Forensics Walkthrough: TryHackMe

Task [1]: Volatility forensics

#1 Download the victim.zip

Ans. No answer needed

After downloading the file, launch Volatility (a memory forensics tool) and run volatility -h to get the help menu and find the plugins needed to answer the questions.

#2 What is the OS of this Dump? (Just write OS name in small)

Get information about the image with the imageinfo plugin. The suggested profiles show that the victim was running a Windows OS.

Ans. windows

#3 What is the PID of SearchIndexer?

Use the pslist plugin to list all the processes that were running at the time the image was created.

Ans. 2180

#4 What is the last directory accessed by the user? (Just write last folder name as it is?)

The shellbags plugin gathers the information Windows stores about viewed directories, such as size, position and icon. With it we can track down the folders the user opened; check the access date and time to get the name of the last directory accessed.

Ans. deleted_files

Task [2]: Task2

#1 There are many suspicious open ports, which is it? (protocol:port)

The connections and connscan plugins can scan for open ports, but they only work on Windows XP and 2003 images, so we use the netscan plugin instead.

Ans. UDP:5005

#2 VAD tags and execute protection are strong indicators of malicious processes, can you find which they are? (Pid1;Pid2;Pid3…)

malfind is the plugin used to find hidden and injected code (malicious processes). Running it, we find three processes flagged as malicious.

Ans. 1860;1820;2464

Task [3] IOC SAGA

IOCs (Indicators of Compromise) are pieces of forensic data found in system log entries and files, used to identify malicious activity. Since we identified the malicious processes in the previous task, we can dump the memory of those processes to look for that activity.

Using the grep command together with the hint given in each question, we can easily find the answer.

Command used is: strings 1820.dmp | grep '' (with the question's hint placed between the quotes)

strings extracts all printable strings from the dump file, and grep filters them down to the ones matching the hint, giving us the candidate answers.

#1 'www.go****.ru' (write full url without any quotation marks)

Ans. www.goporn.ru

#2 'www.i****.com' (write full url without any quotation marks)

Ans. www.ikaka.com

#3 'www.ic******.com'

Ans. www.icsalabs.com

#4 202.***.233.*** (Write full IP)

Ans. 202.107.233.211

#5 ***.200.**.164 (Write full IP)

Ans. 209.200.12.164

#6 209.190.***.***

Ans. 209.190.122.186
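As an added example (not part of the original walkthrough), the strings-and-grep step above in Python: pull printable strings out of a dump the way `strings` does, turn the room's masked hints into regexes, and report the first fragment that fits each mask. The dump bytes are constructed here and are not taken from victim.zip.

```python
from __future__ import annotations
import re

# Constructed stand-in for a process memory dump: binary noise with a few
# embedded indicators. Not taken from the room's victim image.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00junk\x00http://www.goporn.ru/update.php\x00"
    b"\x01\x02Referer: www.ikaka.com\x00\xff\xfe202.107.233.211\x00"
    b"\x00www.icsalabs.com/av\x00\x00209.200.12.164:5005\x00ab\x00"
    b"\x00209.190.122.186\x00\x00OANOCACHE=1\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Mimic `strings`: return every run of printable ASCII of at least min_len."""
    runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [m.group().decode("ascii") for m in runs]


def mask_to_regex(hint: str) -> re.Pattern:
    """Turn a masked hint such as 'www.go****.ru' or '202.***.233.***' into a
    regex. Each '*' stands for exactly one character that is neither whitespace
    nor a dot (so a mask cannot swallow a label or octet separator); every other
    character is matched literally."""
    parts = [r"[^\s.]" if ch == "*" else re.escape(ch) for ch in hint]
    return re.compile("".join(parts))


def resolve_hints(data: bytes, hints: list[str]) -> dict[str, str | None]:
    """For each hint, return the first fragment among the dump's strings that
    fits the mask (the answer the room asks for), or None if nothing matches."""
    strings = extract_strings(data)
    found: dict[str, str | None] = {}
    for hint in hints:
        rx = mask_to_regex(hint)
        found[hint] = None
        for s in strings:
            m = rx.search(s)
            if m:
                found[hint] = m.group()
                break
    return found


if __name__ == "__main__":
    hints = ["www.go****.ru", "www.i****.com", "www.ic******.com",
             "202.***.233.***", "***.200.**.164", "209.190.***.***"]
    for hint, answer in resolve_hints(SAMPLE_DUMP, hints).items():
        print(f"{hint:18} -> {answer}")
```

On a real dump, read the file in binary mode and pass its contents as `data`; the fixed-width masks keep a short hint from matching unrelated longer hostnames.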

#7 What is a unique environment variable of PID 2464?

The envars plugin displays the environment variables of each process.

Ans. OANOCACHE

Thank you!!!
