Volatility and case demonstration of memory forensics

Introduction

Volatility is an open-source memory forensics framework. It analyses an acquired memory image, reconstructs the kernel data structures in it and, through plugins, exposes what was in memory and the running state of the system.

  • Forensics file suffix .raw, .vmem, .img
  • Common commands (imageinfo, pslist, dumpfiles, memdump)
  • Suspicious process (notepad, cmd)
  • Combined with disk forensics
  • Understand the principles of some operating systems
  • Common file suffixes dmg, img

If you don’t know how to install it, you can check this article
Memory Forensics-Volatility Installation and Use and some CTF competition topics

volatility basic commands

Run vol.py --help to view the help. The -h parameter gives the usage and an introduction to the plugins; several commonly used commands are listed below.

imageinfo: shows summary information about the target image. This is usually the first step: it identifies the operating system type and version, and the suggested profile is then passed as --profile to every subsequent command.

pslist: lists the system's processes by walking the active process list; it cannot detect hidden or unlinked processes (psscan can).

pstree: shows the process list as a tree; like pslist, it cannot detect hidden or unlinked processes.

psscan: scans memory for process objects, so it also finds processes that have already terminated (inactive) and processes hidden or unlinked by a rootkit.

cmdscan: recovers the command history of console (cmd.exe) sessions.

notepad: shows the text currently displayed in Notepad (works with old profiles such as WinXP; it does not work on Win7, where editbox is the alternative to try).

filescan: scans memory for file objects and lists them all.

On Linux, pipe the output into grep to look for particular names or types, e.g. grep flag or grep -E 'png|jpg|gif|zip|rar|7z|pdf|txt|doc'.

dumpfiles: extracts a single file (identified by its offset).

The offset printed by filescan is given with -Q and the output directory with -D.

memdump: dumps the memory of a given process; foremost is commonly run on the result to carve out the files inside it.

The process is given with -p [pid] and the output directory with -D.

editbox: shows information about edit controls (text that has been entered into them).

screenshot: saves a pseudo screenshot reconstructed from GDI window positions.

clipboard: shows the clipboard contents.

iehistory: retrieves the Internet Explorer browsing history.

systeminfo: shows detailed configuration information about the computer and its operating system (third-party plugin).

hashdump: dumps the password hashes of the operating system's accounts, i.e. the contents of the Windows SAM (the mimikatz plugin can recover cleartext passwords).

mftparser: parses MFT entries; the resident data of small files, including deleted ones whose entry still exists, can be recovered from them.

svcscan: scans for Windows services.

connscan: scans for TCP connection objects (Windows XP/2003 only; on Vista and later use netscan).

envars: shows process environment variables.

dlllist: lists all DLLs loaded by a given process.

hivelist: lists the registry hives with their virtual and physical addresses.

timeliner: lays out all operating system artifacts as a timeline.

Case explanation

[Net Cup] Easy_dump

1. Check the basic information first.

vol.py -f easy_dump.img imageinfo


2. Next look at the processes. There is a **notepad.exe (Notepad)** process, so something was presumably typed into it; its memory needs to be dumped and searched.

vol.py -f easy_dump.img --profile=Win7SP1x64 pslist

3. Use memdump to dump the process's memory (pid 2616 here) to the current directory:

vol.py -f easy_dump.img --profile=Win7SP1x64 memdump -p 2616 -D ./

The dump is raw process memory and Notepad stores its text as UTF-16LE, so a plain strings run will not show it; extract 16-bit little-endian strings with -e l and grep for the flag:

strings -e l 2616.dmp | grep flag

4. The output hints at a jpg picture, so search the file objects in memory for image files:

vol.py -f easy_dump.img --profile=Win7SP1x64 filescan |grep -E 'jpg|gif|png'

5. Dump the picture with dumpfiles, passing the physical offset printed by filescan with -Q:

vol.py -f easy_dump.img --profile=Win7SP1x64 dumpfiles -Q 0x000000002408c460 -D ./
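The filescan-then-dumpfiles step above is done by hand here; the following is an added example (not code from the original post or from Volatility) that parses Volatility 2 filescan output, filters by extension case-insensitively (a grep for 'png' misses IMG_0001.PNG) and builds the matching dumpfiles commands. The sample output, its offsets and paths are constructed for the example, and the helper names are this example's own.

```python
import re
import shlex
from typing import Iterable, List, Tuple

# Row layout of Volatility 2 filescan output: Offset(P)  #Ptr  #Hnd  Access  Name
_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")

# Constructed sample in that layout. Offsets and paths are invented for this example;
# they are not taken from either CTF image.
SAMPLE_FILESCAN = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000001f2a3c40     16      0 R--r-d \\Device\\HarddiskVolume1\\Users\\user\\Desktop\\photo.jpg
0x000000001f2b8e10      8      1 RW-rwd \\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe
0x000000001f2c1f20     16      0 R--r-d \\Device\\HarddiskVolume1\\Users\\user\\Pictures\\IMG_0001.PNG
0x000000001f2d5a80     14      0 R--rwd \\Device\\HarddiskVolume1\\Users\\user\\Desktop\\notes.zip
"""


def parse_filescan(output: str) -> List[Tuple[int, str]]:
    """Return (physical offset, path) for every data row; header and separator lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(5)))
    return rows


def find_by_extension(output: str, exts: Iterable[str]) -> List[Tuple[int, str]]:
    """Case-insensitive extension filter, so IMG_0001.PNG is found where grep 'png' would miss it."""
    wanted = tuple("." + e.lower().lstrip(".") for e in exts)
    return [(off, path) for off, path in parse_filescan(output) if path.lower().endswith(wanted)]


def dumpfiles_commands(image: str, profile: str, hits: Iterable[Tuple[int, str]],
                       outdir: str = "./") -> List[str]:
    """One dumpfiles invocation per hit. -Q takes the physical offset from filescan;
    -n keeps the original file name in the output name instead of only the offset."""
    return [
        f"vol.py -f {shlex.quote(image)} --profile={profile} dumpfiles -Q {off:#x} -n -D {shlex.quote(outdir)}"
        for off, _ in hits
    ]


if __name__ == "__main__":
    hits = find_by_extension(SAMPLE_FILESCAN, ["jpg", "png", "gif"])
    for off, path in hits:
        print(f"{off:#x} {path}")
    for cmd in dumpfiles_commands("easy_dump.img", "Win7SP1x64", hits):
        print(cmd)
```

In practice the output of a real filescan run is fed in instead of SAMPLE_FILESCAN, and the printed commands are run as they are.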

6. Run binwalk on the extracted picture to check whether a zip archive or other data is appended to it.
7. binwalk finds a zip; carve it out with foremost. Unpacking the archive gives an img file.
8. Run binwalk on that image too; it extracts a hint.txt file:

binwalk -e message.img 

9. hint.txt contains many numbers that appear in pairs, which look like coordinates. Treating each pair as a point and plotting them with gnuplot produces a QR code.
10. Scanning it gives the prompt: Here is the vigenere key: aeolus, but i deleted the encrypted message.
11. So this is a Vigenère cipher with key aeolus; with the algorithm and the key known, only the ciphertext is missing. Looking again at the two directories extracted earlier turns up a .message.swp file. This is a Vim swap file left by an interrupted editing session, and Vim can recover the buffer from it directly:

vim -r .message.swp 

12. The ciphertext appears in the recovered buffer.
13. yise!dmsx_tthv_arr_didvi should be the ciphertext; decrypt it with the key aeolus obtained earlier.
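The decryption in step 13, as an added example that is not part of the original post: a Vigenère routine that copies non-letters through and does not consume a key letter on them, which is the convention under which the ciphertext above decrypts to readable text. The advance_on_nonletters flag is this example's own and shows that the other convention gives a different, unreadable result.

```python
import string


def vigenere(text: str, key: str, decrypt: bool = True,
             advance_on_nonletters: bool = False) -> str:
    """Vigenère over the 26 ASCII letters, case preserved.
    Non-letters are copied unchanged. By default they do not consume a key letter
    (the usual convention); with advance_on_nonletters=True the key index moves on
    every character instead, which yields garbage for this ciphertext."""
    if not key or not all(k in string.ascii_letters for k in key):
        raise ValueError("key must be one or more ASCII letters")
    shifts = [ord(k.lower()) - ord("a") for k in key]
    out = []
    ki = 0                                  # index into the key
    for ch in text:
        if ch not in string.ascii_letters:
            out.append(ch)
            if advance_on_nonletters:
                ki += 1
            continue
        base = ord("A") if ch.isupper() else ord("a")
        s = shifts[ki % len(shifts)]
        if decrypt:
            s = -s
        out.append(chr((ord(ch) - base + s) % 26 + base))
        ki += 1
    return "".join(out)


CIPHERTEXT = "yise!dmsx_tthv_arr_didvi"   # from the recovered .message.swp
KEY = "aeolus"                            # from the QR code

if __name__ == "__main__":
    print(vigenere(CIPHERTEXT, KEY))                              # yeet!just_find_and_solve
    print(vigenere(CIPHERTEXT, KEY, advance_on_nonletters=True))  # not readable
```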

[An Xun Cup] Administrator's_secret

1. Check the basic information first.

vol.py -f mem.dump imageinfo

2. Look at the processes with pslist. One of them is CnCrypt.exe; CnCrypt is disk encryption software.

vol.py -f mem.dump --profile=Win7SP1x64 pslist

3. cmd.exe also appears in the process list, so check the console command history with cmdscan. It shows a flag.ccx file and a hint that the password of flag.ccx is the Administrator password:

vol.py -f mem.dump --profile=Win7SP1x64 cmdscan

4. So the file's password is the Administrator password. Next, locate flag.ccx in memory:

vol.py -f mem.dump --profile Win7SP1x64 filescan | grep flag.ccx

Then dump the file using the offset filescan printed. The dumped file is the encrypted container; what is still needed is the Administrator password:

vol.py -f mem.dump --profile Win7SP1x64 dumpfiles -Q 0x3e435890 --dump-dir=./

5. Next, find the Administrator password. First list the accounts stored in the SAM hive:

vol.py -f mem.dump --profile Win7SP1x64 printkey -K "SAM\Domains\Account\Users\Names"

Then get the virtual addresses of the SYSTEM and SAM hives, 0xfffff8a000024010 and 0xfffff8a001590010 respectively, with hivelist (the virtual address is where the hive sits in the kernel's address space). hashdump needs both hives, because the hashes in SAM are encrypted with the bootkey kept in SYSTEM; Volatility 2 locates them automatically, and they can also be passed explicitly with -y (SYSTEM offset) and -s (SAM offset):

vol.py -f mem.dump --profile Win7SP1x64 hivelist

6. hashdump prints the users' password hashes:

vol.py -f mem.dump --profile Win7SP1x64 hashdump 

The NT hash can then be looked up in an online database such as CMD5 to recover the Administrator password. Bear in mind that a hash submitted to a public lookup service is disclosed to that service; outside a CTF, test candidates locally instead.
This completes the extraction of the encrypted file and the user's password. CnCrypt was seen in the process list earlier, so the file was presumably encrypted with it.

7. Load flag.ccx in CnCrypt, decrypt it with the Administrator password and mount the volume to get the flag.

Origin blog.csdn.net/m0_46467017/article/details/126557076