The Book

Prompt

We have obtained a live system memory dump from a hacker's computer before it fried itself. The hacker was looking at a suspicious document. Can you retrieve the lost information?

Walk-Through

This challenge requires you to analyze a memory dump to determine what programs and software were running at the time that the memory dump was taken.

Before we start, decompress the file, which is currently .xz-compressed: run the command xz -d memdump.mem.xz and you will be left with a memdump.mem file.

To conduct the memory analysis, you’ll need to download the tool Volatility available at https://github.com/volatilityfoundation/volatility3 to dissect the information in the memory dump.

Firstly, we need to identify the operating system that this memory dump was taken from so that we can use Volatility efficiently. Unlike Volatility2, Volatility3 no longer needs profiles to determine what operating system settings to use. However, it can still be very helpful to know what system’s memory you are going to be looking at.

Using strings memdump.mem or file memdump.mem can help answer those questions.

file memdump.mem
memdump.mem: Windows Event Trace Log

To verify your work, you can use Volatility itself to print the memory dump's OS information:

./vol.py -f ./memdump.mem windows.info.Info

Using these pieces of information, we can deduce we are looking at a Windows memory dump.

Once we have identified the OS, we navigate into the Volatility directory, move the memory dump into it, and run:

./vol.py -f ./memdump.mem windows.envars.Envars

The windows.envars.Envars option tells Volatility to extract the Windows environment variables from the memory dump. These include a COMPUTERNAME variable, which answers the computer name question. The username is also present in the environment variables: you will find values referencing C:\Users\, for example, which answer the username question.

Next, we want to run a file scan to identify file paths, using a similar command:

./vol.py -f ./memdump.mem windows.filescan.FileScan

The windows.filescan.FileScan option tells Volatility to scan for all file objects present in the memory dump and list them for you. Look through the list for potentially interesting files, then extract a file's contents by running this command:

./vol.py -f ./memdump.mem -o ./dump windows.dumpfiles.DumpFiles --virtaddr [file address]

The windows.dumpfiles.DumpFiles option tells Volatility to extract the file content, the -o option specifies the directory the extracted file is written to, and the --virtaddr option takes the virtual address of the file of interest as listed by the scan in the previous step.

The file of interest in this case is actually a SQLite database file. You can open it with a tool such as SQLite Browser and browse the database tables to identify the real name of the “cloud” user.

Lastly, to identify the password, we’ll use Volatility once again and run the following command:

./vol.py -f ./memdump.mem windows.hashdump.Hashdump

The windows.hashdump.Hashdump option tells Volatility to extract the NTLM hashes of all users present in the memory dump. With the username you identified in the earlier question, you can use any NTLM password cracking tool to recover the plaintext password. Of note, the password is a simple one and does not require extensive hardware to crack.
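The steps above mean reading a lot of Volatility output by hand. As an added example (not part of the original write-up and not Volatility's own code), the script below pulls COMPUTERNAME and the username out of windows.envars.Envars output, finds the virtual address of a file by path in windows.filescan.FileScan output, and builds the DumpFiles command for it. The sample output lines, the hostname, username and file path are all constructed, and the tab-separated column layout is an assumption about how Volatility3 prints its tables.

```python
import re
from typing import Optional

# Constructed sample output in the shape of Volatility3's tab-separated tables
# (column order is an assumption; adjust the indexes if your build differs).
SAMPLE_ENVARS = """\
PID\tProcess\tBlock\tVariable\tValue
4312\texplorer.exe\t0x1a2b3c\tCOMPUTERNAME\tDESKTOP-EXAMPLE
4312\texplorer.exe\t0x1a2b3c\tUSERNAME\texample_user
4312\texplorer.exe\t0x1a2b3c\tUSERPROFILE\tC:\\Users\\example_user
"""

SAMPLE_FILESCAN = """\
Offset\tName\tSize
0xe000012345a0\t\\Users\\example_user\\Documents\\notes.db\t216
0xe000012346b0\t\\Windows\\System32\\kernel32.dll\t216
"""

def parse_envars(text: str) -> dict:
    """Return {variable: value} from Envars output; the first occurrence of a variable wins."""
    result = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split("\t")
        if len(parts) >= 5:
            result.setdefault(parts[3], parts[4])
    return result

def username_from_envars(env: dict) -> Optional[str]:
    """Prefer USERNAME; otherwise recover the name from any C:\\Users\\<name> value."""
    if "USERNAME" in env:
        return env["USERNAME"]
    for value in env.values():
        m = re.search(r"C:\\Users\\([^\\;]+)", value, re.IGNORECASE)
        if m:
            return m.group(1)
    return None

def find_file_offsets(text: str, needle: str) -> list:
    """Return (virtual address, path) pairs whose path contains needle (case-insensitive)."""
    hits = []
    for line in text.splitlines()[1:]:
        parts = line.split("\t")
        if len(parts) >= 2 and needle.lower() in parts[1].lower():
            hits.append((parts[0], parts[1]))
    return hits

def dumpfiles_command(virtaddr: str, image: str = "./memdump.mem", outdir: str = "./dump") -> str:
    """Build the windows.dumpfiles.DumpFiles invocation for one file address."""
    return f"./vol.py -f {image} -o {outdir} windows.dumpfiles.DumpFiles --virtaddr {virtaddr}"
```

Feed it the real plugin output (for example, saved with ./vol.py ... windows.filescan.FileScan > filescan.txt) in place of the constructed strings.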

Questions

What operating system was this dump taken from?

What is the name of the computer?

What is the name of the user that was logged in?

What is the full file path and name of the file of interest?

What is the real name of "cloud"?

What is the password of the currently logged in user?

©️ 2024 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.