CAS Cybersecurity

Volatility2 Exercise 1

Last updated 3 years ago

1. Introduction

At the company concerned, internal data turned up in data leaks. The affected computer is still running and you were able to create a RAM image of it. The machine in question is an older computer that is part of an industrial control system.

You have to analyse the RAM image with Volatility.

Resources: see the links at the end of this page.

The basic use of Volatility2 works as follows:

    volatility <plugin> [plugin options] [plugin parameters] -f </path/to/image> --profile=<profile>

With the following command you get the Volatility profile for an image:

    volatility_2.6 -f <IMAGE_PATH> imageinfo

Please answer the following questions:

  1. Which volatility profile should be used for the image?

  2. How many processes were active at the time of the backup?

  3. Are there any hidden processes?

  4. What network connections exist or existed? Is anything noticeable?

  5. Which processes started the connections?

  6. Examine the input in the command line. Which commands were executed? Do you notice anything suspicious?

  7. Which suspicious services are currently active?

2. Analysis and Answers

  1. Profile detection (the image uses the WinXPSP2x86 profile, which all following commands pass with --profile):

    volatility.exe -f doomed.vmem imageinfo

  2. Detect active processes (22 in total):

    volatility.exe -f doomed.vmem --profile=WinXPSP2x86 pslist

    Process tree view (parent-child relationship):

    volatility.exe -f doomed.vmem --profile=WinXPSP2x86 pstree

  3. Scan for hidden and terminated processes:

    volatility.exe -f doomed.vmem --profile=WinXPSP2x86 psscan
    volatility.exe -f doomed.vmem --profile=WinXPSP2x86 psxview

    Nothing suspicious detected so far!

  4. Check network connections:

    volatility.exe -f doomed.vmem --profile=WinXPSP2x86 connscan
    volatility.exe -f doomed.vmem --profile=WinXPSP2x86 connections
    volatility.exe -f doomed.vmem --profile=WinXPSP2x86 sockscan

  5. Process ID 1956 belongs to explorer.exe, which initiates a remote connection to 172.16.98.1:6666.

  6. Get the command line history:

    volatility.exe -f doomed.vmem --profile=WinXPSP2x86 cmdscan
    volatility.exe -f doomed.vmem --profile=WinXPSP2x86 consoles

    A service check was executed: sc query malware

  7. Check active services:

    volatility.exe -f doomed.vmem --profile=WinXPSP2x86 svcscan

    There are a lot of active services on that machine. Searching for "malware" shows that this service is still running:

    Binary path is \Driver\Malware
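The cross-checks behind questions 2 to 5 (compare the active process list with the pool scanner, attribute each connection to its owning process, and flag the ones that stand out) can be scripted over the plugins' text output. The following Python script is an added example and not part of the exercise or of Volatility; it parses constructed sample output laid out like Volatility2's pslist, psscan and connscan tables (the PIDs, names and addresses in the samples are made up for illustration, apart from mirroring the 1956/explorer.exe/172.16.98.1:6666 finding above). The WELL_KNOWN port set and the list of processes that rarely own outbound sockets are assumptions of the example, not Volatility settings.

```python
"""Cross-check Volatility2 pslist / psscan / connscan output for a memory image.

Answers, from the plugins' text output:
  - how many processes are in the active list,
  - which PIDs the pool scanner (psscan) sees but pslist does not
    (exited processes are expected there; a live one is hidden/unlinked),
  - which process owns each TCP connection and which connections look unusual.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample output, modelled on Volatility2's column layout (not from doomed.vmem).
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     55      244 ------      0
0x81f0e020 smss.exe                348      4      3       19 ------      0 2012-02-03 21:32:16 UTC+0000
0x81e9b020 explorer.exe           1956   1908     13      380      0      0 2012-02-03 21:33:02 UTC+0000
"""

PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000001f0e020 smss.exe            348      4 0x08140020 2012-02-03 21:32:16 UTC+0000
0x0000000001e9b020 explorer.exe       1956   1908 0x08140040 2012-02-03 21:33:02 UTC+0000
0x0000000001c11da0 cmd.exe            1884   1956 0x08140080 2012-02-03 21:40:11 UTC+0000   2012-02-03 21:41:00 UTC+0000
0x0000000001a4c020 hidden.exe         1204   1956 0x081400a0 2012-02-03 21:42:30 UTC+0000
"""

CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02062c78 172.16.98.128:1043        172.16.98.1:6666          1956
0x02078a10 172.16.98.128:1055        172.16.98.10:445          4
"""

# Assumptions of this example: ports treated as ordinary, and system processes
# that rarely own an outbound socket themselves (classic injection hosts).
WELL_KNOWN_PORTS = {25, 53, 80, 135, 139, 443, 445}
RARELY_NETWORKED = {"explorer.exe", "lsass.exe", "services.exe"}


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int
    exited: bool


def _data_rows(text):
    """Return whitespace-split columns of every row after the dashed separator line."""
    rows, started = [], False
    for line in text.splitlines():
        if line.startswith("---"):
            started = True
        elif started and line.strip():
            rows.append(line.split())
    return rows


def parse_pslist(text):
    """pslist columns: offset, name, pid, ppid, ... -> {pid: Proc} (all are live by definition)."""
    return {int(r[2]): Proc(r[1], int(r[2]), int(r[3]), exited=False) for r in _data_rows(text)}


def parse_psscan(text):
    """psscan columns: offset, name, pid, ppid, pdb, created [, exited]; a second 'UTC+0000' token means the process exited."""
    procs = {}
    for r in _data_rows(text):
        exited = sum(tok.startswith("UTC") for tok in r) >= 2
        procs[int(r[2])] = Proc(r[1], int(r[2]), int(r[3]), exited)
    return procs


def find_unlisted(pslist, psscan):
    """Split psscan-only PIDs into hidden (still live, unlinked from the list) and terminated."""
    hidden, terminated = [], []
    for pid, proc in psscan.items():
        if pid not in pslist:
            (terminated if proc.exited else hidden).append(proc)
    return hidden, terminated


def parse_connscan(text):
    """connscan columns: offset, local, remote, pid -> list of connection dicts."""
    conns = []
    for r in _data_rows(text):
        host, port = r[2].rsplit(":", 1)
        conns.append({"local": r[1], "remote_host": host, "remote_port": int(port), "pid": int(r[3])})
    return conns


def attribute_connections(conns, pslist, psscan):
    """Attach the owning process name and the reasons a connection deserves a closer look."""
    findings = []
    for c in conns:
        proc = pslist.get(c["pid"]) or psscan.get(c["pid"])
        name = proc.name if proc else "<unknown pid>"
        reasons = []
        if c["remote_port"] not in WELL_KNOWN_PORTS:
            reasons.append(f"uncommon remote port {c['remote_port']}")
        if not ip_address(c["remote_host"]).is_private:
            reasons.append("remote host outside private ranges")
        if name.lower() in RARELY_NETWORKED:
            reasons.append(f"{name} rarely owns an outbound socket itself")
        findings.append({**c, "process": name, "suspicious": bool(reasons), "reasons": reasons})
    return findings


def analyze(pslist_text=PSLIST_OUTPUT, psscan_text=PSSCAN_OUTPUT, connscan_text=CONNSCAN_OUTPUT):
    """Run all cross-checks and return a summary dict."""
    pslist, psscan = parse_pslist(pslist_text), parse_psscan(psscan_text)
    hidden, terminated = find_unlisted(pslist, psscan)
    conns = attribute_connections(parse_connscan(connscan_text), pslist, psscan)
    return {"active": len(pslist), "hidden": hidden, "terminated": terminated, "connections": conns}


if __name__ == "__main__":
    result = analyze()
    print(f"active processes: {result['active']}")
    print("hidden:", [p.name for p in result["hidden"]], "terminated:", [p.name for p in result["terminated"]])
    for c in result["connections"]:
        flag = " <-- " + "; ".join(c["reasons"]) if c["suspicious"] else ""
        print(f"pid {c['pid']} ({c['process']}) {c['local']} -> {c['remote_host']}:{c['remote_port']}{flag}")
```

To use it on a real image, redirect each plugin's output to a file (for example `volatility.exe -f doomed.vmem --profile=WinXPSP2x86 pslist > pslist.txt`) and pass the file contents to analyze(). The hidden-versus-terminated split relies on psscan's "Time exited" column, which is why the parser counts timestamp tokens instead of assuming a fixed column count; psxview does the same kind of cross-view comparison across more sources and should still be run alongside this.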

Resources linked on this page:

  • Volatility 3 CheatSheet
  • Volatility Cheatsheet
  • Memory image: 0zapftis.zip (Dropbox)