Memory Forensics
Perform memory forensics to find the flags
easy
To access material, start machines and answer questions login.
Perform memory forensics to find the flags. If you are having trouble, maybe check out the volatility room first.
Enjoy!
Please note: The size of the attached vmem file to download for each Task is large: 1.07 GB.
Here are some resources I used, check them out for more information:
Volatility: https://github.com/volatilityfoundation/volatility/ (opens in new tab) (opens in new tab)
Volatility wiki: https://github.com/volatilityfoundation/volatility/wiki (opens in new tab)
Cheatsheet: https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-examples (opens in new tab) (opens in new tab)
Room icon credit: https://book.cyberyozh.com/counter-forensics-anti-computer-forensics (opens in new tab)
On arrival a picture was taken of the suspect's machine, on it, you could see that John had a command prompt window open. The picture wasn't very clear, sadly, and you could not see what John was doing in the command prompt window.
To complete your forensic timeline, you should also have a look at what other information you can find, when was the last time John turned off his computer?
When was the machine last shutdown?
A common task of forensic investigators is looking for hidden partitions and encrypted files, as suspicion arose when was found on the suspect's machine and an encrypted partition was found. The interrogation did not yield any success in getting the passphrase from the suspect, however, it may be present in the memory dump obtained from the suspect's computer.
Ready to learn Cyber Security?
TryHackMe provides free online cyber security training to secure jobs & upskill through a fun, interactive learning environment.
Already have an account? Log in