Volatility and BpVolatility TryHackMe Walkthrough
This write-up covers the Volatility Room on TryHackMe.
Learning Path(s): Cyber Defense, SOC Level 1
Module: Incident Response and Forensics, Digital Forensics and Incident Response
Skill: Forensics Tool
Protocol/Tools: Volatility, Alienvault Open Threat Exchange (OTX)
Volatility
Volatility is a free, open-source memory forensics framework. It analyzes volatile memory (RAM), whose contents are lost once the device is powered off and which holds artifacts and clues that never reach non-volatile storage. The system’s volatile memory is first dumped to a file, which is then examined with Volatility’s various plugins.
Setting up
💡 Start the TryHackMe VM, or deploy the machine and connect to it locally via OpenVPN.
Install Volatility
Task 2–9:
These tasks contain a really handy rundown of how to use the tool, so do check them out. I skipped them here because they do not contain any questions.
Task 10: Practical Investigations
Note: The investigation files live in /Scenarios/Investigations, so make sure you first run:
cd /Scenarios/Investigations
Note: Due to Medium’s formatting, some elements are dropped. Please visit our Notion page for the full tutorial.
Case 001
What is the build version of the host machine in Case 001?
- Command:
vol -f 'Investigation-1.vmem' windows.info
At what time was the memory file acquired in Case 001?
- Check SystemTime for acquisition time.
What process can be considered suspicious in Case 001?
- All of the processes descend from the System process, apart from reader_sl.exe, whose parent is explorer.exe. This is potentially suspicious.
- Use psscan or pstree; the process stands out because of its parent:
vol -f 'Investigation-1.vmem' windows.pstree.PsTree
What is the parent process of the suspicious process in Case 001?
- Check the parent process of reader_sl.exe.
What is the PID of the suspicious process in Case 001?
- Find the PID of reader_sl.exe.
What is the parent process PID in Case 001?
- Identify PID of the parent process.
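To make the parent-process reasoning above concrete, here is an added Python example (not part of the room or of this write-up) that parses Volatility 3 windows.pstree output, walks each process's parent chain, and reports the processes that do not descend from System, plus the direct children of explorer.exe. The listing text, offsets and all PIDs except 4 (System) are constructed for the example; reader_sl.exe is given PID 1640 only because that is the PID the dump command later in this write-up uses.

```python
import re

# Constructed sample modelled on Volatility 3 `windows.pstree` output.
# Leading '*' characters mark tree depth; columns are tab-separated.
# Every PID except 4 (System) is made up for this example.
SAMPLE_PSTREE = """\
Volatility 3 Framework 2.5.0
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime

4\t0\tSystem\t0x823c8830\t51\t244\tN/A\tFalse\tN/A\tN/A
* 368\t4\tsmss.exe\t0x82169020\t3\t19\tN/A\tFalse\t2020-01-01 00:00:01.000000\tN/A
** 584\t368\tcsrss.exe\t0x82180c30\t9\t326\t0\tFalse\t2020-01-01 00:00:02.000000\tN/A
** 608\t368\twinlogon.exe\t0x82178860\t23\t519\t0\tFalse\t2020-01-01 00:00:02.000000\tN/A
*** 652\t608\tservices.exe\t0x81f87e40\t16\t243\t0\tFalse\t2020-01-01 00:00:03.000000\tN/A
**** 1028\t652\tsvchost.exe\t0x81e7b7e8\t88\t1424\t0\tFalse\t2020-01-01 00:00:04.000000\tN/A
1464\t1400\texplorer.exe\t0x821dea70\t17\t415\t0\tFalse\t2020-01-01 00:00:10.000000\tN/A
* 1640\t1464\treader_sl.exe\t0x81e7bda0\t5\t39\t0\tFalse\t2020-01-01 00:00:12.000000\tN/A
"""

# One data row: optional depth stars, then PID, PPID and image name (tab-separated).
ROW_RE = re.compile(r"^\**\s*(\d+)\t(\d+)\t([^\t]+)")


def parse_pstree(text):
    """Return {pid: (ppid, image_name)}; banner, progress and header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3))
    return procs


def lineage(procs, pid):
    """Image names from `pid` up to the top of its parent chain.

    The walk stops when the parent PID is absent from the listing (a parent that
    had already exited when the image was taken, as is normal for explorer.exe)
    or when a cycle is detected.
    """
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, name = procs[pid]
        chain.append(name)
        pid = ppid
    return chain


def not_rooted_at(procs, root="System"):
    """Processes whose chain does not end at `root`: (pid, ppid, name, top_of_chain)."""
    flagged = []
    for pid, (ppid, name) in procs.items():
        chain = lineage(procs, pid)
        if chain[-1] != root:
            flagged.append((pid, ppid, name, chain[-1]))
    return sorted(flagged)


def children_of(procs, parent_name):
    """(pid, name) of every process whose direct parent has the given image name."""
    parents = {pid for pid, (_, name) in procs.items() if name == parent_name}
    return sorted((pid, name) for pid, (ppid, name) in procs.items() if ppid in parents)


if __name__ == "__main__":
    procs = parse_pstree(SAMPLE_PSTREE)
    for pid, ppid, name, top in not_rooted_at(procs):
        print(f"PID {pid:>5}  PPID {ppid:>5}  {name:<16} top of chain: {top}")
    print("children of explorer.exe:", children_of(procs, "explorer.exe"))
```

Feed it real output with `vol -f 'Investigation-1.vmem' windows.pstree.PsTree > pstree.txt` and `parse_pstree(open("pstree.txt").read())`. Note that explorer.exe itself is reported because its parent is gone from the listing; that is expected on a normal host, so the interesting hits are the processes hanging beneath it.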
What user-agent was employed by the adversary in Case 001?
- To find the user agent, change to the Dump directory and search the dumped process memory:
sudo strings *.dmp | grep "user-agent"
- The dump itself is produced with Volatility’s memmap plugin, run with sudo python3 (the password is ‘infected’):
sudo python3 /opt/volatility3/vol.py -f 'Investigation-1.vmem' -o Dump windows.memmap.Memmap --pid 1640 --dump
Was Chase Bank one of the suspicious bank domains found in Case 001? (Y/N)
- Search the dump files for “chase”:
sudo strings *.dmp | grep "chase"
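The two `strings | grep` steps above miss one thing a memory dump commonly contains: UTF-16LE text, which Windows uses for many in-memory strings and which plain `strings` only shows with `-el`. The following added Python example (not from the room or this write-up) reimplements the search over a dump: it extracts printable ASCII and UTF-16LE runs, greps them case-insensitively, and can walk every .dmp file in a directory. The byte blob, hostnames and user-agent value are constructed for the example.

```python
import glob
import os
import re

# Constructed byte blob standing in for a slice of a process memory dump
# (the real input is the .dmp file written by `windows.memmap --dump`).
# Hostnames and the user-agent value are made up for this example.
SAMPLE_DUMP = (
    b"\x00\x01\x02GET /login HTTP/1.1\r\n"
    b"Host: www.example-bank.test\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\x00\x00"
    # A UTF-16LE string: `strings` without -el would not show this one.
    + "https://chase.example.test/".encode("utf-16-le")
    + b"\xff\xfe\x90ab\x00xyz\x00"
)


def extract_strings(blob, min_len=4):
    """Printable runs of at least `min_len` characters, as (offset, encoding, text).

    Like `strings`, but also recovers UTF-16LE text, which is common in Windows
    process memory and is missed by a plain `strings *.dmp`.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(blob)]
    found += [(m.start(), "utf16le", m.group().decode("utf-16-le")) for m in utf16_re.finditer(blob)]
    return sorted(found)


def grep_strings(blob, pattern, min_len=4):
    """Strings matching `pattern` (case-insensitive regex), in offset order."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [hit for hit in extract_strings(blob, min_len) if rx.search(hit[2])]


def grep_dump_dir(directory, pattern):
    """Run grep_strings over every .dmp file in `directory` (e.g. the Dump folder).

    Each hit is (file name, offset, encoding, text). Files are read whole, so run it
    on the per-process dumps rather than on the full image.
    """
    hits = []
    for path in sorted(glob.glob(os.path.join(directory, "*.dmp"))):
        with open(path, "rb") as fh:
            hits += [(os.path.basename(path),) + hit for hit in grep_strings(fh.read(), pattern)]
    return hits


if __name__ == "__main__":
    for hit in grep_strings(SAMPLE_DUMP, "user-agent") + grep_strings(SAMPLE_DUMP, "chase"):
        print(hit)
```

Against the room's files the equivalent of the two commands above is `grep_dump_dir("Dump", "user-agent")` and `grep_dump_dir("Dump", "chase")`; the encoding field tells you whether a hit would have been visible to `strings` at all.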
Case 002
What suspicious process is running at PID 740 in Case 002?
- Repeat the process used previously:
vol -f 'Investigation-2.raw' windows.pstree.PsTree
What is the full path of the suspicious binary in PID 740 in Case 002?
- Use the dlllist plugin with grep:
vol -f 'Investigation-2.raw' windows.dlllist | grep 740
What is the parent process of PID 740 in Case 002?
- Check pstree output.
What is the suspicious parent process PID connected to the decryptor in Case 002?
- Identify parent process PID.
From our current information, what malware is present on the system in Case 002?
- Deduce malware based on available data.
What DLL is loaded by the decryptor used for socket creation in Case 002?
- Research and find the relevant .dll.
What mutex can be found that is a known indicator of the malware in question in Case 002?
- Use the windows.handles plugin and grep.
What plugin could be used to identify all files loaded from the malware working directory in Case 002?
- Refer to Volatility’s help menu (vol -h lists the available plugins).
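For the dlllist and handles questions above, piping the listing through `grep 740` also matches PID 1740 and any address or size containing "740". The following added Python example (not from the room or this write-up) filters on the PID column instead: it parses the tab-separated Volatility 3 output, returns the process's own image path from dlllist, and lists the Mutant handles a PID holds. The listings, PIDs, paths and mutex names are constructed for the example; the mutex names in particular are placeholders, not real indicators.

```python
# Constructed samples in the layout of Volatility 3 `windows.dlllist` and
# `windows.handles` output (tab-separated). Paths, offsets and names are made up;
# the "_constructed" mutex names are placeholders, not real malware indicators.
SAMPLE_DLLLIST = """\
Volatility 3 Framework 2.5.0
Progress:  100.00\t\tPDB scanning finished
PID\tProcess\tBase\tSize\tName\tPath\tLoadTime\tFile output

740\tsuspect.exe\t0x400000\t0x2d000\tsuspect.exe\tC:\\Users\\user\\Desktop\\suspect.exe\t2020-01-01 00:00:10.000000\tDisabled
740\tsuspect.exe\t0x77a00000\t0x13c000\tntdll.dll\tC:\\Windows\\SYSTEM32\\ntdll.dll\t2020-01-01 00:00:10.000000\tDisabled
740\tsuspect.exe\t0x75c00000\t0xd4000\tkernel32.dll\tC:\\Windows\\system32\\kernel32.dll\t2020-01-01 00:00:10.000000\tDisabled
1740\tnotepad.exe\t0xc10000\t0x30000\tnotepad.exe\tC:\\Windows\\system32\\notepad.exe\t2020-01-01 00:00:20.000000\tDisabled
1740\tnotepad.exe\t0x77a00000\t0x13c000\tntdll.dll\tC:\\Windows\\SYSTEM32\\ntdll.dll\t2020-01-01 00:00:20.000000\tDisabled
"""

SAMPLE_HANDLES = """\
Volatility 3 Framework 2.5.0
PID\tProcess\tOffset\tHandleValue\tType\tGrantedAccess\tName

740\tsuspect.exe\t0x85e0a3c8\t0x4\tKey\t0x20019\tMACHINE
740\tsuspect.exe\t0x85f1b2a0\t0x38\tMutant\t0x1f0001\tExampleGlobalMutex_constructed
740\tsuspect.exe\t0x85e9c110\t0x3c\tFile\t0x100020\t\\Device\\HarddiskVolume1\\Users\\user\\Desktop
1740\tnotepad.exe\t0x85f33c88\t0x44\tMutant\t0x1f0001\tOtherMutex_constructed
"""


def parse_vol3_table(text):
    """Rows of a tab-separated Volatility 3 listing as dicts keyed by the header names."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("PID\t"))
    header = lines[start].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[start + 1:] if "\t" in line]


def rows_for_pid(rows, pid):
    """Exact match on the PID column, unlike a substring grep for the number."""
    return [r for r in rows if int(r["PID"]) == pid]


def lines_mentioning(text, token):
    """What `grep token` would return: every line containing the substring."""
    return [line for line in text.splitlines() if token in line]


def image_path(dll_rows, pid):
    """Full path of the process's own executable: the module whose name equals the process name."""
    for r in rows_for_pid(dll_rows, pid):
        if r["Name"].lower() == r["Process"].lower():
            return r["Path"]
    return None


def mutants(handle_rows, pid):
    """Names of the Mutant handles held by `pid`; compare these against known indicators."""
    return sorted(r["Name"] for r in rows_for_pid(handle_rows, pid)
                  if r["Type"] == "Mutant" and r["Name"])


if __name__ == "__main__":
    dlls, handles = parse_vol3_table(SAMPLE_DLLLIST), parse_vol3_table(SAMPLE_HANDLES)
    print("grep 740 lines:", len(lines_mentioning(SAMPLE_DLLLIST, "740")),
          "| PID 740 rows:", len(rows_for_pid(dlls, 740)))
    print("image path:", image_path(dlls, 740))
    print("mutants:", mutants(handles, 740))
```

On the real image the same narrowing can be done on the plugin side with `windows.dlllist --pid 740` and `windows.handles --pid 740`; the parser is useful when you have already saved the full listings to files.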
BpVolatility
The following is part of the BpVolatility room (a private room), which also uses Volatility, here in its Volatility 2 form with --profile.
Examining a Memory Sample
Download the zip file attached to the machine to obtain the memory sample, then identify the image:
volatility -f cridex.vmem imageinfo
Pick the right profile from the suggested ones and list the running processes:
volatility -f cridex.vmem --profile=WinXPSP2x86 pslist
View intentionally hidden processes (such as malware); a single False is likely to indicate malware, such as csrss.exe here:
volatility -f cridex.vmem --profile=WinXPSP2x86 psxview
Find injected code and dump it into the /tmp directory:
volatility -f cridex.vmem --profile=WinXPSP2x86 malfind -D /tmp
In a new tab, open /tmp to view the dump files.
View the DLLs loaded in memory:
volatility -f cridex.vmem --profile=WinXPSP2x86 dlllist
Pull out (infected) processes
List the processes and copy the infected process’s PID:
volatility -f cridex.vmem --profile=WinXPSP2x86 pslist
Dump that process’s DLLs into /tmp:
volatility -f cridex.vmem --profile=WinXPSP2x86 --pid=584 dlldump -D /tmp
Open the /tmp tab to view the dump files.
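The psxview step above hinges on reading the True/False columns correctly, and a few early-boot processes (System, smss.exe, csrss.exe) show False in the csrss, session or deskthrd columns on every clean host. This added Python example (not from the room or this write-up) parses Volatility 2 psxview output, flags every row with a False, and then re-runs the check with a simplified set of known-good exceptions so that only a process genuinely missing from a view remains. The listing, offsets and PIDs are constructed; the last row simulates a process unlinked from the process list but still found by pool scanning. The KNOWN_GOOD table is my approximation, not Volatility's exact rule set.

```python
import re

# Constructed sample in the layout of Volatility 2's psxview output.
# Offsets and PIDs are made up; the last row simulates a process that was
# unlinked from the EPROCESS list (pslist False) but found by psscan.
SAMPLE_PSXVIEW = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x02498700 System                    4 True   True   True     True   False False   False
0x0249a380 smss.exe                368 True   True   True     True   False False   False
0x02180c30 csrss.exe               584 True   True   True     True   False True    True
0x02178860 winlogon.exe            608 True   True   True     True   True  True    True
0x021dea70 explorer.exe           1464 True   True   True     True   True  True    True
0x01e7bda0 reader_sl.exe          1640 False  True   True     True   True  True    True
"""

COLUMNS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+((?:True|False)(?:\s+(?:True|False)){6})")

# Simplified stand-in for psxview's known-good rules (constructed for this example,
# not Volatility's exact rule set): processes that start before csrss.exe and before
# any session exists are legitimately absent from those views.
KNOWN_GOOD = {
    "System": {"csrss", "session", "deskthrd"},
    "smss.exe": {"csrss", "session", "deskthrd"},
    "csrss.exe": {"csrss"},
}


def parse_psxview(text):
    """Rows as {offset, name, pid, views: {column: bool}}; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        views = dict(zip(COLUMNS, (v == "True" for v in m.group(4).split())))
        rows.append({"offset": m.group(1), "name": m.group(2), "pid": int(m.group(3)), "views": views})
    return rows


def missing_views(row):
    """Columns in which the process was not found."""
    return [col for col, ok in row["views"].items() if not ok]


def flag_any_false(rows):
    """Raw reading: every process missing from at least one view."""
    return [r for r in rows if missing_views(r)]


def flag_with_known_good(rows):
    """Same check, ignoring the False entries that are expected for that process name."""
    flagged = []
    for r in rows:
        unexpected = [c for c in missing_views(r) if c not in KNOWN_GOOD.get(r["name"], set())]
        if unexpected:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    rows = parse_psxview(SAMPLE_PSXVIEW)
    print("any False:      ", [(r["pid"], r["name"], missing_views(r)) for r in flag_any_false(rows)])
    print("after known-good:", [(r["pid"], r["name"], missing_views(r)) for r in flag_with_known_good(rows)])
```

Volatility 2's own psxview can apply its built-in known-good rules with the -R option; the point of the second filter here is to show why a bare "one False means malware" reading over-flags, and that a process found by psscan but absent from pslist is the pattern worth chasing.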