Before I start in on this I just want to apologize for the lack of updates. I’ve been trying to get back working and that does take up most of my time.
This is going to be a series of articles focusing on the Command & Control forensic challenges from Root-Me.org. These mainly focus on memory forensics, and I feel they represent a more “realistic” exercise platform than what is available from hackthebox.eu. As I’m also a proponent of “work smarter, not harder”, I’ll also be using PassMark’s Volatility GUI front end, Volatility Workbench.
The setup for this exercise is that there has been a breach identified on a specific computer. A memory dump has been requested from the affected machine, however you (the examiner) forgot to write down the workstation name (I guess this could happen).
With the memory dump, we’ll go in and acquire the workstation name.
To start, we’ll ensure that the hash of the downloaded dump matches the hash published on the challenge page, so we know the evidence we are examining is the evidence that was acquired:
MD5 from the website:
Now we run md5sum against the dump:
And they match. Now we can move forwards with the investigation.
From here, we need to find out what OS we’re working with, because every later plugin needs the right profile. To do that, we run the imageinfo plugin: volatility -f ch2.dmp imageinfo
It appears that the memory dump is from a system running Windows 7 with Service Pack 1 installed. Now that we know the OS, we pass the matching profile with the --profile option and extract the hive list with the hivelist plugin, which gives us the virtual and physical offset of every registry hive in memory.
We know that the computer name is kept in the \registry\machine\system hive (hivelist shows its virtual offset as 0x8b21c008), so to extract it we use the printkey command with the -o (offset) flag pointing to that virtual offset and the -K (key) flag set to ‘ControlSet001\Control\ComputerName\ComputerName’. The ComputerName value under that key holds the workstation name. One caveat worth remembering: ControlSet001 is not always the control set the machine booted with; the live one is the number stored in the Select\Current value of the same hive, so if ControlSet001 and ControlSet002 disagree, check Select\Current and use whichever set it points to.
And there we have it. From here it’s a simple matter of writing down the computer name, and moving forwards.
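As an added example (not part of the original post, and not Volatility’s own code), the following Python scripts the steps above for Volatility 2.x: verifying the dump’s MD5, picking the profile out of imageinfo, finding the SYSTEM hive in hivelist, and building the printkey call. All tool output in it is constructed to match the 2.x layout; the physical offsets, profile list and computer name are invented, only the 0x8b21c008 SYSTEM offset comes from this post. It also reads Select\Current from the hive so the key path uses the control set the machine actually booted with rather than assuming ControlSet001.

```python
# Added example: scripts the volatility 2.x steps from this post (hash check,
# imageinfo, hivelist, printkey). The tool output below is CONSTRUCTED to match
# the volatility 2.x layout; it is not the real challenge image's output.
import hashlib
import re

CHUNK = 1024 * 1024  # hash the dump in 1 MiB pieces; memory images can be GBs


def iter_file_chunks(path, size=CHUNK):
    """Yield a file in chunks so a multi-GB dump is never read into RAM at once."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(size)
            if not block:
                return
            yield block


def md5_matches(chunks, expected_hex):
    """True when the MD5 of the concatenated chunks equals the published hash.
    The hash on the challenge page may be upper-case, so compare case-insensitively."""
    h = hashlib.md5()
    for block in chunks:
        h.update(block)
    return h.hexdigest() == expected_hex.strip().lower()


def suggested_profiles(imageinfo_text):
    """Pull the ordered profile list out of `volatility -f <dump> imageinfo` output."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_text)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def hive_virtual_offset(hivelist_text, hive_name):
    """Find a hive's virtual offset in `hivelist` output. The name match is
    case-insensitive: the post writes \\registry\\machine\\system while the plugin
    prints \\REGISTRY\\MACHINE\\SYSTEM. Returns an int, or None if absent."""
    line_re = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*?)\s*$")
    for line in hivelist_text.splitlines():
        m = line_re.match(line.strip())
        if m and m.group(3).lower() == hive_name.lower():
            return int(m.group(1), 16)
    return None


def control_set_from_select(printkey_select_text):
    """Derive the control set the machine booted with from printkey output for the
    Select key: REG_DWORD 'Current' = N means ControlSet00N."""
    m = re.search(r"REG_DWORD\s+Current\s*:\s*\([SV]\)\s*(\d+)", printkey_select_text)
    return "ControlSet%03d" % int(m.group(1)) if m else None


def printkey_argv(dump, profile, hive_offset, key):
    """Build argv for the printkey step (-o = hive virtual offset, -K = key path)."""
    return ["volatility", "-f", dump, "--profile=" + profile,
            "printkey", "-o", "0x%x" % hive_offset, "-K", key]


def computer_name_from_printkey(printkey_text):
    """Read the REG_SZ ComputerName value out of printkey output for the
    ...\\Control\\ComputerName\\ComputerName key."""
    m = re.search(r"REG_SZ\s+ComputerName\s*:\s*\([SV]\)\s*(\S+)", printkey_text)
    return m.group(1) if m else None


# --- constructed sample output (layout only; values are NOT from the challenge) ---
SAMPLE_IMAGEINFO = """\
          Suggested Profile(s) : Win7SP1x86, Win7SP0x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
"""
SAMPLE_HIVELIST = """\
Virtual    Physical   Name
---------- ---------- ----
0x8b21c008 0x1b21c008 \\REGISTRY\\MACHINE\\SYSTEM
0x8b24b9c8 0x1b24b9c8 \\REGISTRY\\MACHINE\\HARDWARE
"""
SAMPLE_SELECT = """\
REG_DWORD     Current         : (S) 1
REG_DWORD     Default         : (S) 1
"""
SAMPLE_COMPUTERNAME = """\
REG_SZ        ComputerName    : (S) WORKSTATION-01
"""


def workflow(dump="ch2.dmp"):
    """Run the post's steps end to end over the constructed output above and
    return (argv for the printkey step, recovered computer name)."""
    profile = suggested_profiles(SAMPLE_IMAGEINFO)[0]
    offset = hive_virtual_offset(SAMPLE_HIVELIST, r"\REGISTRY\MACHINE\SYSTEM")
    key = control_set_from_select(SAMPLE_SELECT) + r"\Control\ComputerName\ComputerName"
    return printkey_argv(dump, profile, offset, key), computer_name_from_printkey(SAMPLE_COMPUTERNAME)


if __name__ == "__main__":
    argv, name = workflow()
    print(" ".join(argv))
    print("computer name:", name)
```

Against a real image you would feed the stdout of each volatility run (imageinfo, hivelist, printkey -K Select, then printkey on the ComputerName key) into the matching function instead of the constructed samples, and hash the dump with md5_matches(iter_file_chunks("ch2.dmp"), published_hash) before doing any of it.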
Now that we’ve got the old-school stuff out of the way, let’s see how PassMark’s new Volatility Workbench handles this.
After downloading the zip file from PassMark’s website (https://www.osforensics.com/tools/volatility-workbench.html), we uncompress it and run the executable.
From here, use the Browse button to select the dump file. The next step is to select the correct profile for the image. This means you would have had to run the imageinfo command previously, as the tool doesn’t automagically select it once you’ve loaded the dump file. After that, press the Get Process List button and let it go to work.
After that has completed, we can use the command drop-down to get the hivelist.
Now that we have the hivelist, we can simply select the printkey command from the drop-down menu, input the registry key and the hive offset, and press Run.
And… nothing. The program throws an error. So this is a good lesson to remember: “if it ain’t broke, don’t fix it.” And as always,