection are strong indicators of malicious processes; can you find which they are? (ANSWER format: Pid1;Pid2;Pid3)
This question asks us to find the malicious processes. I was fairly sure Volatility has a plugin for this, and a quick search confirmed it: the malfind plugin looks for memory regions whose VAD tag and executable protection match the indicators named in the question, so we can use it to identify the suspicious processes.
vol2.py -f victim.raw --profile=Win7SP1x64 malfind | grep Process:
The output reveals that the malicious processes are associated with PIDs 1860, 1820, and 2464.
Task 3: IOC SAGA
In the previous task, we identified malicious processes. Now, let’s dig deeper into these processes and extract Indicators of Compromise (IOCs). You will need to find these IOCs and fill in the blanks. For better analysis, we’ll start by extracting memory dumps from the identified malicious processes.
vol2.py -f victim.raw --profile=Win7SP1x64 memdump --pid=1860 --dump-dir=./
vol2.py -f victim.raw --profile=Win7SP1x64 memdump --pid=1820 --dump-dir=./
vol2.py -f victim.raw --profile=Win7SP1x64 memdump --pid=2464 --dump-dir=./
Now, let’s answer the IOC-related questions.
We can obtain all domains by running the following command:
strings -n 8 1820.dmp 1860.dmp 2464.dmp | grep -Eo 'www\.go[^.]*\.ru|www\.i[^.]*\.com|www\.ic[^.]*\.com'
This command will extract domain names associated with the identified processes.
Question 6: ‘www.go****.ru’ (write full URL without any quotation marks)
Question 7: ‘www.i****.com’ (write full URL without any quotation marks)
Question 8: ‘www.ic******.com’
For the IP addresses, we can use the following command:
strings -n 8 1820.dmp 1860.dmp 2464.dmp | grep -Eo '202\.[0-9]{1,3}\.233\.[0-9]{1,3}|[0-9]{1,3}\.200\.[0-9]{1,3}\.164|209\.190\.[0-9]{1,3}\.[0-9]{1,3}'
Question 9: 202.*.233.* (Write full IP)
Question 10: *.200.*.164 (Write full IP)
Question 11: 209.190.*.*
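The two strings | grep pipelines above are tuned to the known answer masks. As an added example (not code from the original post, and it goes beyond the post's pipelines), the script below does the general version of that IOC sweep over a process dump: it pulls printable runs the way `strings -n 8` does, additionally picks up UTF-16LE strings (which `strings` without `-el` misses, and Windows process memory is full of them), then extracts domain names against a TLD allowlist and IPv4 addresses that validate and are not in RFC 1918 or loopback/link-local/multicast space. The dump bytes, the TLD allowlist and the domain and address values are constructed for the example; the real answers come only from the 1820/1860/2464 dumps.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set

MIN_LEN = 8  # same threshold as `strings -n 8`

# Hypothetical allowlist of TLDs to accept; extend it for the case at hand.
TLDS = {"com", "net", "org", "ru", "info", "biz", "io", "su"}

# Addresses that are never an external IOC. (ipaddress.is_private would also drop the
# RFC 5737 documentation ranges used in the sample, so the list is explicit here.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]{1,63}\.)+([a-z]{2,}))\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed memory-dump fragment; NOT content of the real process dumps.
SAMPLE_DUMP = b"\x00\x00".join([
    b"MZ\x90\x00\x03",                                    # PE header fragment, too short to be a string
    b"GET /gate.php HTTP/1.1\r\nHost: www.example-c2.net\r\n",
    b"connect 203.0.113.7:5005",
    "www.update-mirror.org".encode("utf-16-le"),          # wide string, invisible to plain `strings`
    b"192.168.1.5",                                       # RFC 1918, filtered as internal
    b"999.1.1.1",                                         # octet out of range, not an address
    b"short",                                             # below the 8-character threshold
    "198.51.100.23".encode("utf-16-le"),
])


def printable_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """ASCII runs (what `strings -n N` prints) plus UTF-16LE runs (what `strings -el` prints)."""
    ascii_pat = rb"[\x20-\x7e]{%d,}" % min_len
    wide_pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.group().decode("ascii") for m in re.finditer(ascii_pat, data)]
    found += [m.group().decode("utf-16-le") for m in re.finditer(wide_pat, data)]
    return found


def is_external_ip(text: str) -> bool:
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False  # e.g. 999.1.1.1: matches the regex shape but is not an address
    return not any(addr in net for net in INTERNAL_NETS)


def extract_iocs(data: bytes) -> Dict[str, List[str]]:
    domains: Set[str] = set()
    ips: Set[str] = set()
    for s in printable_strings(data):
        for m in DOMAIN_RE.finditer(s):
            if m.group(2).lower() in TLDS:   # drops file names such as gate.php
                domains.add(m.group(1).lower())
        for m in IPV4_RE.finditer(s):
            if is_external_ip(m.group()):
                ips.add(m.group())
    return {"domains": sorted(domains), "ips": sorted(ips)}


def iocs_from_files(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Run the sweep over memdump output files, e.g. iocs_from_files(['1820.dmp', '1860.dmp', '2464.dmp'])."""
    chunks = []
    for path in paths:
        with open(path, "rb") as fh:
            chunks.append(fh.read())
    return extract_iocs(b"".join(chunks))


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_DUMP).items():
        print(kind, values)
```

Candidate lists produced this way still need the same judgement the grep output did: a domain in memory may be an update server or a browser artifact rather than command and control, so each hit is confirmed against the process that owned the page and the connection records from netscan.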
Question 12: What is the unique environmental variable of PID 2464?
We can use the envars plugin with the -p flag to list the environment variables of a single process; passing -p 2464 gives us the variables of that PID, and the one that does not appear in the other processes is the answer.
vol2.py -f victim.raw --profile=Win7SP1x64 envars -p 2464
Conclusion
Through the use of Volatility plugins, we successfully analyzed the memory dump of a compromised Windows system, identifying key indicators of compromise, including suspicious processes, open ports, and domains. By leveraging memory analysis tools, we were able to extract crucial information, contributing to a deeper understanding of the attack and its impact.
© EveSunMaple | CC BY-SA 4.0