[Technology Sharing] Practical Volatility Memory Forensics

Foreword:

Volatility is a very powerful memory forensics tool. It is a set of tools jointly developed by hundreds of well-known security experts from all over the world, and it can be used for memory forensics on Windows, Linux, Mac OS X and Android systems. It plays a pivotal role in emergency response, system analysis and forensics. In this issue of technology sharing, Xiaoxing will take you through the use and tricks of Volatility with three practical environments.

## 01 task.zip

```
python vol.py -f WIN-BU6IJ7FI9RU-20190927-152050.raw --profile=Win7SP1x86_23418 hashdump
```

Then crack the dumped hash on the somd5 website.
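What hashdump prints is pwdump-format lines (`user:rid:lmhash:nthash:::`), and the somd5 lookup simply compares the NT hash against a precomputed table. The following is an added example, not code from the original article: it parses constructed hashdump output, recomputes NT hashes (MD4 over the UTF-16LE password, implemented in pure Python because hashlib's md4 is frequently disabled) for a small constructed wordlist, and reports accounts with empty or dictionary passwords, which is the same check an auditor runs offline. The sample lines and the wordlist are constructed, not taken from the task image.

```python
import re
import struct

# Constructed sample of Volatility hashdump output (not from the task image).
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

# Constructed wordlist standing in for the online lookup table.
WORDLIST = ["password", "letmein", "Winter2019"]

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4 of the empty string
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as 64-bit LE.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        v = list(state)

        def step(fn, k, s, add, i):
            # Register roles rotate by one position every step.
            a, b, c, d = (-i) % 4, (1 - i) % 4, (2 - i) % 4, (3 - i) % 4
            v[a] = rotl((v[a] + fn(v[b], v[c], v[d]) + x[k] + add) & mask, s)

        for i in range(16):  # round 1
            step(f, i, (3, 7, 11, 19)[i % 4], 0, i)
        for i in range(16):  # round 2
            step(g, (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4], 0x5A827999, i)
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):  # round 3
            step(h, order[i], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1, i)
        state = [(s + t) & mask for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16le")).hex()


def parse_hashdump(text: str):
    """Parse pwdump-format lines; anything that does not match is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({"user": m.group(1), "rid": int(m.group(2)),
                         "lm": m.group(3).lower(), "nt": m.group(4).lower()})
    return rows


def audit(text: str, wordlist):
    """Map user -> recovered password for empty or dictionary NT hashes."""
    table = {nt_hash(w): w for w in wordlist}
    findings = {}
    for row in parse_hashdump(text):
        if row["nt"] == EMPTY_NT:
            findings[row["user"]] = "<empty password>"
        elif row["nt"] in table:
            findings[row["user"]] = table[row["nt"]]
    return findings


if __name__ == "__main__":
    for user, pw in audit(SAMPLE_HASHDUMP, WORDLIST).items():
        print(f"{user}: {pw}")
```

Accounts whose hash matches neither the empty hash nor the table (bob in the sample) are left out of the result, which is exactly the case where an online lookup comes back empty.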

## 02 task.7z

1. Use Volatility's imageinfo to view the image information of the memory dump.

2. Scan the desktop files and find a txt file whose name contains the word BitLocker.

3. Use dumpfiles to export the file and view its contents.

4. The result shows that the file is the BitLocker recovery key. Use DiskGenius to open the virtual disk file secret and unlock the BitLocker-encrypted partition by entering the recovery key; once the partition is unlocked, README.txt is visible, so right-click it and copy it to the desktop.

5. The content of README.txt is the flag.
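The key file found in step 2 is recognisable by its format even before you know what it is for: a BitLocker 48-digit recovery key is eight 6-digit groups, and each group is a multiple of 11 whose quotient fits in 16 bits (so every group is below 720896). The following is an added example, not code from the original article, that scans dumped text for candidates and keeps only those that pass the group check, which is a cheap way to flag recovery keys left in plaintext on a disk or in memory. The sample text is constructed, and the little-endian word layout used by `recovery_key_to_bytes` is an assumption stated in the code.

```python
import re

# Constructed sample standing in for a text file exported with dumpfiles
# (not the file from the task image). The second 48-digit string is not a key.
SAMPLE_TEXT = """\
BitLocker recovery key (constructed sample)
Recovery Key:
111111-222222-333333-444444-555555-666666-000011-123453
notes: 123456-234567-345678-456789-567890-678901-789012-890123 is not a key
"""

# Eight groups of six digits separated by dashes.
KEY_RE = re.compile(r"\b\d{6}(?:-\d{6}){7}\b")


def is_valid_recovery_key(candidate: str) -> bool:
    """Each group must be a multiple of 11 and, divided by 11, fit in 16 bits."""
    groups = candidate.split("-")
    if len(groups) != 8 or not all(g.isdigit() and len(g) == 6 for g in groups):
        return False
    return all(int(g) % 11 == 0 and int(g) < 720896 for g in groups)


def find_recovery_keys(text: str):
    """Return every dash-separated 48-digit string that passes the group check."""
    return [m.group(0) for m in KEY_RE.finditer(text)
            if is_valid_recovery_key(m.group(0))]


def recovery_key_to_bytes(candidate: str) -> bytes:
    """Convert a valid key to 16 bytes: each group / 11 as a 16-bit word.
    Little-endian word order is an assumption here, not taken from the article."""
    if not is_valid_recovery_key(candidate):
        raise ValueError("not a BitLocker recovery key")
    return b"".join((int(g) // 11).to_bytes(2, "little")
                    for g in candidate.split("-"))


if __name__ == "__main__":
    for key in find_recovery_keys(SAMPLE_TEXT):
        print(key, recovery_key_to_bytes(key).hex())
```

The regex alone would also match the second string in the sample; the modulo-11 test is what separates a real recovery key from an arbitrary run of digits.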

Wow, you have a great ability. How did you solve this? Are you a hacker?
Please give me a lesson later.

## 03 ez_forensics

1. Download the attachment to get a pc.vmdk disk file and a pc.raw memory file, and use FTK to mount the vmdk file.

2. After mounting, a BitLocker encryption prompt appears.

3. Examine the raw memory file with pstree and find that cmd.exe is running.

4. Run a regular filescan. First, filescan the desktop: there is no suspicious information there, so the focus of this challenge is not on the desktop.

5. Since cmd.exe is in the process list, use cmdscan to view what was typed on the command line.

6. The following results appear.

7. According to the prompt, there seems to be a special screenshot here; try to view the screenshot in memory.

8. It turns out that a file has been opened on the desktop. From the file name, it is known that this is a key file: thes3cret.

9. Try filescan on this file.

10. Perform the dumpfiles operation.

11. After extraction, it is found that this is a text file, and its content is shown below.

In summary, this is AES encryption. Xiaoxing once tried to decrypt it directly, but the decryption failed, so it can be inferred that the AES decryption here also requires a password.

1. Return to the disk file that was encrypted with BitLocker earlier. Since both the disk and the memory are available, EFDD can be used to decrypt the disk.

2. For the volume, select the mounted physical disk; for the memory dump, select the memory file, and run the decryption until it succeeds.

3. After successful decryption, cipher.zip and flag.txt are found, but the data in flag.txt is useless.

4. cipher.zip contains a cipher.png image.

5. Analyze the png image with stegsolve and find that there is LSB steganography hiding a compressed package.

6. After extraction, it is found that the compressed package needs a password to decompress.

7. There is a hint in the archive comment.

8. The hint says the password is the login password of the computer user. So return to the memory file and try to extract the login password with mimikatz.

From this we get:

9. Try to decrypt the compressed package. The decryption succeeds, and there is a key.txt file in the package, whose content is displayed as follows:

10. Every number is in the range 0-7 according to the data format, so this is octal encoding, and an octal decode is sufficient.

From this we get:

11. At this point, the AES ciphertext and key have both been obtained, and finally the AES decryption operation is performed to obtain the flag.
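Steps 5 and 6 above (finding a hidden, password-protected archive in the least significant bits of cipher.png) can be reproduced without a GUI tool. The following is an added example, not code from the original article or from stegsolve: it builds a constructed carrier (a deterministic byte pattern standing in for the decoded RGB bytes of a PNG), hides a constructed ZIP local file header in its LSBs, then extracts the LSB plane, searches it for the ZIP signature and reads the header's general-purpose flag bit 0, which is what tells you the archive is encrypted before you even try to open it. No PNG decoding is done; with a real image you would feed it the decoded pixel bytes.

```python
import struct

ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header signature


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write payload bits (MSB-first) into the LSB of consecutive channel bytes.
    Used here only to construct the sample carrier."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in carrier")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Reassemble the LSB plane: eight channel bytes give one output byte."""
    out = bytearray()
    for i in range(0, len(pixels) - len(pixels) % 8, 8):
        byte = 0
        for b in pixels[i:i + 8]:
            byte = (byte << 1) | (b & 1)
        out.append(byte)
    return bytes(out)


def find_embedded_zip(pixels: bytes):
    """Return (offset, blob from the signature onward) or None if no ZIP header."""
    plane = extract_lsb(pixels)
    idx = plane.find(ZIP_MAGIC)
    if idx < 0:
        return None
    return idx, plane[idx:]


def describe_zip_header(blob: bytes) -> dict:
    """Read name, method and the encryption flag (bit 0) from a local file header."""
    if not blob.startswith(ZIP_MAGIC) or len(blob) < 30:
        raise ValueError("not a ZIP local file header")
    (_ver, flags, method, _t, _d, _crc, _csize, _usize,
     nlen, _elen) = struct.unpack_from("<HHHHHIIIHH", blob, 4)
    name = blob[30:30 + nlen].decode("utf-8", "replace")
    return {"name": name, "encrypted": bool(flags & 1), "method": method}


def make_zip_local_header(name: bytes, encrypted: bool) -> bytes:
    """Constructed local file header (sizes and CRC zeroed; enough to detect)."""
    flags = 1 if encrypted else 0
    return ZIP_MAGIC + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0,
                                   0, 0, 0, len(name), 0) + name


def clean_pixels(n: int = 4096) -> bytes:
    """Constructed carrier with no hidden data (LSB plane is all 0xAA)."""
    return bytes((i * 37 + 11) & 0xFF for i in range(n))


def stego_pixels() -> bytes:
    """Constructed carrier with a password-protected ZIP header hidden in its LSBs."""
    hidden = (b"\xff\x00\x2a"
              + make_zip_local_header(b"key.txt", encrypted=True)
              + b"\x00" * 16)
    return embed_lsb(clean_pixels(), hidden)


if __name__ == "__main__":
    hit = find_embedded_zip(stego_pixels())
    if hit:
        print("ZIP header at LSB-plane offset", hit[0], describe_zip_header(hit[1]))
```

Because the hidden data starts at the first channel byte, the extracted plane lines up byte-for-byte with the payload; if an image hides data at a pixel offset or in one channel only, run the same extraction over each offset and channel and look for the signature in each result.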


Finally

For students who have never been exposed to network security, we have prepared a detailed learning and growth roadmap for you. It can be said that it is the most scientific and systematic learning route, and it is no problem for everyone to follow this general direction.

At the same time, there are supporting videos for each section corresponding to the growth route:


Of course, in addition to supporting videos, various documents, books, materials & tools have been sorted out for you, and they have been classified into categories for you.

Due to the limited space, only part of the information is displayed. Friends in need can [click the card below] to get it for free:


Origin blog.csdn.net/Android062005/article/details/131865513