Learning Objectives
- Understand what memory forensics is and how to use it in a digital forensics investigation
- Understand what volatile data and memory dumps are
- Learn about Volatility and how it can be used to analyse a memory dump
- Learn about Volatility profiles
Creating profiles is out of scope for this room, so for your convenience, a profile called Ubuntu_5.4.0-163-generic_profile.zip is already provided in the /home/ubuntu/Desktop/Evidence directory.
Open the terminal and change to the /home/ubuntu/Desktop/Evidence directory.
To use the profile, we have to copy it to the directory where Volatility stores its Linux profiles. The command:
cp Ubuntu_5.4.0-163-generic_profile.zip ~/.local/lib/python2.7/site-packages/volatility/plugins/overlays/linux/
To examine the bash history file for commands of interest (such as credentials typed on the command line), we can use the linux_bash plugin.
Command:
vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_bash
After running the above command, we find the MySQL password in the output:
QUESTIONS
- What is the exposed password that we find from the bash history output?
ANSWER
NEhX4VSrN7sV
- What is the PID of the miner process that we find?
ANSWER
10280
To find the PID, run the linux_pslist plugin:
vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_pslist
- What is the MD5 hash of the miner process?
ANSWER
153a5c8efe4aa3be240e5dc645480dee
To extract the process, we first need to create an output directory, then dump the process with linux_procdump. Commands:
mkdir extracted
vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_procdump -D extracted -p 10280
Now change to the extracted directory and hash the dumped image:
md5sum miner.10280.0x400000
- What is the MD5 hash of the mysqlserver process?
ANSWER
c586e774bb2aa17819d7faae18dad7d1
First of all, we need to find the process ID of mysqlserver. Command:
vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_pslist
The process ID of mysqlserver is 10291. Then dump it with the command:
vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_procdump -D extracted -p 10291
Now change to the extracted directory and hash the dumped image:
md5sum mysqlserver.10291.0x400000
- Use the command
strings extracted/miner.<PID from question 2>.0x400000 | grep http://
What is the suspicious URL? (Fully defang the URL using CyberChef)
ANSWER
hxxp[://]mcgreedysecretc2[.]thm
Run the command (from inside the extracted directory):
strings miner.10280.0x400000 | grep http://
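The hashing and URL steps from the questions above, automated as an added example (not part of the room or its write-up). It assumes a process image already dumped by linux_procdump (the path extracted/miner.10280.0x400000 is a placeholder for whichever dump you produced) and reproduces the CyberChef "Defang URL" transformation in sed, so no manual copy-paste is needed:

```shell
#!/bin/sh
# Added example: triage one process image dumped by linux_procdump.
# Assumed input path (placeholder): extracted/miner.10280.0x400000

# MD5 of the dumped image, as asked for in the miner/mysqlserver questions.
hash_dump() {
    md5sum "$1" | cut -d' ' -f1
}

# Pull http:// URLs out of a binary dump. grep -a forces text handling of
# the binary file and -o prints only the matching part; sort -u dedups.
extract_urls() {
    grep -ao 'http://[A-Za-z0-9._/:-]*' "$1" | sort -u
}

# Defang so the URL cannot be clicked or auto-linked:
# http -> hxxp, :// -> [://], every . -> [.]  (same result as CyberChef).
defang_url() {
    printf '%s\n' "$1" | sed -e 's|^http|hxxp|' -e 's|://|[://]|' -e 's|\.|[.]|g'
}

# Full triage of one dump: print its hash, then every embedded URL defanged.
triage_dump() {
    dump="$1"
    [ -f "$dump" ] || { echo "no such dump: $dump" >&2; return 1; }
    echo "md5: $(hash_dump "$dump")"
    extract_urls "$dump" | while IFS= read -r url; do
        echo "url: $(defang_url "$url")"
    done
}

# Usage: triage_dump extracted/miner.10280.0x400000
```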
- After reading the elfie file, what location is the mysqlserver process dropped in on the file system?
ANSWER
/var/tmp/.system-python3.8-Updates/mysqlserver
First, enumerate the cached files and filter for cron entries to locate the file's inode address:
vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_enumerate_files | grep -i cron
Then extract the file by its inode address with linux_find_file:
vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_find_file -i 0xffff9ce9b78280e8 -O extracted/elfie
Finally, change to the extracted directory and read the file with cat elfie.