Memory Forensics

Perform memory forensics to find the flags

easy

45 min

Task 1: Introduction

Perform memory forensics to find the flags. If you are having trouble, maybe check out the Volatility room first.

Enjoy!


Please note: the vmem file attached to each task is a large download (1.07 GB).


Here are some resources I used; check them out for more information:

Volatility: https://github.com/volatilityfoundation/volatility/

Volatility wiki: https://github.com/volatilityfoundation/volatility/wiki

Cheatsheet: https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-examples


Room icon credit: https://book.cyberyozh.com/counter-forensics-anti-computer-forensics


Answer the questions below

I have understood the task and can continue to the questions!

The forensic investigator on-site has performed the initial forensic analysis of John's computer and handed you the memory dump he generated on the computer. As the secondary forensic investigator, it is up to you to find all the required information in the memory dump.

Answer the questions below

What is John's password?


On arrival, a picture was taken of the suspect's machine; on it you could see that John had a command prompt window open. Sadly, the picture wasn't very clear, and you could not see what John was doing in the command prompt window.

To complete your forensic timeline, you should also have a look at what other information you can find: when was the last time John turned off his computer?

Answer the questions below

When was the machine last shut down?

What did John write?
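One standard way to recover a Windows machine's last shutdown time from a memory image is to read the `ShutdownTime` value of the `SYSTEM\ControlSet001\Control\Windows` registry key (for example with Volatility 2's `printkey` plugin), which is stored as an 8-byte little-endian FILETIME. The following is an added example, not part of the room or of Volatility itself: it parses the hexdump of that value as `printkey` prints it and converts it to a UTC timestamp. The `printkey` output below is constructed to match that format, and the bytes in it are made up for the example; they are not John's shutdown time.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# FILETIME value of the Unix epoch (1970-01-01 00:00:00 UTC).
UNIX_EPOCH_AS_FILETIME = 116444736000000000

# Constructed sample, modelled on Volatility 2 `printkey -K "ControlSet001\Control\Windows"`
# output. The hex bytes are invented for this example, not taken from the room's image.
SAMPLE_PRINTKEY_OUTPUT = """\
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \\REGISTRY\\MACHINE\\SYSTEM
Key name: Windows (S)
Last updated: 2013-01-01 00:00:00 UTC+0000

Subkeys:

Values:
REG_DWORD     CSDVersion      : (S) 256
REG_BINARY    ShutdownTime    : (S)
0x00000000  00 00 2c f1 b2 e7 cd 01                           ..,.....
"""


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a raw 64-bit FILETIME integer to a timezone-aware UTC datetime."""
    # Integer division by 10 turns 100 ns ticks into microseconds.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def filetime_to_unix(filetime: int) -> int:
    """Convert a FILETIME integer to whole seconds since the Unix epoch."""
    return (filetime - UNIX_EPOCH_AS_FILETIME) // 10_000_000


def _hex_tokens(dump_line: str) -> list[str]:
    """Return the hex byte tokens of one hexdump row, stopping at the ASCII column."""
    tokens = dump_line.split()
    if len(tokens) < 2 or not tokens[0].lower().startswith("0x"):
        return []
    out = []
    for tok in tokens[1:17]:  # at most 16 bytes per hexdump row
        if len(tok) != 2 or any(c not in "0123456789abcdefABCDEF" for c in tok):
            break
        out.append(tok)
    return out


def parse_shutdown_time(printkey_output: str) -> datetime:
    """Locate the ShutdownTime REG_BINARY in printkey output and decode it.

    The value is stored little-endian, so the bytes as printed must be read
    in reverse order to form the integer; struct's "<Q" does that for us.
    """
    lines = printkey_output.splitlines()
    for idx, line in enumerate(lines):
        if "REG_BINARY" in line and "ShutdownTime" in line:
            raw = bytearray()
            # The hexdump rows follow the value line until a non-dump line appears.
            for dump_line in lines[idx + 1:]:
                toks = _hex_tokens(dump_line)
                if not toks:
                    break
                raw.extend(bytes.fromhex("".join(toks)))
            if len(raw) != 8:
                raise ValueError(f"expected 8 bytes for ShutdownTime, got {len(raw)}")
            (filetime,) = struct.unpack("<Q", bytes(raw))
            return filetime_to_datetime(filetime)
    raise ValueError("ShutdownTime value not found in printkey output")


if __name__ == "__main__":
    shutdown = parse_shutdown_time(SAMPLE_PRINTKEY_OUTPUT)
    print("Last shutdown (UTC):", shutdown.isoformat())
```

The key's "Last updated" time is usually within seconds of the decoded value, because Windows writes `ShutdownTime` during a clean shutdown; a large gap between the two, or a FILETIME far from the key's last write, is worth noting in the timeline rather than silently accepting.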


A common task for forensic investigators is looking for hidden partitions and encrypted files. Suspicion arose when TrueCrypt was found on the suspect's machine along with an encrypted partition. The interrogation did not succeed in obtaining the passphrase from the suspect; however, it may be present in the memory dump obtained from the suspect's computer.

Answer the questions below
What is the TrueCrypt passphrase?

Created by

Room Type

Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!

Users in Room

12,121

Created

1602 days ago
