Day 19

Memory forensics CrypTOYminers Sing Volala-lala-latility

Learning Objectives

Understand what memory forensics is and how to use it in a digital forensics investigation
Understand what volatile data and memory dumps are
Learn about Volatility and how it can be used to analyse a memory dump
Learn about Volatility profiles

Memory forensics, also known as volatile memory analysis or random access memory (RAM) forensics, is a branch of digital forensics.

It involves the examination and analysis of a computer's volatile memory (RAM) to uncover digital evidence and artefacts related to computer security incidents, cybercrimes, and other forensic investigations.

This type of data is volatile because it will be deleted when the computer is turned off.

This room is again a very straightforward one with all commands and instructions already given. We just need to follow along and run them.

What is the exposed password that we find from the bash history output? Submit
[REDACTED]

ubuntu@volatility:~/Desktop/Evidence$ vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_bash

Volatility Foundation Volatility Framework 2.6.1
Pid      Name Command Time                   Command
-------- ---- ----------------------------- -------
10205    bash 2023-10-02 18:19:58 UTC+0000   mysql -u root -p'REDACTED'

What is the PID of the miner process that we find?
[REDACTED]

ubuntu@volatility:~/Desktop/Evidence$ vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_pslist

Volatility Foundation Volatility Framework 2.6.1
Offset             Name         Pid  PPid Uid Gid DTB  Start Time
------------------ ----------- ----- ---- ------- ---- ------ ------------------ ----
0xffff9ce9b1e4c680 REDACTED    REDACTED 1    1000    1000 0x0000000074fa2000 2023-10-02 18:22:37 UTC+0000
0xffff9ce9bc23af00 mysqlserver 10291 1    1000    1000 0x000000006f166000 2023-10-02 18:22:37 UTC+0000

What is the MD5 hash of the miner process?
[REDACTED]

ubuntu@volatility:~/Desktop/Evidence$ md5sum extracted/miner.PID.0x400000              
REDACTED  extracted/miner.PID.0x400000

What is the MD5 hash of the mysqlserver process?
[REDACTED]

ubuntu@volatility:~/Desktop/Evidence$ md5sum extracted/mysqlserver.10291.0x400000              
REDACTED  extracted/mysqlserver.10291.0x400000

Use the command strings extracted/miner.<PID from question 2>.0x400000 | grep http://. What is the suspicious URL? (Fully defang the URL using CyberChef)
[REDACTED]

strings extracted/miner.<PID from question 2>.0x400000 | grep http://

After reading the elfie file, what location is the mysqlserver process dropped in on the file system?
[REDACTED]

ubuntu@volatility:~/Desktop/Evidence$ vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_find_file -i 0xffff9ce9b78280e8 -O extracted/elfie

ubuntu@volatility:~/Desktop/Evidence$ cat extracted/elfie

PreviousDay 18 NextDay 20

Last updated 2 years ago