Introduction
This post gives an overview of memory forensics, a key area of cybersecurity. It focuses on how volatile memory, particularly on Windows systems, is analyzed during incident response. We also walk through the TryHackMe room Critical, part of the SOC Level 1 track.
Computer Forensics Study Notes
Memory Forensics In Cyber Security
Memory Forensics: A subset of computer forensics that deals with analyzing the content of a system’s RAM (Random Access Memory) to understand what was happening on a machine at the time of compromise.
Importance of Memory Analysis: This analysis captures an immediate snapshot of active processes and applications, which is often critical in understanding attacks since data in RAM is lost upon reboot or shutdown.
Memory Acquisition Process: Copying live memory to a file, called a memory dump, is essential for preserving volatile data for analysis. The video also discusses tools such as FTK Imager, LiME, and OSF used to acquire memory depending on the OS (Windows, Linux, Mac).
Analyzing Memory Dumps: Using tools like Volatility (a memory forensics tool), users can extract key system information like the kernel base address, OS version, and active processes.
Key Plugins in Volatility: Several plugins help investigate network activity, processes, and file access. Plugins like windows.netstat and windows.pstree are highlighted for listing network connections and showing processes as a parent-child tree.
Network Forensics: The video emphasizes the importance of analyzing active network connections, especially those that indicate ongoing remote sessions (like RDP), which attackers might use to control a machine.
Investigating Malicious Processes: Using Volatility’s plugins, viewers are shown how to identify malicious processes, trace their parent-child relationships, and look deeper into files and directories they accessed.
HTTP Requests and Attack Detection: The presenter showcases an investigation into HTTP requests captured in memory, revealing potential encryption key exchanges between an attacker’s server and the compromised machine.
Timestamp and File Access Analysis: The video demonstrates how to retrieve and analyze file timestamps to track when specific malicious files, such as a PDF document, were created and accessed.
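As an added example (not code from the post or the room), a small Python helper that parses Volatility 3's tab-separated text output and correlates three plugins the way the investigation above does: which process owns an established port-80 connection (windows.netscan), which PIDs are children of a process (windows.pstree), and how to recover the full path of a process whose name pstree shows truncated (windows.filescan). The sample tables are constructed, with documentation-range IP addresses and pstree columns trimmed to those used.

```python
import re

# Constructed sample output in the shape of Volatility 3's tab-separated text
# renderer (vol -f mem.dmp windows.netscan / windows.pstree / windows.filescan).
NETSCAN = (
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated\n"
    "0xe0001\tTCPv4\t10.0.2.15\t49711\t192.0.2.10\t80\tESTABLISHED\t4256\tmsedge.exe\t2024-02-24 22:50:01.000000\n"
    "0xe0002\tTCPv4\t10.0.2.15\t49712\t192.0.2.11\t443\tESTABLISHED\t4256\tmsedge.exe\t2024-02-24 22:50:03.000000\n"
    "0xe0003\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t900\tsvchost.exe\t2024-02-24 20:01:00.000000\n"
)
PSTREE = (
    "PID\tPPID\tImageFileName\tCreateTime\n"
    "3720\t3600\texplorer.exe\t2024-02-24 20:00:10.000000\n"
    "* 4520\t3720\tcritical_updat\t2024-02-24 22:51:50.000000\n"
    "** 1612\t4520\tupdater.exe\t2024-02-24 22:51:52.000000\n"
)
FILESCAN = (
    "Offset\tName\tSize\n"
    "0xa1\t\\Users\\user01\\Documents\\critical_update.exe\t73728\n"
    "0xa2\t\\Users\\user01\\Documents\\important_document.pdf\t10240\n"
)

def parse_table(text: str) -> list:
    """Turn one plugin's text table into a list of {column: value} rows.
    The '*' depth markers pstree prepends to the PID column are stripped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for ln in lines[1:]:
        cells = ln.split("\t")
        cells[0] = re.sub(r"^\*+\s*", "", cells[0])
        rows.append(dict(zip(header, cells)))
    return rows

def connections_on_port(netscan: list, port: int) -> list:
    """(ForeignAddr, Owner) of established connections to the given remote port."""
    return [(r["ForeignAddr"], r["Owner"]) for r in netscan
            if r["State"] == "ESTABLISHED" and r["ForeignPort"] == str(port)]

def children_of(pstree: list, name: str) -> list:
    """PIDs whose parent has the given (possibly truncated) ImageFileName."""
    parents = {r["PID"] for r in pstree if r["ImageFileName"] == name}
    return [int(r["PID"]) for r in pstree if r["PPID"] in parents]

def resolve_truncated(filescan: list, truncated: str) -> list:
    """EPROCESS.ImageFileName keeps only 14 characters, so pstree shows
    'critical_updat'; recover full paths by prefix-matching filescan basenames."""
    return [r["Name"] for r in filescan
            if r["Name"].rsplit("\\", 1)[-1].lower().startswith(truncated.lower())]
```

On a real dump, feed it the saved output of `vol -f <dump> windows.netscan` and the other two plugins instead of the constructed strings.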
Room Answers | TryHackMe Critical
What type of memory is analyzed during a forensic memory task?
RAM
In which phase will you create a memory dump of the target system?
Memory Acquisition
Which plugin can help us to get information about the OS running on the target machine?
Windows.info
Which tool referenced above can help us take a memory dump on a Linux OS?
LIME
Which command will display the help menu using Volatility on the target machine?
vol -h
Is the architecture of the machine x64 (64bit) Y/N?
Y
What is the version of the Windows OS?
10
What is the base address of the kernel?
0xf8066161b000
Using the plugin “windows.netscan,” can you identify the IP address that established a connection on port 80?
192.168.182.128
Using the plugin “windows.netscan,” can you identify the program (owner) used to access through port 80?
msedge.exe
Analyzing the processes present in the dump, what is the PID of the child process of critical_updat?
1612
What is the creation timestamp for the process with the truncated name critical_updat?
2024-02-24 22:51:50.000000
Analyzing the “windows.filescan” output, what is the full path and name for critical_updat?
C:\Users\user01\Documents\critical_update.exe
Analyzing the “windows.mftscan.MFTScan” output, what is the timestamp for the created date of important_document.pdf?
2024-02-24 20:39:42.000000
Analyzing the updater.exe memory output, can you observe the HTTP request and determine the server used by the attacker?
SimpleHTTP/0.6 Python/3.10.4