Command and Control

Before I start in on this I just want to apologize for the lack of updates. I’ve been trying to get back working and that does take up most of my time.

This is going to be a series of articles focusing on the Command & Control forensic challenges from Root-Me.org. These mainly focus on memory forensics, and I feel they represent a more “realistic” exercise platform than what are available from hackthebox.eu.  As I’m also a  proponent of “work smarter, not harder”, I’ll also be using PassMark’s volatility GUI front end, Volatility Workbench.

The setup for this exercise is that there has been a breach identified on a specific computer. A memory dump has been requested from the affected machine, however you (the examiner) forgot to write down the workstation name (I guess this could happen).

With the memory dump, we’ll go in and acquire the workstation name.

To start, we’ll ensure that the hashes match between the file and the established hash

MD5 from the website:

Capture1

Now  we run the md5sum command against the dump:

Capture 2

And they match. Now we can move forwards with the investigation.

From here, we need to find out what OS  we’re working with. To do that, we run the following command: Volatility -f ch2,dmp imageinfo

Capture 3

It appears that the memory dump is from a system running Windows 7 with service pack 1 installed.  Now that we know the OS, we can use the profile option and extract the hive list.

Capture 4

We know that the registry key ‘ComputerName’ is kept in \registry\machine\system hive, so to extract it we use the printkey comand with the -o(offset) pointing to the virtual memory offset 0x8b21c008, and the -K(key) flag set to ‘Controllset001\Control\ComputerName\ComputerName’

Capture 5

And there we have it. From here it’s a simple matter of writing down the computer name, and moving forwards.

Now that we’ve got the old school stuff out of the way, lets see how PassMark’s new Volatility Workbench handles this.

After downloading the zip file from PassMark’s website(https://www.osforensics.com/tools/volatility-workbench.html), we uncompress it and run the executable.

Capture 6

From here, use the browse button to select the dump file. The next step is to select the correct profile for the image. This means that you would have had to run the imageinfo command previously, as it doesn’t automagically select it once you’ve loaded the dump file.  After that, press the get process list button, and let it go to work.

Capture 7

After that has completed, we can use the command drop down to get the hivelist

Capture 8

Now that we have the hivelist, we can simply select the printkey command from the drop down menu, input the registry key and offset, and press run.

Capture 10

And…. nothing. The program throws an error. So this is a good lesson to remember, “if it ain’t broke, don’t fix it”   And as always,

 

ppsr44ur

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s