TryHackMe: Memory Forensics

https://tryhackme.com/room/memoryforensics

TASK 1 - Introduction
 
Join the room and download Volatility (if you don't already have it).
 
Perform memory forensics to find the flags. 
 
These were some helpful resources that were given at the beginning of the challenge:
When using Volatility, I find going directly to the command reference to be helpful: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference

You can also run volatility -h for a list of options and available plugin commands.

TASK 2 - Login
 
The forensic investigator on-site has performed the initial forensic analysis of John's computer and handed you the memory dump he generated on the computer. As the secondary forensic investigator, it is up to you to find all the required information in the memory dump.
 
What is John's password?
 
First we need to identify which profile (i.e. which operating system version) to use for this memory dump. We can do this with imageinfo, which provides "a high level summary of the memory sample", including the suggested profiles.

 
Now that we have our profile, we can run hashdump. The hashdump command extracts and decrypts cached domain credentials stored in the registry. Run the hashdump command with the profile and redirect its output into a file.
 

I put these hashes into a file that I titled hashes.txt, opened the file, retrieved the hashes, and used https://crackstation.net/ to crack the hash and obtain John's password.
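The hashdump output is in the usual pwdump layout (user:RID:LM hash:NT hash:::), and before sending anything to a lookup site it is worth triaging it: accounts with a blank password, accounts that still have a real LM hash (weak legacy storage), and the set of NT hashes actually worth looking up. The following parser is an added example and is not code from the room or from Volatility; the sample lines are constructed (the RIDs follow the normal Windows layout, and John's and svc_backup's hash values are made up), while the two "empty" hash constants are the well-known values for a blank LM and blank NT hash.

```python
"""Parse Volatility hashdump output (pwdump format) and triage the accounts.

Assumed input format (constructed sample below):
    user:RID:LM_hash:NT_hash:::
"""
from __future__ import annotations

from dataclasses import dataclass

# Well-known constants: an "empty" LM hash means no LM hash is stored (LM
# disabled, or the password is longer than 14 characters); an "empty" NT hash
# means the account has a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample standing in for `volatility ... hashdump` output.
# RIDs: 500 = built-in Administrator, 501 = Guest, 1000+ = user accounts.
# The John and svc_backup hash values are made up for this example.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
this line is not a hash record
"""


@dataclass(frozen=True)
class HashRecord:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def blank_password(self) -> bool:
        return self.nt_hash == EMPTY_NT

    @property
    def has_lm_hash(self) -> bool:
        # A real LM hash means the password was also stored with the weak
        # LM scheme; worth noting in the report.
        return self.lm_hash != EMPTY_LM


def parse_hashdump(text: str) -> list[HashRecord]:
    """Parse pwdump-style lines; skip anything that does not fit the format."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        # user:rid:lm:nt::: -> 7 fields, the last three empty
        if len(parts) != 7 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        records.append(HashRecord(parts[0], int(parts[1]), lm, nt))
    return records


def triage(records: list[HashRecord]) -> dict[str, list[str]]:
    """Group accounts by what an investigator would want flagged."""
    return {
        "blank_password": [r.user for r in records if r.blank_password],
        "lm_hash_present": [r.user for r in records if r.has_lm_hash],
        "nt_hashes_to_lookup": sorted({r.nt_hash for r in records if not r.blank_password}),
    }


def nt_hash_for(records: list[HashRecord], user: str) -> str | None:
    """Return the NT hash for one account (case-insensitive name), if present."""
    for r in records:
        if r.user.lower() == user.lower():
            return r.nt_hash
    return None


if __name__ == "__main__":
    recs = parse_hashdump(SAMPLE_HASHDUMP)
    print(triage(recs))
    print("John's NT hash:", nt_hash_for(recs, "john"))
```

Feed it the hashes.txt you saved from hashdump instead of SAMPLE_HASHDUMP; the parser ignores any banner or warning lines Volatility prints around the records.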


TASK 3 - Analysis
 
On arrival, a picture was taken of the suspect's machine; in it, you could see that John had a command prompt window open. Sadly, the picture wasn't very clear, and you could not see what John was doing in the command prompt window.

To complete your forensic timeline, you should also look at what other information you can find: when was the last time John turned off his computer?

When was the machine last shutdown?

To find the last shutdown time we can use the shutdowntime command. This command is not listed on the website I posted earlier, but you can find it by typing volatility -h.
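The shutdowntime plugin works by reading the ShutdownTime value under the SYSTEM hive key ControlSet00X\Control\Windows, an 8-byte little-endian Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC), so if the plugin is unavailable or you want to cross-check its answer against the raw hive bytes, the conversion is short. The code below is an added example, not part of the room or of Volatility; the sample bytes are constructed (they encode 1970-01-01T00:00:00Z, a value chosen because it is easy to verify).

```python
"""Decode the registry value behind Volatility's shutdowntime plugin.

ShutdownTime (SYSTEM hive, ControlSet00X\\Control\\Windows) is a Windows
FILETIME: a 64-bit count of 100-nanosecond intervals since 1601-01-01 UTC.
"""
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_SECOND = 10_000_000

# Constructed sample: the 8 raw bytes as they would sit in the hive.
# 0x019DB1DED53E8000 is the FILETIME for 1970-01-01T00:00:00Z.
SAMPLE_SHUTDOWN_BYTES = bytes.fromhex("00803ed5deb19d01")


def filetime_to_datetime(value: int) -> datetime | None:
    """Convert a FILETIME integer to an aware UTC datetime.

    Returns None for 0 (value never written, e.g. no clean shutdown since
    install) and for values that do not fit in datetime's range.
    """
    if value <= 0:
        return None
    seconds, remainder = divmod(value, HUNDRED_NS_PER_SECOND)
    try:
        return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=remainder // 10)
    except OverflowError:
        return None


def raw_filetime_to_datetime(raw: bytes) -> datetime | None:
    """Decode the 8 little-endian bytes of a REG_BINARY ShutdownTime value."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    (value,) = struct.unpack("<Q", raw)
    return filetime_to_datetime(value)


def filetime_to_iso(raw: bytes) -> str:
    """Human-readable form for the timeline; flags an unset value explicitly."""
    dt = raw_filetime_to_datetime(raw)
    return dt.isoformat() if dt else "never / not recorded"


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, useful for cross-checking a plugin's output."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * HUNDRED_NS_PER_SECOND + delta.microseconds * 10


if __name__ == "__main__":
    print("Last shutdown:", filetime_to_iso(SAMPLE_SHUTDOWN_BYTES))
```

The value is stored in UTC; when you place it on the timeline next to file timestamps or event log entries, convert everything to one timezone first, and treat a zero or missing value as "no recorded clean shutdown" rather than as 1601.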

 

TASK 4 - TrueCrypt
 
A common task for forensic investigators is looking for hidden partitions and encrypted files. Suspicion arose when TrueCrypt and an encrypted partition were found on the suspect's machine. The interrogation did not succeed in getting the passphrase from the suspect; however, it may be present in the memory dump obtained from the suspect's computer.

What is the TrueCrypt passphrase?

From the TrueCrypt Wikipedia article: TrueCrypt is a discontinued source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, or encrypt a partition or the whole storage device.

The TrueCrypt passphrase can be found by using the truecryptpassphrase command.