Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
New image for December! It can be found here. This is a memory image, and this week has multiple questions. Note: I may jump between Volatility 2.6 and 3 as I’m playing around.
Q1: *At the time of the RAM collection (20-Apr-20 23:23:26- Imageinfo) there was an established connection to a Google Server. What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”
The answer format gives a bit of a hint: the third octet is two digits and the other three octets are three digits, and the port is three digits, so it is not 80. For a connection to Google, 443 is the obvious candidate. Let's use Volatility's netscan to list the connections that were established at the time of imaging.
```
$ ./vol -f memdump-001.0.mem --profile=Win7SP1x64 netscan | grep -i established
Volatility Foundation Volatility Framework 2.6
0x13d48f540  TCPv4  192.168.10.146:54279  220.127.116.11:443  ESTABLISHED  -1
0x13ec87cd0  TCPv4  192.168.10.146:54282  18.104.22.168:443   ESTABLISHED  -1
0x13ece73b0  TCPv4  192.168.10.146:54281  22.214.171.124:443  ESTABLISHED  -1
0x13ecf8010  TCPv4  192.168.10.146:54280  126.96.36.199:443   ESTABLISHED  -1
```

The columns are the physical offset of the endpoint structure, the protocol, the local address, the foreign (remote) address, the connection state and the owning PID; netscan prints -1 when it cannot tie the endpoint back to a process.
Lucky for us only one of the remote addresses belongs to Google (a whois or reverse DNS lookup of the four foreign addresses settles which), and it is in the expected format. Trying 188.8.131.52:443 and BING! Success.
Q2: What was the Local IP address and port number? same format as part 1
In the netscan output, the foreign address on the right is the public IP the system is connecting to, and the address on the left (192.168.10.146, an RFC 1918 range) is the system's own private address. The local port is the one on the same row as the Google connection. Trying 192.168.10.146:54282 and BING! Success.
Q3: What was the URL?
First, check for a browser process and get its PID. I bet it is Chrome.
```
$ ./vol -f memdump-001.0.mem --profile=Win7SP1x64 pslist | grep -i chrome
Volatility Foundation Volatility Framework 2.6
0xfffffa8031e2c2c0 chrome.exe  3384  2672  30  1039  1  0  2020-04-20 23:17:07 UTC+0000
0xfffffa8032429060 chrome.exe  3392  3384   7    95  1  0  2020-04-20 23:17:07 UTC+0000
0xfffffa80324ca5c0 chrome.exe  3492  3384   2    56  1  0  2020-04-20 23:17:09 UTC+0000
```
The pslist columns (after the offset and name) are PID, PPID, thread count, handle count, session, Wow64 flag and start time. The PID we are interested in is 3384: the other two chrome.exe entries have PPID 3384, so they are its child renderer/helper processes. We want to dump the History file (Chrome's SQLite browsing-history database) from the parent Chrome process.
```
$ ./vol -f memdump-001.0.mem --profile=Win7SP1x64 dumpfiles -D dump/ -r History$ -i -p 3384
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0xfffffa80325ccb30   3384   \Device\HarddiskVolume1\Users\Warren\AppData\Local\Google\Chrome\User Data\Default\History
SharedCacheMap    0xfffffa80325ccb30   3384   \Device\HarddiskVolume1\Users\Warren\AppData\Local\Google\Chrome\User Data\Default\History
```
Here -r History$ -i is a case-insensitive regex on the file name, and -p 3384 restricts the search to handles of that process. dumpfiles writes the DataSectionObject out as a .dat file and the SharedCacheMap as a .vacb file; the .dat is the one to open. This gives us file.3384.0xfffffa80311c7eb0.dat. If we open that with an SQLite viewer, go to the urls table and sort by last_visit_time, we see https://google.com at the top. Note that a file recovered from memory can be incomplete, so if the viewer complains the database is malformed it is worth trying a second copy or a different viewer. Trying, and BING! Success.
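The same lookup can be scripted. The following is an added example, not part of the original write-up: it queries a Chrome History database for the most recently visited URLs and converts Chrome's timestamps, which are microseconds since 1601-01-01 UTC (the WebKit epoch), into readable UTC times. The urls rows it runs against are constructed sample data, not rows from the memory image; point open_history() at the extracted .dat file to run it for real.

```python
"""Query a Chrome History database for the most recently visited URLs.

Added example, not part of the original write-up. build_sample_history()
creates a tiny History-like SQLite database in memory (constructed sample
data) so the script runs offline; open_history() opens a real extracted
History file, such as the .dat produced by Volatility's dumpfiles.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC
# (the WebKit/Windows FILETIME epoch), not since the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    """Convert a Chrome/WebKit microsecond timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    """Inverse of webkit_to_datetime; integer division keeps it exact."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def chrome_last_visits(conn, limit=5):
    """Return [(url, title, visit_count, last_visit_utc)], newest first.

    Only columns present in every Chrome History schema are used, so this
    also works against older or partially recovered files.
    """
    rows = conn.execute(
        "SELECT url, title, visit_count, last_visit_time "
        "FROM urls ORDER BY last_visit_time DESC LIMIT ?", (limit,)
    ).fetchall()
    return [(u, t, c, webkit_to_datetime(lv)) for u, t, c, lv in rows]


def open_history(path):
    """Open an extracted History file read-only so nothing is modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_history():
    """Constructed sample History database (not data from the memory image)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, "
        "title LONGVARCHAR, visit_count INTEGER, typed_count INTEGER, "
        "last_visit_time INTEGER, hidden INTEGER DEFAULT 0)"
    )
    sample = [
        ("https://example.org/", "Example", 2,
         datetime(2020, 4, 20, 23, 10, 0, tzinfo=timezone.utc)),
        ("https://google.com", "Google", 5,
         datetime(2020, 4, 20, 23, 17, 30, tzinfo=timezone.utc)),
        ("https://example.net/login", "Login", 1,
         datetime(2020, 4, 19, 8, 0, 0, tzinfo=timezone.utc)),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time) "
        "VALUES (?, ?, ?, 0, ?)",
        [(u, t, c, datetime_to_webkit(ts)) for u, t, c, ts in sample],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    # Replace build_sample_history() with open_history("dump/file.3384.....dat")
    for url, title, count, when in chrome_last_visits(build_sample_history()):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {count:3d}  {url}  ({title})")
```

Sorting on last_visit_time in the query rather than in a viewer avoids misreading the raw integer, and converting with the 1601 epoch (not the Unix epoch) is the step most often done wrong when reading Chrome artifacts by hand.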
Q4: What user was responsible for this activity based on the profile?
The path in the dumpfiles output (\Users\Warren\AppData\Local\Google\Chrome\...) already shows the profile belongs to "Warren", but just to check let's look at the local SAM accounts with hashdump.
```
$ ./vol -f memdump-001.0.mem --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Warren:1000:aad3b435b51404eeaad3b435b51404ee:2aa81fb8c8cdfd8f420f7f94615036b0:::
```
Confirmed: Warren (RID 1000, the first user-created account) is the only account besides the built-in Administrator and Guest, and those two carry the NT hash of an empty password (31d6cfe0d16ae931b73c59d7e0c089c0), as is usual for disabled built-in accounts. Keep in mind that hashdump only shows which accounts exist; the profile path is what ties the browsing to this user. Trying "Warren" and BING! Success.
Q5: How long was this user looking at this browser with this version of Chrome?
This question was quite nasty. I kept thinking about prefetch timelines, but didn't think of a way to find the exact time viewed. I tried building process execution timelines, but that wasn't it. I turned to the Windows Registry. After a lot of hacking around I figured it must be UserAssist: Explorer keeps per-user counters for GUI programs under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist (in NTUSER.DAT), with ROT13-encoded value names and a binary value holding the run count, focus count, focus time and last-run time. Volatility's userassist plugin finds the hive in memory and decodes all of that.
```
$ ./vol -f memdump-001.0.mem --profile=Win7SP1x64 userassist | grep -A 4 -i Chrome
Volatility Foundation Volatility Framework 2.6
REG_BINARY    Chrome :
Count:          9
Focus Count:    106
Time Focused:   3:36:47.301000
Last updated:   2020-04-20 23:17:07 UTC+0000
--
REG_BINARY    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk :
Count:          7
Focus Count:    0
Time Focused:   0:00:00.507000
Last updated:   2020-04-20 23:17:07 UTC+0000
--
REG_BINARY    C:\Users\Public\Desktop\Google Chrome.lnk :
Count:          2
Focus Count:    0
Time Focused:   0:00:00.502000
Last updated:   2020-02-18 07:43:29 UTC+0000
```
We are interested in the first entry, the one for the Chrome application itself rather than the two shortcut (.lnk) entries. Its Last updated value matches the chrome.exe start time from pslist (2020-04-20 23:17:07), which corroborates that this is the session in question. Note that UserAssist focus time is cumulative across all runs (here 106 focus events over 9 launches), not just the last one, which is exactly what the question is after. Specifically, Time Focused: 3:36:47.301000. Trying and BING! Success (finally).
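To show what the plugin is actually decoding, here is an added example (not from the write-up and not Volatility's code) that parses a Windows 7-style UserAssist value: it ROT13-decodes the value name and unpacks the run count, focus count, focus time and last-run FILETIME from the 72-byte binary value, at the same offsets the Volatility userassist plugin uses. The sample value is constructed to reproduce the numbers in the Chrome entry above; it is not bytes taken from the memory image. The older Windows XP layout (16 bytes, with no focus fields) is rejected rather than parsed.

```python
"""Decode a Windows 7-style UserAssist registry value.

Added example, not part of the original write-up or of Volatility. The
72-byte value layout used from Windows 7 onward (offsets matching the
Volatility userassist plugin):
    0x04  run count      (DWORD)
    0x08  focus count    (DWORD)
    0x0C  focus time     (DWORD, milliseconds)
    0x3C  last executed  (FILETIME, 8 bytes)
The sample value built below is constructed to match the Chrome entry in
the write-up; it is not bytes from the memory image.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RUN_COUNT_OFF, FOCUS_COUNT_OFF, FOCUS_TIME_OFF, LAST_RUN_OFF = 0x04, 0x08, 0x0C, 0x3C
WIN7_VALUE_SIZE = 72


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used here to build the sample value)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_name(rot13_name):
    """UserAssist value names are ROT13-encoded; return the real name/path."""
    return codecs.decode(rot13_name, "rot_13")


def parse_userassist_win7(name, blob):
    """Parse one UserAssist value into the fields Volatility reports.

    Raises ValueError for the 16-byte Windows XP layout, which has no
    focus fields and must be parsed differently.
    """
    if len(blob) != WIN7_VALUE_SIZE:
        raise ValueError(f"expected {WIN7_VALUE_SIZE}-byte Win7+ value, got {len(blob)}")
    # run count, focus count and focus time are three consecutive DWORDs at 0x04
    run_count, focus_count, focus_ms = struct.unpack_from("<III", blob, RUN_COUNT_OFF)
    (last_run,) = struct.unpack_from("<Q", blob, LAST_RUN_OFF)
    return {
        "name": decode_name(name),
        "count": run_count,
        "focus_count": focus_count,
        "time_focused": timedelta(milliseconds=focus_ms),
        "last_updated": filetime_to_datetime(last_run) if last_run else None,
    }


def build_sample_value():
    """Constructed (name, blob) pair matching the Chrome entry; not real bytes."""
    blob = bytearray(WIN7_VALUE_SIZE)
    focus_ms = 3 * 3600000 + 36 * 60000 + 47301          # 3:36:47.301
    struct.pack_into("<III", blob, RUN_COUNT_OFF, 9, 106, focus_ms)
    last_run = datetime(2020, 4, 20, 23, 17, 7, tzinfo=timezone.utc)
    struct.pack_into("<Q", blob, LAST_RUN_OFF, datetime_to_filetime(last_run))
    return "Puebzr", bytes(blob)                          # "Chrome" in ROT13


if __name__ == "__main__":
    entry = parse_userassist_win7(*build_sample_value())
    print(f"{entry['name']}: Count: {entry['count']}  Focus Count: {entry['focus_count']}  "
          f"Time Focused: {entry['time_focused']}  Last updated: {entry['last_updated']}")
```

Against a hive exported from disk the same parser applies to each value under the UserAssist\{GUID}\Count keys; the only difference from the memory case is where the bytes come from.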
I've learned a lot every week of the Magnet CTF. However, memory analysis has really pushed me. I look at a question and think "dang I know where that is on disk, how am I going to carve it?" For some reason I keep wanting to default to "carve." The curve-ball this week was Registry analysis from memory. It's extremely useful, and I'm sure I will use it again.