Write-Up: Memory Forensics in the DEF CON DFIR CTF.
One of my goals for the second half of 2019 was to improve my memory forensics skills, and with almost too-good timing, the DEF CON DFIR CTF was released. Here's my write-up, with some added commentary for people who are learning this fine skill like I am. I've put the questions in italics, and flags in bold.
The CTF is still open. If you want to give it a shot, you can download the images and access the challenges via this link: https://www.hecfblog.com/2019/08/2019-unofficial-defcon-dfir-ctf.html
1. Get your volatility on. What is the SHA1 hash of triage.mem?
2. Pr0file. What profile is the most appropriate for this machine?
The first thing you'll want to determine when analysing a memory image is its profile: the OS version, service pack and architecture that tell Volatility how to interpret the kernel structures in the dump. Every subsequent command needs it. The 'imageinfo' plugin suggests candidate profiles:
volatility imageinfo -f triageMemory.mem
There are a number of suggested profiles, so I was hoping that the first would be correct, which it was. If the first suggestion fails (plugins return nothing or garbage), 'kdbgscan' narrows the list down by scanning for the kernel debugger block that matches each candidate.
3. Hey, write this down. What was the process ID of notepad.exe?
pslist is a plugin that lists the processes that were running at the time the dump was created, with their start times and process/parent IDs.
volatility -f triageMemory.mem --profile=Win7SP1x64 pslist | grep notepad.exe
4. wscript can haz children. Name the child processes of wscript.exe?
Using the same output as above, we can quickly identify the only instance of wscript.exe that was running at the time of the dump, and its child process (the one whose PPID is wscript's PID).
5. tcpip settings. What was the IP address of the machine at the time the RAM dump was created?
At first I tried running 'connections', 'sockets', and 'sockscan', but these plugins only work for Windows XP and Windows Server 2003. netscan is the plugin for Windows Vista/2008/7 and later. Looking at the Local Address column of the netscan output and disregarding 0.0.0.0 and 127.0.0.1, the most frequent IP address is 10.0.0.101. Bear in mind that netscan carves network objects out of kernel pool memory, so it also returns closed and stale entries; that is why counting rather than trusting a single row is the safer way to read it.
volatility -f triageMemory.mem --profile=Win7SP1x64 netscan
6. Intel. Based on the answer regarding the infected PID, can you determine what the IP address of the attacker was?
In the same netscan output we see an established connection from the process UWkpjFjDzM.exe to 10.0.0.106, so that is the attacker's address:
TCPv4 10.0.0.101:49217 10.0.0.106:4444 ESTABLISHED 3496 UWkpjFjDzM.exe
7. i ❤ windows dependencies. What process is VCRUNTIME140.dll associated with?
There is a plugin, dlllist, whose sole purpose is listing the DLLs loaded by each process (it walks the load-order module list in each process's PEB):
volatility -f triageMemory.mem --profile=Win7SP1x64 dlllist > dllList.txt
There are five associated processes, and four of them load it from the same path, Microsoft Office\Root\Office16. If we look at the process names, they all relate to Office products such as Excel, PowerPoint and Outlook. The odd one out is OfficeClickToR.
8. Mal-ware-are-you. What is the MD5 hash of the potential malware found on the system?
We've identified that UWkpjFjDzM.exe looks pretty dodgy. Volatility's procdump plugin rebuilds the process's executable from its in-memory PE image and writes it out for further analysis. You specify the output directory with -D and the process to dump with -p. Hash the resulting file with md5sum. Because the image is reconstructed from memory (sections remapped, imports already resolved), its hash will generally not match the original file on disk, so compare the dumped file against itself, not against a disk-based IOC.
volatility -f triageMemory.mem --profile=Win7SP1x64 procdump -D dump/ -p 3496
0xfffffa8005a1d9e0 0x0000000000400000 UWkpjFjDzM.exe OK: executable.3496.exe
9. Im-get bobs hash. What is the LM hash of bobs account?
This one is pretty straightforward. hashdump pulls the cached SAM and SYSTEM registry hives out of memory, derives the boot key from SYSTEM, and prints the local account hashes in the familiar user:rid:lmhash:nthash::: format:
volatility -f triageMemory.mem --profile=Win7SP1x64 hashdump > hashDump.txt
The third field is the LM hash, the fourth the NT hash. An LM value of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored at all (the default since Vista), so if bob's line shows that, the "LM hash" flag is the empty-LM constant itself.
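Here is an added example (my own code, not from the write-up or from Volatility) that parses hashdump output, flags accounts whose LM field is the empty-LM constant, spots the "second half blank" pattern that gives away passwords of seven characters or fewer when LM is stored, and verifies a candidate password against the NT hash with a pure-Python MD4 (NT hash = MD4 of the UTF-16LE password; hashlib's md4 is often unavailable on modern OpenSSL builds). The sample lines are constructed: the NT hashes are the well-known ones for the empty string and for "password", and the LM hash on the legacy account is the well-known LM of "password"; none of them is bob's real flag.

```python
"""Interpret hashdump output and check candidate passwords (added example)."""
import struct

# Constructed sample in hashdump's user:rid:lm:nt::: format; not the CTF's real values.
HASHDUMP_SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
legacy:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM of ""; means no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4 of ""; means a blank password
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib.new('md4') is not always available."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4  # which of a,b,c,d is updated this step (a, d, c, b, ...)
                v[t] = _rotl((v[t] + fn(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4])
                              + X[k] + const) & MASK, shifts[i % 4])
        h = [(a + b) & MASK for a, b in zip(h, v)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16le")).hex()


def parse_hashdump(text):
    accounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        accounts[user] = {"rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}
    return accounts


def lm_stored(entry):
    """False when the LM field is the empty-LM constant (LM hashing disabled)."""
    return entry["lm"] != EMPTY_LM


def lm_short_password(entry):
    """LM hashes the password in two 7-byte halves; a blank second half means <= 7 chars."""
    return lm_stored(entry) and entry["lm"][16:] == EMPTY_LM[16:]


def check_password(entry, candidate: str) -> bool:
    """Verify a candidate password offline against the account's NT hash."""
    return nt_hash(candidate) == entry["nt"]
```

Reading the output this way avoids a common mistake: reporting aad3b435b51404eeaad3b435b51404ee as if it were a crackable hash, when it only says LM storage is off.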
10. vad the impaler. What protections does the VAD node at 0xfffffa800577ba10 have?
To be honest, I had no idea what a VAD was before I started this CTF. The Virtual Address Descriptor tree is the kernel's per-process map of allocated memory ranges; each node records the range, its page protection, and whether the region is private memory or a mapped file or image. I used this blog post as a resource while figuring out the next two flags.
volatility -f triageMemory.mem --profile=Win7SP1x64 vadinfo > vadinfo.txt
11. more vads?! What protections did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
Using the same output file from the previous question, I was able to simply grep for the start and end offsets.
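Beyond grepping for a single offset, the same vadinfo output answers the question a responder actually has: which regions look like injected code? Here is an added example (my own code, not part of the write-up or of Volatility) that parses vadinfo records, looks up a VAD by node address or by start/end range, and applies the malfind-style heuristic: a private (non-file-backed) region with an executable protection is a candidate for injected code. VADINFO_SAMPLE is constructed in the shape of vadinfo's text output; its node addresses, ranges and protections are invented and are not the CTF's VADs, so substitute the offsets from questions 10 and 11 when running it on the real vadinfo.txt.

```python
"""Parse Volatility 2 vadinfo output and flag injection-like regions (added example)."""
import re

# Constructed sample in vadinfo's layout; addresses and protections are invented.
VADINFO_SAMPLE = """\
************************************************************************
Pid:   3496
VAD node @ 0xfffffa8005b00010 Start 0x0000000000400000 End 0x000000000041ffff Tag VadS
Flags: CommitCharge: 32, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone

VAD node @ 0xfffffa8005b00120 Start 0x0000000077a10000 End 0x0000000077b8ffff Tag Vad
Flags: CommitCharge: 13, Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @fffffa8003d6bb50 Segment fffff8a0001a4a70
FileObject @fffffa8003d1a620, Name: \\Windows\\System32\\ntdll.dll

VAD node @ 0xfffffa8005b00230 Start 0x0000000002f00000 End 0x0000000002f1ffff Tag VadS
Flags: CommitCharge: 3, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
************************************************************************
Pid:   3032
VAD node @ 0xfffffa8005b00340 Start 0x0000000000210000 End 0x000000000021ffff Tag VadS
Flags: CommitCharge: 1, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
"""

VAD_RE = re.compile(r"VAD node @ (0x[0-9a-f]+) Start (0x[0-9a-f]+) End (0x[0-9a-f]+) Tag (\w+)")


def parse_vadinfo(text):
    """Return one dict per VAD node, tagged with the owning PID from the 'Pid:' header."""
    vads, pid, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = VAD_RE.match(line)
        if line.startswith("Pid:"):
            pid = int(line.split()[1])
        elif m:
            cur = {"pid": pid, "node": int(m[1], 16), "start": int(m[2], 16),
                   "end": int(m[3], 16), "tag": m[4], "private": False,
                   "protection": None, "file": None}
            vads.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Flags:"):
            cur["private"] = "PrivateMemory: 1" in line
        elif line.startswith("Protection:"):  # the symbolic line, not the numeric one in Flags:
            cur["protection"] = line.split(":", 1)[1].strip()
        elif line.startswith("FileObject") and "Name:" in line:
            cur["file"] = line.split("Name:", 1)[1].strip()
    return vads


def vad_at_node(vads, node_addr):
    return next((v for v in vads if v["node"] == node_addr), None)


def vad_for_range(vads, start, end):
    return next((v for v in vads if v["start"] == start and v["end"] == end), None)


def injected_candidates(vads):
    """Private, executable, not backed by a file: the classic malfind indicator."""
    return [(v["pid"], v["start"], v["end"], v["protection"])
            for v in vads
            if v["private"] and v["file"] is None
            and v["protection"] and "EXECUTE" in v["protection"]]
```

The heuristic has false positives (JIT compilers and some packers allocate RWX memory legitimately), so treat a hit as a region to dump and inspect, not as a verdict.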
12. vacation bible school. There was a VBS script run on the machine. What is the name of the script?
Amongst all its other capabilities, Volatility can also recover the command line each process was started with (the cmdline plugin). We can see that there was only one .vbs script run, and it is tied to one of the processes identified in an earlier question (wscript.exe is the Windows Script Host, which is what runs .vbs files):
13. thx microsoft. An application was run at 2019–03–07 23:06:58 UTC, what is the name of the program?
In digital forensics, a common artifact for evidence of program execution is the Shimcache (also known as AppCompatCache), which records executables seen by the application-compatibility subsystem along with a timestamp. One caveat: on Windows 7 that timestamp is the executable's last-modified time from the file system, not the moment it ran, so read an entry as "this binary was present and very likely executed", not as a precise execution time. Of course, Volatility has a plugin for it.
volatility -f triageMemory.mem --profile=Win7SP1x64 shimcache > shimcache.txt
grep 2019-03-07 shimcache.txt
2019-03-07 23:06:58 UTC+0000 \??\C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
14. lightbulb moment. What was written in notepad.exe at the time of the memory dump?
Volatility's memdump plugin dumps the entire addressable memory of a specific process you're interested in. We saw in question 3 what the process ID (PID) of notepad.exe was, so we can plug that into the command as follows:
volatility -f triageMemory.mem --profile=Win7SP1x64 memdump --pid=3032 --dump-dir=/root/Documents
Now generally, I would go with the 'strings' command when analysing a small memory dump, because it gives you readable characters that you can quickly scroll through; I even tried -n 8 to specify that I only wanted strings of at least 8 characters, in the hope that the flag would be at least that long. But I fell into the trap of scrolling through this file for way too long before I realised... wait, I hadn't done the first step I should do in every CTF challenge like this: grep for the flag. And there it was. One caveat worth knowing for this kind of hunt: Notepad holds its edit buffer as UTF-16LE, so strings in its default 8-bit mode and grep on the raw dump will not match that copy of the text; use strings -e l (16-bit little-endian) as well, or search for the UTF-16LE encoding of your pattern.
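As an added example (my own code, not from the write-up), here is the search I'd run over a memdump output file so that both 8-bit and UTF-16LE copies of a string are found, along with strings-style extraction in both encodings. SAMPLE_DUMP is a constructed stand-in for a process dump with a UTF-16LE Notepad-like buffer and an 8-bit path string; the marker text in it is invented and is not the CTF flag.

```python
"""Find text in a process dump in both 8-bit and UTF-16LE encodings (added example)."""
import re

# Constructed stand-in for a memdump output: some padding, a PE-ish header,
# a UTF-16LE edit buffer (as Notepad stores it) and an 8-bit path string.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"MZ\x90\x00" + b"\x00" * 28
    + "The secret is: example-not-the-flag".encode("utf-16le")
    + b"\x00" * 16
    + b"C:\\Users\\bob\\Desktop\\notes.txt\x00"
    + b"\x00" * 32
)


def ascii_strings(data: bytes, min_len: int = 8):
    """Equivalent of `strings -n N`: runs of printable 8-bit characters."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def utf16le_strings(data: bytes, min_len: int = 8):
    """Equivalent of `strings -e l -n N`: printable chars each followed by a NUL byte."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16le") for m in re.finditer(pat, data)]


def find_text(data: bytes, needle: str):
    """Return (encoding, offset) for every occurrence of needle in either encoding."""
    hits = []
    for enc in ("ascii", "utf-16le"):
        pat = re.escape(needle.encode(enc))
        hits.extend((enc, m.start()) for m in re.finditer(pat, data))
    return hits


def search_dump_file(path: str, needle: str):
    """Convenience wrapper for a real memdump output file (e.g. 3032.dmp)."""
    with open(path, "rb") as fh:
        return find_text(fh.read(), needle)
```

The same two-encoding trick applies to any Windows GUI application's text: edit controls, window titles and clipboard contents are all UTF-16LE in memory.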
15. 8675309. What is the shortname of the file at file record 59045?
At first I didn't really understand what a short name was. After some googling, I realised it refers to the 8.3 DOS-compatible name (PROGRA~1 for "Program Files", for example) that NTFS stores in a file's MFT record alongside the long name: https://superuser.com/questions/348079/how-can-i-find-the-short-path-of-a-windows-directory-file.
This didn't help me find the flag on its own, but now I know what it means to refer to a document's short name. The file record, on the other hand, I knew I could obtain from the Master File Table, which holds one record per file on an NTFS volume; Volatility's mftparser plugin carves those records out of memory.
volatility -f triageMemory.mem --profile=Win7SP1x64 mftparser > mft.txt
By searching for the file record number, there is only one instance, and it is an Excel spreadsheet whose record carries both the long name and the short name.
16. whats-a-metasploit. This box was exploited and is running meterpreter. What PID was infected?
The netscan plugin with trusty grep will give you the flag here. Metasploit's default listener port is 4444, and only one process, PID 3496 (UWkpjFjDzM.exe), has a connection involving that port: an ESTABLISHED session from 10.0.0.101:49217 to 10.0.0.106:4444. Note that the victim process connected out to the attacker rather than listening, which is what a reverse-shell meterpreter payload does (a bind payload would show up as LISTENING on the local port instead). Port 4444 is only a default, so on a real case you'd also review every unexpected outbound connection regardless of port.
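Questions 5, 6 and 16 are all answered from the same netscan output, so here is one added example (my own code, not from the write-up or from Volatility) that does the three steps in code: parse the columns, pick the host's own address as the most frequent non-loopback local address, and flag connections on Metasploit's default port in either direction, distinguishing a reverse shell (victim dialled out, foreign port 4444) from a bind shell (victim LISTENING on 4444). NETSCAN_SAMPLE is constructed in netscan's column layout; only the 10.0.0.101:49217 to 10.0.0.106:4444 row reproduces a value quoted in this post, the other rows are filler.

```python
"""Triage Volatility 2 netscan output: host address and C2-like connections (added example)."""
from collections import Counter

# Constructed sample in netscan's layout: offset, proto, local, foreign, state, pid, owner, created.
NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x1e0c6a80         UDPv4    0.0.0.0:0                      *:*                                   4        System         2019-03-07 23:05:12 UTC+0000
0x1e2f1010         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        708      svchost.exe
0x1e3a2b40         TCPv4    10.0.0.101:139                 0.0.0.0:0            LISTENING        4        System
0x1e40ac80         TCPv4    127.0.0.1:49153                127.0.0.1:49154      ESTABLISHED      1160     svchost.exe
0x1e5a9a30         TCPv4    10.0.0.101:49204               52.114.88.20:443     CLOSED           3012     OUTLOOK.EXE
0x1e65d1f0         TCPv4    10.0.0.101:49217               10.0.0.106:4444      ESTABLISHED      3496     UWkpjFjDzM.exe
0x1e7010e0         TCPv6    -:0                            -:0                  LISTENING        708      svchost.exe
"""

NON_HOST = {"0.0.0.0", "127.0.0.1", "*", "-", "::", "::1"}
METASPLOIT_DEFAULT_PORTS = {4444}  # msfconsole's default LPORT: a hint, not proof
ACTIVE_STATES = {"ESTABLISHED", "CLOSE_WAIT", "SYN_SENT"}


def _split_addr(addr):
    host, _, port = addr.rpartition(":")
    return host, int(port) if port.isdigit() else None


def parse_netscan(text):
    """Parse netscan rows into dicts; tolerates the missing State column on UDP rows."""
    records = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # header or blank line
        tok = line.split()
        offset, proto, local, foreign = tok[:4]
        if tok[4].isdigit():  # UDP: no State, so the next token is the PID
            state, pid, owner = "", int(tok[4]), tok[5]
        else:
            state, pid, owner = tok[4], int(tok[5]), tok[6]
        lh, lp = _split_addr(local)
        fh, fp = _split_addr(foreign)
        records.append({"offset": offset, "proto": proto, "local_host": lh, "local_port": lp,
                        "foreign_host": fh, "foreign_port": fp, "state": state,
                        "pid": pid, "owner": owner})
    return records


def host_address(records):
    """Question 5: the address that appears most often as a local endpoint."""
    counts = Counter(r["local_host"] for r in records if r["local_host"] not in NON_HOST)
    return counts.most_common(1)[0][0] if counts else None


def suspicious_connections(records, ports=METASPLOIT_DEFAULT_PORTS):
    """Question 16: sockets touching a suspicious port, tagged by direction."""
    hits = []
    for r in records:
        if not r["proto"].startswith("TCP"):
            continue
        if r["foreign_port"] in ports and r["state"] in ACTIVE_STATES:
            hits.append({**r, "direction": "outbound"})  # reverse shell: victim dialled out
        elif r["local_port"] in ports and r["state"] == "LISTENING":
            hits.append({**r, "direction": "inbound"})   # bind shell: victim is listening
    return hits


def attacker_addresses(records, ports=METASPLOIT_DEFAULT_PORTS):
    """Question 6: foreign hosts of the outbound hits."""
    return sorted({h["foreign_host"] for h in suspicious_connections(records, ports)
                   if h["direction"] == "outbound"})
```

On a real case you'd widen `ports` or drop the port filter entirely and instead review every process with outbound connections that its name doesn't justify; the random-looking process name here is as strong a signal as the port number.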
Ah, good old crypto, which I thought would have been steganography.
There was a DFA Crypto Challenge as part of this CTF, which was merely an image (not reproduced here). We can straight away see some good old hexadecimal values.
Using CyberChef, the first thing I did was convert this from hex, giving me: poqdckhn. I thought perhaps they used a Caesar shift or some other common substitution cipher. But then Vigenère came up in the search option, so I gave that a try with key 'DFA', and that didn't really give me anything to work with; 'champlain' did though: nhqrnzhf. Look at those n's and h's. They totally look like they could be vowels, right? It's ROT13 time. We get 'audeamus', which I swore sounded like a motto from the military (it is, from the Canadian Special Forces), but it's also Champlain College's motto!
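The CyberChef recipe above is three reversible steps, so here is the same chain as an added Python example (my own code, not the write-up's recipe), with the Vigenère decryption written out and a helper that tries the candidate keys in turn. CIPHERTEXT_HEX is reconstructed from the post's first intermediate value 'poqdckhn', since the challenge image is not reproduced here; the key candidates are the ones the post tried.

```python
"""hex -> Vigenère (decrypt) -> ROT13 decode chain for the DFA challenge (added example)."""
import codecs

CIPHERTEXT_HEX = "706f7164636b686e"     # hex encoding of "poqdckhn", reconstructed from the post
KEY_CANDIDATES = ("DFA", "champlain")   # the guesses the post tried, in order


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Classic Vigenère over letters; non-letters pass through and do not consume key."""
    out, ki, key = [], 0, key.lower()
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        base = ord("A") if ch.isupper() else ord("a")
        shift = ord(key[ki % len(key)]) - ord("a")
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch) - base + shift) % 26 + base))
        ki += 1
    return "".join(out)


def rot13(text: str) -> str:
    return codecs.encode(text, "rot_13")


def decode_chain(hex_text: str, key: str):
    """Return (after_hex, after_vigenere, after_rot13) for one key."""
    plain = bytes.fromhex(hex_text).decode("ascii")
    after_vig = vigenere(plain, key, decrypt=True)
    return plain, after_vig, rot13(after_vig)


def try_keys(hex_text: str, keys=KEY_CANDIDATES):
    """Map each candidate key to the final string, so the readable one stands out."""
    return {k: decode_chain(hex_text, k)[2] for k in keys}
```

CyberChef's Vigenère operation treats the key the same way (letters only, cycled over the alphabetic characters), which is why the intermediate values match the ones in the post.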
Like I said, that was a great learning experience for me, and perhaps you were able to learn a few different ways of extracting forensic information from a memory dump after reading this write-up too.