Tryhackme:Forensics

jagadeesh
4 min read · Mar 18, 2021

This is a memory dump of a compromised system; do some forensics kung-fu to explore the inside.

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs including XP, 2003 Server, Vista, Server 2008, Server 2008 R2, and Seven. Whether your memory dump is in raw format, a Microsoft crash dump, hibernation file, or virtual machine snapshot, Volatility is able to work with it. We also now support Linux memory dumps in raw or LiME format and include 35+ plugins for analyzing 32- and 64-bit Linux kernels from 2.6.11–3.5.x and distributions such as Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake. We support 38 versions of Mac OSX memory dumps from 10.5 to 10.8.3 Mountain Lion, both 32- and 64-bit. Android phones with ARM processors are also supported. Support for Windows 8, 8.1, Server 2012, 2012 R2, and OSX 10.9 (Mavericks) is either already in svn or just around the corner.

Volatility forensics:

1. Download the victim.zip

No answer needed.

2. What is the OS of this dump? (Just write the OS name in lowercase)

A: windows

3. What is the PID of SearchIndexer?

A: 2180

4. What is the last directory accessed by the user? (Just write the last folder name as it is)

A: deleted_files

Task2:

1. There are many open ports; which one is suspicious? (protocol:port)

A: UDP:5005

2. VAD tags and execute protection are strong indicators of malicious processes; can you find which ones they are? (Pid1;Pid2;Pid3…)

A: 1860;1820;2464

IOC SAGA:

In the last task you identified the malicious processes, so let's dig into them and find some IOCs. You just need to find them and fill in the blanks (you may look them up on VirusTotal for more details :)

IOCs (Indicators of Compromise) are pieces of forensic data found in system log entries and files. This data is then used to identify malicious activity. Since we identified all the malicious processes in the previous task, we can dump the memory of those processes and search it for the strings (domains, IP addresses, environment variables) that reveal the malicious activity.

1. 'www.go****.ru' (write the full URL without any quotation marks)

A: www.goporn.ru

2. 'www.i****.com' (write the full URL without any quotation marks)

A: www.ikaka.com

3. 'www.ic******.com'

A: www.icsalabs.com

4. 202.***.233.*** (write the full IP)

A: 202.107.233.211

5. ***.200.**.164 (write the full IP)

A: 209.200.12.164

6. 209.190.***.***

A: 209.190.122.186

7. What is a unique environment variable of PID 2464?

A: OANOCACHE
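The masked IOCs above are recovered by string-searching the dumped memory of the suspicious processes. As an added example that is not part of the original writeup, the Python script below turns each CTF-style mask into a regular expression (every `*` stands for one printable byte), runs it over a dump buffer, and also does an unmasked sweep for `www.` hostnames, dotted-quad IPv4 addresses and `NAME=value` environment strings. The `SAMPLE_DUMP` byte string is constructed for the demonstration and merely embeds the values listed above among filler; in a real investigation you would read the file written by a process memory dump plugin instead. The helper names `mask_to_regex`, `find_masked`, `extract_iocs` and `extract_env` are this example's own.

```python
from __future__ import annotations

import re

# Constructed sample (not a real dump): bytes laid out the way strings sit in a
# process memory dump, with the IOC values from this writeup embedded among
# unrelated data such as a PE header, a DLL name and environment strings.
SAMPLE_DUMP = (
    b"MZ\x90\x00kernel32.dll\x00http://www.goporn.ru/up.php\x00"
    b"\x00\x00www.ikaka.com\x00\x01\x02www.icsalabs.com\x00"
    b"\x00202.107.233.211\x00\x00209.200.12.164:5005\x00209.190.122.186\x00"
    b"OANOCACHE=1\x00Path=C:\\Windows\x00"
)

# Unmasked sweeps: hostnames beginning with "www." and dotted-quad IPv4 addresses.
HOST_RE = re.compile(rb"www\.[a-z0-9.-]+\.[a-z]{2,}")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# NAME=value pairs as they appear in a process environment block (null-terminated).
ENV_RE = re.compile(rb"([A-Za-z_][A-Za-z0-9_]*)=([^\x00]*)")


def mask_to_regex(mask: str) -> re.Pattern:
    """Turn a CTF-style mask such as 'www.go****.ru' or '202.***.233.***' into a
    compiled bytes regex: each '*' matches exactly one printable, non-null byte
    and every other character is matched literally."""
    parts = [r"[^\x00\s]" if ch == "*" else re.escape(ch) for ch in mask]
    return re.compile("".join(parts).encode("ascii"))


def find_masked(dump: bytes, mask: str) -> list[str]:
    """Return the distinct strings in dump that fit the mask, in order of appearance."""
    hits: list[str] = []
    for m in mask_to_regex(mask).finditer(dump):
        s = m.group().decode("ascii", errors="replace")
        if s not in hits:
            hits.append(s)
    return hits


def extract_iocs(dump: bytes) -> dict[str, list[str]]:
    """Sweep the whole buffer for candidate network IOCs without any mask."""
    hosts = sorted({m.decode("ascii") for m in HOST_RE.findall(dump)})
    ips = sorted({m.decode("ascii") for m in IPV4_RE.findall(dump)})
    return {"hosts": hosts, "ips": ips}


def extract_env(dump: bytes) -> dict[str, str]:
    """Collect NAME=value strings; a name no legitimate process sets is itself an IOC."""
    return {k.decode("ascii"): v.decode("ascii", errors="replace")
            for k, v in ENV_RE.findall(dump)}


if __name__ == "__main__":
    for mask in ("www.go****.ru", "www.i****.com", "www.ic******.com",
                 "202.***.233.***", "***.200.**.164", "209.190.***.***"):
        print(f"{mask:18} -> {find_masked(SAMPLE_DUMP, mask)}")
    print(extract_iocs(SAMPLE_DUMP))
    print(extract_env(SAMPLE_DUMP))
```

To use it on real material, replace `SAMPLE_DUMP` with the bytes read from the dumped process image; the masked search is the quick way to confirm a hint, while `extract_iocs` is the broader sweep you would run first to see every host and address a process carried before checking them against a reputation service.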

Please, everyone, join my Telegram channel: https://t.me/hackerwheel


Happy hacking…


jagadeesh

CTF-PLAYER, security analyst, Pentesting, vapt, digital forensics