Volatility and Bpvolatility Tryhackme Walkthrough

Learn how to perform memory forensics with Volatility!

Cyber Rey
4 min read · Nov 30, 2023

This write-up covers the Volatility Room on TryHackMe.
Learning Path (s): Cyber Defense, SOC Level 1
Module: Incident Response and Forensics, Digital Forensics and Incident Response
Skill: Forensics Tool
Protocol/Tools: Volatility, Alienvault Open Threat Exchange (OTX)

Volatility

Volatility is a free, open-source memory forensics framework. It analyses volatile memory (RAM), whose contents are lost once the device is powered off. Volatile memory holds artifacts that never reach disk: running processes and their parents, loaded DLLs, open handles and network connections, injected code, and the strings a program was working with. The workflow is to dump the system's volatile memory into a file (a memory image) and then query that image with Volatility's plugins.

Setting up

💡 Start the TryHackMe VM attached to the room and use it in the browser, or connect from your own machine via OpenVPN.

Install Volatility

Task 2–9:

These tasks contain a really handy rundown of how to use the tool, so do check that out. I skipped them here because they do not contain any questions.

Task 10: Practical Investigations

Note: The memory images for this task live in /Scenarios/Investigations on the VM, so start with cd /Scenarios/Investigations before running the commands below.

Note: Due to Medium’s formatting, some elements are dropped. Please visit our Notion page for the full tutorial.

Case 001

What is the build version of the host machine in Case 001?

  • Command: vol -f 'Investigation-1.vmem' windows.info. The build string is in the NTBuildLab row of the output.

At what time was the memory file acquired in Case 001?

  • The same windows.info output has a SystemTime row; that is the acquisition time.

What process can be considered suspicious in Case 001?

  • Command: vol -f 'Investigation-1.vmem' windows.pstree (windows.psscan also works, and additionally finds processes that are no longer linked into the active process list).
  • Every process in the tree descends from the System process, apart from reader_sl.exe, whose parent is explorer.exe. A process launched from explorer.exe is something a user started rather than part of the Windows boot chain, which is not suspicious on its own, but it is the odd one out here and is the one to investigate.

What is the parent process of the suspicious process in Case 001?

  • Check the parent process of reader_sl.exe.

What is the PID of the suspicious process in Case 001?

  • Find the PID of reader_sl.exe.

What is the parent process PID in Case 001?

  • Identify PID of the parent process.

What user-agent was employed by the adversary in Case 001?

  • First dump the memory of the suspicious process (reader_sl.exe, PID 1640) into a Dump directory. The VM's sudo password is 'infected': sudo python3 /opt/volatility3/vol.py -f 'Investigation-1.vmem' -o Dump windows.memmap.Memmap --pid 1640 --dump
  • Then change into the Dump directory and search the dump: sudo strings *.dmp | grep -i "user-agent". Plain strings only emits ASCII; Windows stores many strings as UTF-16LE, so repeat the search with strings -el to catch those as well.

Was Chase Bank one of the suspicious bank domains found in Case 001? (Y/N)

  • Search the same dump for the bank name: sudo strings *.dmp | grep -i "chase"
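The parent/child reasoning and the strings search used for Case 001 can be scripted so the same triage runs on any image. The following is an added example, not code from the TryHackMe room or from the Volatility project: it parses a constructed pslist-style table (modelled on Case 001 with made-up PIDs, in the tab-separated shape of vol3's default renderer) against a small "know normal" table of expected parents, and then pulls User-Agent values out of a constructed byte buffer in both ASCII and UTF-16LE, the wide form being what a plain strings | grep misses. The EXPECTED_PARENT table, the sample rows and the sample buffer are assumptions for illustration.

```python
"""Triage helpers for Volatility 3 output (added example, not code from the
TryHackMe room or from Volatility). PSLIST_ROWS and DUMP_SAMPLE are
constructed to resemble Case 001; they are not real output from
Investigation-1.vmem."""
import re

# Constructed rows in the shape of `vol ... windows.pslist` with vol3's default
# quick renderer (tab-separated). Only PID, PPID, ImageFileName are kept.
PSLIST_ROWS = [
    (4, 0, "System"), (368, 4, "smss.exe"), (584, 368, "csrss.exe"),
    (608, 368, "wininit.exe"), (656, 608, "services.exe"), (668, 608, "lsass.exe"),
    (824, 656, "svchost.exe"), (1464, 1432, "explorer.exe"),
    (1640, 1464, "reader_sl.exe"), (1900, 824, "svchost.exe"),
]
PSLIST_SAMPLE = "PID\tPPID\tImageFileName\n" + "".join(
    f"{pid}\t{ppid}\t{name}\n" for pid, ppid, name in PSLIST_ROWS)

# "Know normal" table (assumption for illustration): the parent each core
# Windows process must have. Extend it from a trusted process reference.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "wininit.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


def parse_pslist(text):
    """Return {pid: (ppid, image_name)} from tab-separated pslist output."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        procs[int(fields[0])] = (int(fields[1]), fields[2])
    return procs


def parent_name(procs, pid):
    """Name of the parent, or None when the parent has already exited
    (its PID is absent from the list, as with explorer.exe's userinit.exe)."""
    ppid = procs[pid][0]
    return procs[ppid][1] if ppid in procs else None


def find_anomalies(procs):
    """(pid, name, reason) for every process whose lineage needs a look:
    core processes with the wrong parent, and anything spawned by
    explorer.exe (user-launched, the reader_sl.exe situation in the room)."""
    findings = []
    for pid, (ppid, name) in procs.items():
        parent = parent_name(procs, pid)
        expected = EXPECTED_PARENT.get(name.lower())
        if expected and parent != expected:
            findings.append((pid, name, f"parent is {parent}, expected {expected}"))
        elif parent == "explorer.exe":
            findings.append((pid, name, "spawned by explorer.exe (user-launched)"))
    return findings


# Constructed stand-in for a Memmap .dmp: one ASCII HTTP request and one
# UTF-16LE header, padded with unrelated bytes.
DUMP_SAMPLE = (
    b"\x00\x00GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) Example\r\n"
    b"Host: example.test\r\n\x00\x00"
    + "User-Agent: WideAgent/1.0\r\n".encode("utf-16-le")
    + b"\xff\xfe"
)


def find_user_agents(data):
    """Extract User-Agent values stored as ASCII and as UTF-16LE. A plain
    `strings | grep` only sees the ASCII ones; `strings -el` finds the wide ones."""
    agents = []
    for m in re.finditer(rb"User-Agent:[ \t]*([\x20-\x7e]+)", data, re.IGNORECASE):
        agents.append(m.group(1).decode("ascii"))
    wide_key = re.escape("User-Agent:".encode("utf-16-le"))
    for m in re.finditer(wide_key + rb"(?:[ \t]\x00)*((?:[\x20-\x7e]\x00)+)", data):
        agents.append(m.group(1).decode("utf-16-le"))
    return agents


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    for pid, name, reason in find_anomalies(procs):
        print(f"PID {pid:>5} {name:<16} {reason}")
    print("user-agents:", find_user_agents(DUMP_SAMPLE))
```

On the constructed rows the script flags two processes: reader_sl.exe because explorer.exe spawned it, and the second svchost.exe because its parent is another svchost.exe rather than services.exe, which is the kind of lineage break the expected-parent table catches and a plain eyeball of pstree can miss.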

Case 002

What suspicious process is running at PID 740 in Case 002?

  • Repeat the process used previously and look for the row with PID 740: vol -f 'Investigation-2.raw' windows.pstree

What is the full path of the suspicious binary in PID 740 in Case 002?

  • Use the dlllist plugin restricted to the process: vol -f 'Investigation-2.raw' windows.dlllist --pid 740. The first entry for a process is its own executable, with the full path. windows.cmdline --pid 740 shows the same path from the command line the process was started with.

What is the parent process of PID 740 in Case 002?

  • Read it from the pstree output: PID 740 is indented under its parent, and the PPID column names it.

What is the suspicious parent process PID connected to the decryptor in Case 002?

  • Take the PPID column of the PID 740 row in the pstree output; that parent is the process connected to the decryptor.

From our current information, what malware is present on the system in Case 002?

  • Combine what is known so far (binary name, its path, the parent process) and search those indicators, for example on AlienVault OTX, to identify the malware family.

What DLL is loaded by the decryptor used for socket creation in Case 002?

  • Run vol -f 'Investigation-2.raw' windows.dlllist --pid 740 and look for the Winsock library, ws2_32.dll, which provides the socket API on Windows.

What mutex can be found that is a known indicator of the malware in question in Case 002?

  • Command: vol -f 'Investigation-2.raw' windows.handles --pid 740 | grep Mutant. Compare the Mutant names against the mutexes documented for the malware family in public threat reports.

What plugin could be used to identify all files loaded from the malware working directory in Case 002?

  • windows.filescan lists the file objects found in memory; grep its output for the malware's working directory. vol -h lists all available plugins if you want to check the alternatives.
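The handles and dlllist steps for Case 002 boil down to filtering two tables by PID and column. The following is an added example, not code from the TryHackMe room or from Volatility: it works on constructed rows in the shape of Volatility 3 windows.handles and windows.dlllist output (tab-separated) for a made-up PID 740, returns the Mutant names the process holds, checks them against a hypothetical indicator list, reads the image path from the first dlllist entry, and reports which network-capable DLLs (ws2_32.dll among them) the process has loaded. The process name sample.exe, the mutex ExampleMalwareMutex, the KNOWN_BAD_MUTEXES list and the sample rows are assumptions for illustration.

```python
"""Handle and DLL checks for one process of interest (added example, not
code from the TryHackMe room or from Volatility). The rows below are
constructed in the shape of Volatility 3 `windows.handles` and
`windows.dlllist` output (tab-separated quick renderer) for a made-up
PID 740; they are not real output from Investigation-2.raw."""

# Constructed handles rows: (PID, Process, Offset, HandleValue, Type, GrantedAccess, Name)
HANDLES_ROWS = [
    (740, "sample.exe", "0x8a1b2c30", "0x4", "Event", "0x1f0003", ""),
    (740, "sample.exe", "0x8a1b2d40", "0x8", "Mutant", "0x1f0001", "ExampleMalwareMutex"),
    (740, "sample.exe", "0x8a1b2e50", "0xc", "File", "0x100020", "\\Device\\HarddiskVolume1\\Windows"),
    (740, "sample.exe", "0x8a1b2f60", "0x10", "Mutant", "0x1f0001", "ShimCacheMutex"),
    (1234, "svchost.exe", "0x8a1c0000", "0x4", "Mutant", "0x1f0001", "ExampleMalwareMutex"),
]
HANDLES_SAMPLE = "PID\tProcess\tOffset\tHandleValue\tType\tGrantedAccess\tName\n" + "".join(
    "\t".join(str(c) for c in row) + "\n" for row in HANDLES_ROWS)

# Constructed dlllist rows: (PID, Process, Base, Size, Name, Path)
DLLLIST_ROWS = [
    (740, "sample.exe", "0x400000", "0x2a000", "sample.exe", "C:\\Users\\Public\\sample.exe"),
    (740, "sample.exe", "0x7c900000", "0xb2000", "ntdll.dll", "C:\\WINDOWS\\system32\\ntdll.dll"),
    (740, "sample.exe", "0x71ab0000", "0x17000", "WS2_32.dll", "C:\\WINDOWS\\system32\\WS2_32.dll"),
    (740, "sample.exe", "0x77c10000", "0x58000", "msvcrt.dll", "C:\\WINDOWS\\system32\\msvcrt.dll"),
]
DLLLIST_SAMPLE = "PID\tProcess\tBase\tSize\tName\tPath\n" + "".join(
    "\t".join(str(c) for c in row) + "\n" for row in DLLLIST_ROWS)

# Hypothetical indicator list; real names come from threat reports or OTX.
KNOWN_BAD_MUTEXES = {"examplemalwaremutex"}
# DLLs that give a process network capability (ws2_32.dll is Winsock).
NETWORK_DLLS = {"ws2_32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll", "dnsapi.dll"}


def _rows(text, min_fields):
    """Yield the tab-separated fields of each data row (header skipped)."""
    for line in text.splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) >= min_fields:
            yield fields


def mutants_for_pid(handles_text, pid):
    """Distinct Mutant names held by `pid` (the `windows.handles | grep Mutant` step)."""
    names = {f[6] for f in _rows(handles_text, 7)
             if int(f[0]) == pid and f[4] == "Mutant" and f[6]}
    return sorted(names)


def match_indicators(names, indicators=KNOWN_BAD_MUTEXES):
    """Names whose last path component is a known indicator (case-insensitive)."""
    return [n for n in names if n.rsplit("\\", 1)[-1].lower() in indicators]


def image_path(dlllist_text, pid):
    """Full path of the process image: the first dlllist entry for a PID is
    the main executable (head of the in-load-order module list)."""
    for f in _rows(dlllist_text, 6):
        if int(f[0]) == pid:
            return f[5]
    return None


def network_dlls(dlllist_text, pid):
    """Network-capable DLLs loaded by `pid`."""
    return sorted(f[4] for f in _rows(dlllist_text, 6)
                  if int(f[0]) == pid and f[4].lower() in NETWORK_DLLS)


if __name__ == "__main__":
    mutants = mutants_for_pid(HANDLES_SAMPLE, 740)
    print("mutants:", mutants, "matched:", match_indicators(mutants))
    print("image:", image_path(DLLLIST_SAMPLE, 740))
    print("network DLLs:", network_dlls(DLLLIST_SAMPLE, 740))
```

The indicator match is done on the last path component and case-insensitively because handle names may or may not carry the \BaseNamedObjects\ prefix depending on how they were opened, and reports do not always preserve case.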

BpVolatility

The following notes are from the BpVolatility room (a private room) which also uses Volatility, this time version 2, where a --profile matching the image's OS must be given to every command.

Examining a Memory Sample

Download the Zip file attached to the machine to obtain the memory sample, then identify the image and the profiles Volatility suggests for it:
volatility -f cridex.vmem imageinfo

Pick the right profile from the suggested ones and list the running processes:
volatility -f cridex.vmem --profile=WinXPSP2x86 pslist

View intentionally hidden processes (such as malware) by comparing the different ways Volatility can enumerate processes:
volatility -f cridex.vmem --profile=WinXPSP2x86 psxview

A False in a psxview column means that enumeration method did not see the process. A process that psscan finds but pslist does not is the classic sign of one unlinked from the active process list (or one that has already exited). A single False is not proof on its own: csrss.exe, as in the author's example here, normally shows False in the csrss column because csrss does not hold a handle to itself, so weigh it against the other columns before calling it malware.

Find injected code and dump it into the /tmp directory:
volatility -f cridex.vmem --profile=WinXPSP2x86 malfind -D /tmp

In a new tab, open /tmp to view the dumped sections.

View the DLLs loaded by each process:
volatility -f cridex.vmem --profile=WinXPSP2x86 dlllist

Pull out the DLLs of an infected process

List the processes and copy the infected process's PID:
volatility -f cridex.vmem --profile=WinXPSP2x86 pslist

Then dump that process's DLLs (the author used PID 584 here):
volatility -f cridex.vmem --profile=WinXPSP2x86 dlldump -p 584 -D /tmp

Open the /tmp tab to view the dumped files.
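The psxview step above is the one most often misread, so here is the cross-view logic written out. This is an added example, not code from the BpVolatility room or from Volatility: it parses a constructed psxview-style table (whitespace-aligned, as Volatility 2 prints it; the process ghost.exe and all offsets and PIDs are made up, not taken from cridex.vmem), flags processes that psscan sees but pslist does not, and treats the False values that csrss.exe, smss.exe and System legitimately show as expected rather than suspicious. The table of expected False values is an assumption for illustration.

```python
"""Cross-view check on Volatility 2 psxview output (added example, not code
from the bpvolatility room or from Volatility). PSXVIEW_SAMPLE is
constructed to resemble psxview on a Windows XP image; it is not real
output from cridex.vmem, and ghost.exe is a made-up process name."""

PSXVIEW_SAMPLE = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x02498700 winlogon.exe            608 True   True   True     True   True  True    True
0x02511360 svchost.exe             824 True   True   True     True   True  True    True
0x022e8da0 alg.exe                 788 True   True   True     True   True  True    True
0x02498850 csrss.exe               584 True   True   True     True   False True    True
0x02511698 ghost.exe              1828 False  True   True     True   True  True    True
0x024f1020 smss.exe                368 True   True   True     True   False False   False
0x02403020 System                    4 True   True   True     True   False False   False
"""

# psxview's enumeration methods, in column order.
VIEWS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]


def parse_psxview(text):
    """Return a list of {'name', 'pid', <view>: bool, ...} from psxview output."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].startswith("0x"):
            continue                       # header, separator or blank line
        flags = {view: val == "True" for view, val in zip(VIEWS, parts[3:10])}
        procs.append({"name": parts[1], "pid": int(parts[2]), **flags})
    return procs


def expected_false(proc, view):
    """Views that legitimately miss a process (assumption for illustration):
    the csrss method cannot see csrss.exe itself or processes that started
    before it (System, smss.exe), and those two also have no session or
    desktop threads."""
    name = proc["name"].lower()
    if view == "csrss" and name in ("csrss.exe", "smss.exe", "system"):
        return True
    if view in ("session", "deskthrd") and name in ("smss.exe", "system"):
        return True
    return False


def suspicious(procs):
    """(pid, name, reason) for processes hidden from at least one view that
    should have seen them; pslist-missing-but-psscan-present is called out
    separately because it is the DKOM unlink (or exited process) signature."""
    out = []
    for p in procs:
        if not p["pslist"] and p["psscan"]:
            out.append((p["pid"], p["name"], "in psscan but not pslist: unlinked (DKOM) or exited"))
            continue
        missed = [v for v in VIEWS if not p[v] and not expected_false(p, v)]
        if missed:
            out.append((p["pid"], p["name"], "missing from " + ", ".join(missed)))
    return out


if __name__ == "__main__":
    for pid, name, reason in suspicious(parse_psxview(PSXVIEW_SAMPLE)):
        print(f"PID {pid:>5} {name:<16} {reason}")
```

Run against the constructed table, only ghost.exe is reported; csrss.exe, smss.exe and System carry False values but all in columns where that is expected, which is exactly why a bare "one False means malware" rule produces false positives.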


Cyber Rey

Technophile | Woman in Cybersecurity | Cybersecurity Awareness Advocate!