Class 15: File and Memory Dump Forensics
What are memory dumps?
Memory dumps are created when the host device crashes. When your device crashes and says “gathering some info” it is creating a memory dump and sending it to Microsoft. In the world of cyber security, being able to parse and understand data from memory dumps is a valueable skill to have hence why it was converted into CTF problems.
What tools will we be using?
For this course, we will teach Volatility. There may be other tools, but 99% of writeups on CTF-Time use this tool. You also need to download this file to run Volatility on.
Getting Familiar with volatility
We’re going to start on OtterCTF’s memory forensics challenges in order to get used to using Volatility. Create a quick account and navigate to the memory challenges. You should already have the file on your virtual machine in /JPMC/
House-keeping before we begin
.vmem files are VMWare memory dumps, this is not always the file extension dumps will use. Most times it will be a .dmp file.
These are a few steps you should always take when dealing with a memory-dump file.
volatility -f OtterCTF.vmem imageinfo
This will tell us what the suggested profile is that we should use. The profile is based on what OS volatility thinks made this dump. Take the first one.
What’s the password?
LSADump. Since this is a Windows 7 file, the password may be stored in the machine’s LSA secrets (where passwords to PCs are stored locally sometimes).
volatility -f OtterCTF.vmem --profile=Win7SP1x64 lsadump
General Info
volatility -f OtterCTF.vmem --profile=Win7SP1x64 hivelist
volatility -f OtterCTF.vmem --profile=Win7SP1x64 printkey -o <Insert SYSTEM hive address here> -K 'ControlSet001\Control\ComputerName\ComputerName'
This will allow us to find the computer name. Remember that we use the -K command to specify where in that registry hive we wanted to go. First did ‘ControlSet001’ and followed the menu from there.
General Info 2
volatility -f OtterCTF.vmem --profile=Win7SP1x64 netscan
This will allow us to find any local IP addresses.
Play Time
volatility -f OtterCTF.vmem --profile=Win7SP1x64 netscan
Only process that looked like a game was LunarMS. Look for the ip that doesn’t have the local IP address format
Name Game
volatility -f OtterCTF.vmem --profile=Win7SP1x64 pslist
volatility -f OtterCTF.vmem --profile=Win7SP1x64 memdump -p <LunarMS process ID> -d <directory path you want to dump to>
strings <LunarMS PID>.dmp | grep -a Lunar\-3 -C 1
PSList lists all of the processes that were running when the memory dump was formed. Dumped the memory of the process called LunarMS.exe, grepped for Lunar-3. The \ character is to escape the ‘-‘ from being read as a command. -C 1 gives one line of context above and below each entry that meets our grep requirements.
Name Game 2
Used our favorite hex editor to search for the bytes that are listed in the problem, since the username of the logged on character always follows that signature. We knew we needed a hex editor because cat | grep wouldn’t find non-printable characters.
Silly Rick
Super easy. Rick copies and pastes his password. Things that are copied are written onto the clipboard.
volatility -f OtterCTF.vmem --profile=Win7SP1x64 clipboard
Hide and Seek
volatility -f OtterCTF.vmem --profile=Win7SP1x64 pslist
Looks like the “Rick and Morty” process ID is the parent process ID of the task below it called “VMWare-Tray.exe”. Should seem sketchy, because it is.
Path to Glory
Since we have indicators that this malware came from a torrent file, we need to locate the said torrent file on the memory image itself using the filescan plugin
volatility -f OtterCTF.vmem --profile=Win7SP1x64 filescan | grep "Rick And Morty"
volatility -f OtterCTF.vmem --profile=Win7SP1x64 -Q <memory address> -D <directory path you want to dump to>
This is an actually exe file. Don’t run it. Run strings and search for the flag.
What’s next? (extra credit)
This link will lead you to another volatility problem where you will practice your skills if you’d like to further them. Writeups for this exist, so you can practice finding writeups also. Good luck!
This requires an account, answer their questions any way you prefer, then travel back to that link after you have finished creating your account. you’re on your own from there!