Incident Scenario:

Our user "Hattori" has reported strange behavior on his computer and noticed that some PDF files have been encrypted, including a document critical to the company named important_document.pdf. He decided to report it; since it was suspected that some credentials might have been stolen, the DFIR team has been involved and has captured some evidence. Join the team to investigate and learn how to get information from a memory dump in a practical scenario.

Helpful commands:

vol -f memdump.mem windows.info

#-f -> path to the memory image to analyze
#memdump.mem -> the file to analyze
#windows.info -> shows general information about the image (OS version, kernel, architecture)

vol -f memdump.mem windows.netstat
#windows.netstat lists network connections and sockets, useful for spotting unusual network behavior

vol -f memdump.mem windows.pstree
#windows.pstree shows the running processes as a parent/child tree

vol -f memdump.mem windows.filescan
#windows.filescan lists the file objects (files that were opened) still present in the memory dump

vol -f memdump.mem windows.mftscan.MFTScan
#windows.mftscan.MFTScan shows MFT entries, including when a file was created, accessed or modified

vol -f memdump.mem -o . windows.memmap --dump --pid 1612
#-o -> specify the output directory
# . -> the current directory (the folder where you're running the commands)
#windows.memmap -> shows the memory layout of the process
# --dump -> write the process memory to disk
# --pid 1612 -> the process ID to dump
#This will create a pid.1612.dmp file

strings pid.1612.dmp | less
#strings -> prints the printable character sequences found in the file
#less -> pages the output so you can scroll through it screen by screen
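The strings step in Python, as an added example that is not part of the original notes: it extracts printable runs from a dump and filters them for the file names the investigation cares about. The sample bytes are constructed, not taken from memdump.mem, and the example goes one step past `strings` by also decoding UTF-16LE runs, which Windows uses for most paths and which `strings` only shows with `-el`.

```python
from __future__ import annotations
import re

# Constructed stand-in for a slice of pid.1612.dmp (not real dump data): an ASCII file name,
# a UTF-16LE path as Windows stores it, a second file name, and some binary noise.
SAMPLE_DUMP = (
    b"\x00\x01\x02important_document.pdf\x00\xff\xfe"
    + "C:\\Users\\Hattori\\Documents\\important_document.pdf".encode("utf-16-le")
    + b"\x00\x00\x90\x90ransom_note.txt\x00\x7f\x80abc\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[tuple[str, str, int]]:
    """Return (encoding, text, offset) for every ASCII and UTF-16LE run of at least
    min_len printable characters. Mirrors `strings` (ASCII) plus `strings -el` (UTF-16LE)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE: each printable ASCII code unit is followed by a 0x00 byte.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append(("ascii", m.group().decode("ascii"), m.start()))
    for m in utf16_re.finditer(data):
        found.append(("utf-16le", m.group().decode("utf-16-le"), m.start()))
    return sorted(found, key=lambda s: s[2])


def find_indicators(data: bytes, keywords: tuple[str, ...]) -> dict[str, list[str]]:
    """Map each keyword (case-insensitive) to the extracted strings that contain it,
    the same idea as `strings pid.1612.dmp | grep -i keyword`."""
    hits: dict[str, list[str]] = {k: [] for k in keywords}
    for _, text, _ in extract_strings(data):
        for k in keywords:
            if k.lower() in text.lower():
                hits[k].append(text)
    return hits


if __name__ == "__main__":
    for enc, text, off in extract_strings(SAMPLE_DUMP):
        print(f"{off:08x} {enc:8} {text}")
    for key, matches in find_indicators(SAMPLE_DUMP, ("important_document.pdf", ".txt")).items():
        print(key, "->", matches)
```

On a real dump, read the file in chunks rather than loading it whole; a process dump can run to hundreds of megabytes.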

Task 4: Gathering Target Information


Task 5: Searching for Suspicious Activity

Task 6: Finding Interesting Data