TryHackMe is a security upskilling platform covering many different topics. This room was part of the ‘Incident Response and Digital Forensics’ track. Many of the rooms on the site are free to access, including this one.
Task 1 – Intro
‘Volatility is a free memory forensics tool developed and maintained by Volatility labs. Regarded as the gold standard for memory forensics in incident response, Volatility is wildly expandable via a plugins system and is an invaluable tool for any Blue Teamer.’
Task 1 asks us to install the program. I grabbed the latest (2.6) Windows release from https://www.volatilityfoundation.org/releases
Task 2 – Obtaining Memory Samples
This section gives a breakdown of the various ways a memory capture can be obtained from a machine, including tools for a live capture (machine turned on) such as FTK Imager, Redline and win32dd/win64dd. These tools typically output a .raw file, which is one of the most common image formats you will come across. Offline Windows machines can have their memory captured by obtaining a copy of the %SystemDrive%/hiberfil.sys file. Virtual machines are also becoming very popular, and their memory contents can be pulled by obtaining the .vmem file for a VMWare machine or the .bin file for a Hyper-V machine. We have three questions for this task; the answers are below.
Task 3 – Examining our patient
This section gives us a .vmem file to analyse. We know this to be a VMWare format memory capture from the previous section.
Question one establishes the need to find out which profile to use. Profiles determine how Volatility treats our memory image, since every version of Windows is a little bit different. ‘Let’s see our options now with the command `volatility -f MEMORY_FILE.raw imageinfo`.’
Question 2 gets us to confirm which of the profiles suggested in the first question is correct by running the ‘pslist’ command with it.
WinXPSP2x86 seems to be the right answer here.
Question 3 asks for the process ID (PID) of the smss.exe process.
From the screenshot in Question 2 we can see the answer is 368.
Question 4 asks us to run the ‘netscan’ command. This command shows the network connections that were active at the time the image was created. Unfortunately, it does not work here due to the age of the target operating system, but it would be a normal part of analysing an image, used to identify any possible communications with malicious IP addresses.
Question 5 asks us to run the psxview command to identify any hidden processes.
We can see the last process csrss.exe meets the question criteria.
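The psxview table is a cross-view check: each boolean column is an independent way of enumerating processes, and a process a rootkit has unlinked from the kernel's process list shows up as a disagreement between columns. The script below, an added example that is not part of the TryHackMe room or the Volatility project, parses a psxview table and reports rows with the classic hidden-process signature. The sample table is constructed to mirror the column layout of Volatility 2's psxview output; its offsets, names and PIDs are made up.

```python
"""Cross-view check over Volatility 2 psxview output.

Added example: not part of the TryHackMe room and not Volatility code.
SAMPLE_PSXVIEW below is constructed to mirror the column layout of
`volatility --profile=WinXPSP2x86 -f MEMORY_FILE.vmem psxview`; the
offsets, names and PIDs in it are made up.
"""
import re
from typing import Dict, List

# Constructed sample. Each boolean column is an independent way of finding
# processes; disagreement between columns is what psxview exists to show.
SAMPLE_PSXVIEW = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x0a0e7e00 smss.exe                368 True   True   True     True   False False   False
0x0a1a4020 csrss.exe               584 True   True   True     True   False True    True
0x09f8d360 explorer.exe           1184 True   True   True     True   True  True    True
0x0a06c7a8 svchost.exe             880 True   True   True     True   True  True    True
0x09e3b2c0 suspect.exe            1372 False  True   True     True   True  True    True
0x09fc1d98 notepad.exe            1660 False  True   False    False  False False   False  2011-11-11 11:11:11 UTC+0000
"""

BOOL_COLUMNS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+"
    + r"\s+".join(r"(?P<%s>True|False)" % col for col in BOOL_COLUMNS)
    + r"\s*(?P<exit>.*)$"
)


def parse_psxview(text: str) -> List[Dict]:
    """Turn the psxview table into one dict per process row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # banner, header and separator lines
        row = {
            "offset": m.group("offset"),
            "name": m.group("name"),
            "pid": int(m.group("pid")),
            "exit_time": m.group("exit").strip() or None,
        }
        for col in BOOL_COLUMNS:
            row[col] = m.group(col) == "True"
        rows.append(row)
    return rows


def hidden_processes(rows: List[Dict]) -> List[Dict]:
    """Rows with the classic DKOM signature: missing from the EPROCESS
    linked list that pslist walks, but found by psscan's pool scan, and
    with no ExitTime. Terminated processes also drop out of pslist while
    their pool memory lingers, so they are excluded rather than reported."""
    return [r for r in rows if r["psscan"] and not r["pslist"] and r["exit_time"] is None]


def disagreements(rows: List[Dict]) -> List[Dict]:
    """Every row where the seven views do not all agree, hidden or not.
    The analyst still has to explain each one, but many are benign."""
    return [r for r in rows if len({r[c] for c in BOOL_COLUMNS}) > 1]


if __name__ == "__main__":
    parsed = parse_psxview(SAMPLE_PSXVIEW)
    for r in hidden_processes(parsed):
        print("hidden: %s pid=%d at %s" % (r["name"], r["pid"], r["offset"]))
```

A single False is not evidence on its own: the csrss column is built from handles held by csrss.exe, so smss.exe and csrss.exe itself are expected to read False there, and a process that exited keeps a psscan hit with an ExitTime. The pslist-versus-psscan disagreement on a still-running process is the signal worth chasing; the others need an explanation, not an alarm.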
Question 6 requires no answer.
Question 7 asks us to run the ‘malfind’ command. This is a really useful plugin that scans process memory for known malware indicators.
Windows Defender kicked in as soon as I ran this command and started quarantining files, so I had to disable it temporarily in order to get the right answer to this question – 12
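malfind reports memory regions whose protection and contents look like injected code, and the analyst's job is to decide which hits matter. The script below, an added example that is not code from the TryHackMe room or the Volatility project, parses malfind's text output and gives each region a triage verdict from its first bytes. The sample output is constructed to follow malfind's layout (a Process line, a Vad Tag/Protection line, a Flags line, a hex dump, then a disassembly); the process names, PIDs and addresses in it are made up.

```python
"""Triage of Volatility 2 malfind output.

Added example: not part of the TryHackMe room and not Volatility code.
SAMPLE_MALFIND is constructed to follow malfind's layout; the process
names, PIDs and addresses are made up.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE_MALFIND = """\
Volatility Foundation Volatility Framework 2.6
Process: explorer.exe Pid: 1184 Address: 0x1460000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01460000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x01460010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x01460000 4d               DEC EBP
0x01460001 5a               POP EDX

Process: svchost.exe Pid: 880 Address: 0x7f6f0000
Vad Tag: Vad  Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6

0x7f6f0000  c8 00 00 00 ff ee ff ee 08 70 00 00 08 00 00 00   .........p......
0x7f6f0010  00 fe 00 00 00 00 10 00 00 20 00 00 00 02 00 00   ......... ......

0x7f6f0000 c800000000       ENTER 0x0, 0x0
0x7f6f0005 ffee             ???

Process: explorer.exe Pid: 1184 Address: 0x2a70000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02a70000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x02a70010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x02a70000 0000             ADD [EAX], AL
"""

HEADER_RE = re.compile(
    r"^Process:\s+(?P<name>\S+)\s+Pid:\s+(?P<pid>\d+)\s+Address:\s+(?P<addr>0x[0-9a-fA-F]+)"
)
PROT_RE = re.compile(r"Protection:\s+(?P<prot>PAGE_[A-Z_]+)")
# A hex-dump line is an address followed by sixteen space-separated byte
# pairs. Disassembly lines also start with an address but carry their
# opcode bytes as one run (e.g. "c800000000"), so they do not match.
DUMP_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2} ){15}[0-9a-f]{2})\s")


@dataclass
class Region:
    process: str
    pid: int
    address: int
    protection: str
    first_bytes: bytes


def parse_malfind(text: str) -> List[Region]:
    """One Region per 'Process:' block, keeping the first hex-dump line."""
    regions: List[Region] = []
    current = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = Region(h.group("name"), int(h.group("pid")), int(h.group("addr"), 16), "", b"")
            regions.append(current)
            continue
        if current is None:
            continue  # banner lines before the first block
        p = PROT_RE.search(line)
        if p and not current.protection:
            current.protection = p.group("prot")
            continue
        d = DUMP_RE.match(line)
        if d and not current.first_bytes:
            current.first_bytes = bytes.fromhex(d.group(1).replace(" ", ""))
    return regions


def classify(region: Region) -> str:
    """Verdict from the leading bytes; a heuristic, not proof either way."""
    b = region.first_bytes
    if b[:2] == b"MZ":
        return "pe_header"     # a whole image sitting in private RWX memory
    if b"\xff\xee\xff\xee" in b[:16]:
        return "heap_segment"  # heap signature bytes: the usual benign hit
    if b and not any(b):
        return "zero_page"     # nothing written yet, nothing to judge
    return "unknown"           # possible shellcode: read the disassembly


def triage(text: str) -> List[Tuple[str, int, str, str, str]]:
    """Flat summary rows: process, pid, address, protection, verdict."""
    return [(r.process, r.pid, hex(r.address), r.protection, classify(r)) for r in parse_malfind(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_MALFIND):
        print("%-14s pid=%-5d %-10s %-24s %s" % row)
```

Private, executable and writable memory that starts with an MZ header is the strongest of malfind's signals and the region to dump first; heap segments and untouched zero pages are routine hits that the plugin cannot tell apart from injection by protection flags alone, which is why the verdict is taken from the bytes rather than from the Protection line.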
Question 8 requires no answer.
Question 9 asks us to run the ‘dlldump’ command to pull a copy of the DLL files loaded by the previously identified malicious process.
The answer here is 12.
Task 4 – Post Actions
This section asks us to upload the files extracted in the previous section (malware executables and DLLs) to VirusTotal and Hybrid Analysis. Both sites analyse uploaded files, file hashes and URLs to determine whether they are malicious. VirusTotal’s aggregated data is the output of many different antivirus engines, website scanners, file and URL analysis tools, and crowd-sourced user contributions.
Task 5 – Extra Credit
The last section has a great list of resources for further reading, including:
AlienVault Open Threat Exchange (OTX) – an open-source threat tracking system. Create pulses based on your malware analysis work and check out the work of others.
SANS FOR408 (now SANS FOR500) – Windows Forensic Analysis
“The Art of Memory Forensics”
MemLabs – a collection of CTF-style memory forensics labs
Overall this was a really well guided room and, whilst only barely scratching the surface of what Volatility is capable of, it sets a good foundation for beginner investigators to start analysing those memory dumps!