Tryhackme:Memory Forensics

Perform memory forensics to find the flags

Introduction:

Enjoy!

Please note: The size of the attached vmem file to download for each Task is large: 1.07 GB.

Here are some resources I used, check them out for more information:

Volatility: https://github.com/volatilityfoundation/volatility/

Volatility wiki: https://github.com/volatilityfoundation/volatility/wiki

Cheatsheet: https://book.hacktricks.xyz/forensics/volatility-examples

Room icon credit: https://book.cyberyozh.com/counter-forensics-anti-computer-forensics

1.I have understood the task and can continue to the questions!

A:no answer need

login:

1.What is John’s password?

A:charmander999

Analysis:

On arrival a picture was taken of the suspect’s machine, on it, you could see that John had a command prompt window open. The picture wasn’t very clear, sadly, and you could not see what John was doing in the command prompt window.

To complete your forensic timeline, you should also have a look at what other information you can find, when was the last time John turned off his computer?

1.When was the machine last shutdown?

A:2020–12–27 22:50:12

2.What did John write?

A:you_found_me

TrueCrypt:

A common task of forensic investigators is looking for hidden partitions and encrypted files, as suspicion arose when TrueCrypt was found on the suspect’s machine and an encrypted partition was found. The interrogation did not yield any success in getting the passphrase from the suspect, however, it may be present in the memory dump obtained from the suspect’s computer.

1.What is the TrueCrypt passphrase?

A:forgetmenot

please everyone join my telegram channel :https://t.me/hackerwheel

please everyone join my youtube channel :https://www.youtube.com/channel/UCl10XUIb7Ka6fsq1Pl7m0Hg

Hackerwheel
Change the world
https://t.me/hackerwheel

CTF-PLAYER, security analyst, Pentesting, vapt, digital forensics