We covered conducting memory forensics with the Volatility framework. The scenario involved a memory dump that was assumed to contain encrypted documents, which we extracted with the relevant plugins, such as filescan and dumpfiles. The extracted file was encrypted with TrueCrypt, so the password used for encryption was recovered with the truecryptpassphrase plugin in Volatility version 2. After decryption, the encrypted file was mounted as a filesystem with VeraCrypt; it contained source code written in C#, with snippets indicating the use of the DES encryption algorithm to encrypt other files. This was part of the HackTheBox TrueSecrets Forensics Challenge.
Our cybercrime unit has been investigating a well-known APT group for several months. The group has been responsible for several high-profile attacks on corporate organizations. However, what is interesting about that case is that they have developed a custom command & control server of their own. Fortunately, our unit was able to raid the home of the leader of the APT group and take a memory capture of his computer while it was still powered on. Analyze the capture to try to find the source code of the server.
Video Highlights
As stated in the video, we used the below Volatility 3 plugins to extract the artifacts:
windows.info
windows.filescan
windows.dumpfiles
To extract the password used for the TrueCrypt volume, the below plugin can be used with Volatility 2:
truecryptpassphrase
The encrypted volume can be mounted with VeraCrypt by supplying the recovered password, which gives access to the main filesystem containing the C# code and the files encrypted with DES. Using the IV and the key found in that code, you can decrypt the files and obtain the flag.
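As an added example (not code from the challenge or the recovered source), the following C# program shows how an analyst can decrypt the DES-encrypted files once the key and IV have been read out of the recovered code. The key and IV below are placeholders, the CBC mode and PKCS7 padding are assumptions to be checked against the recovered source, and the program targets .NET 5 or later.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Decrypts files produced by a DES-CBC routine, given the key/IV recovered from the mounted volume's C# source.
static class DesFileDecryptor
{
    // PLACEHOLDER values: substitute the 8-byte key and 8-byte IV read from the recovered source.
    static readonly byte[] Key = Convert.FromHexString("0123456789ABCDEF");
    static readonly byte[] Iv  = Convert.FromHexString("FEDCBA9876543210");

    static byte[] Transform(byte[] data, byte[] key, byte[] iv, bool encrypt)
    {
        using DES des = DES.Create();
        des.Key = key;
        des.IV = iv;
        des.Mode = CipherMode.CBC;        // assumption: match the Mode set in the recovered code
        des.Padding = PaddingMode.PKCS7;  // assumption: match the Padding set in the recovered code
        using ICryptoTransform t = encrypt ? des.CreateEncryptor() : des.CreateDecryptor();
        return t.TransformFinalBlock(data, 0, data.Length);
    }

    static void Main(string[] args)
    {
        // Self-check on a constructed sample so a wrong mode/padding shows up before touching evidence.
        byte[] sample = Encoding.UTF8.GetBytes("constructed sample plaintext");
        byte[] roundTrip = Transform(Transform(sample, Key, Iv, true), Key, Iv, false);
        if (!roundTrip.AsSpan().SequenceEqual(sample))
            throw new InvalidOperationException("DES round-trip failed; check key, IV, mode and padding");
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: DesFileDecryptor <encrypted-dir> <output-dir>");
            return;
        }
        Directory.CreateDirectory(args[1]);
        foreach (string path in Directory.GetFiles(args[0]))
        {
            byte[] plain;
            try { plain = Transform(File.ReadAllBytes(path), Key, Iv, false); }
            catch (CryptographicException e)   // bad padding/length: wrong key/IV or not a DES-encrypted file
            {
                Console.Error.WriteLine($"skip {path}: {e.Message}");
                continue;
            }
            // Write decrypted output to a separate directory; never overwrite the evidence files.
            File.WriteAllBytes(Path.Combine(args[1], Path.GetFileName(path)), plain);
        }
    }
}
```

Run it against a copy of the decrypted volume's encrypted-files directory; files that fail padding validation are skipped and reported rather than written.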
The flag for this challenge can be found in the shared directory after extraction; specifically, it is written on a piece of paper held by the person shown in the picture.
Video Walkthrough