Posts

Showing posts from January, 2022

TryHackMe: Memory Forensics

https://tryhackme.com/room/memoryforensics

TASK 1 - Introduction

Join Room, Download Volatility (if you don't already have it). Perform memory forensics to find the flags.

These were some helpful resources that were given at the beginning of the challenge:
Volatility: https://github.com/volatilityfoundation/volatility/
Volatility wiki: https://github.com/volatilityfoundation/volatility/wiki
Cheatsheet: https://book.hacktricks.xyz/forensics/volatility-examples

When using Volatility, I find going directly to the command reference to be helpful: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
You can also type volatility -h for a list of options and plugin commands.

TASK 2 - Login

The forensic investigator on-site has performed the initial forensic analysis of John's computer and handed you the memory dump he generated on the computer. As the secondary forensic investigator, it is up to you to find all the required information in the m

CyberDefenders: CaseVegas

Note: All these answers can be found with Google. Street View is your friend. This is a fun beginner challenge where we are given a ~37-minute dash cam video and a few screen grabs.

Challenge Details: You are a detective, and you have been instructed to find a suspect who was employed in a major hotel chain and was responsible for the theft of US$ 3.5 million from his employers. When you were given the instruction, you were busy with another investigation and immediately abandoned that to start this new investigation. You were also meant to be home hours ago to take your loved one to a nice restaurant for a well-deserved dinner and relaxation time. During the investigation, your attempt to find the suspect was recorded in the included video. Analyze the video and other files and try to extract answers for some of the case questions.

-----

Before opening your file, verify it. If you're using Windows, right click on the zipped file, click CRC SHA, choose SHA 1. Make sure