Thursday, October 22, 2020

[Learning] Memory Forensics with Volatility

As part of my training for CTF competitions, today I continue with memory forensics, especially memory dumps. Let's begin!

+ Explanation

- Memory Forensics

Memory Forensics can provide unique insights into runtime system activity, including open network connections and recently executed commands or processes. In many cases, critical data pertaining to attacks or threats will exist solely in system memory – examples include network connections, account credentials, chat messages, encryption keys, running processes, injected code fragments, and non-cacheable internet history.

- Memory Dump: 

A Memory Dump (also known as a core dump or system dump) is a snapshot capture of computer memory data from a specific instant. A memory dump can contain valuable forensics data about the state of the system before an incident such as a crash or security compromise. Memory dumps contain RAM data that can be used to identify the cause of an incident and other key details about what happened.

- Volatile Data:

Volatile data is the data stored in temporary memory on a computer while it is running. When a computer is powered off, volatile data is lost almost immediately. Volatile data resides in a computer’s short term memory storage and can include data like browsing history, chat messages, and clipboard contents.

+ Types of Memory Dumps

- Complete memory dump:

A complete memory dump is the largest type of possible memory dump. This contains a copy of all the data used by Windows in physical memory. So, if you have 8 GB of RAM and Windows is using 4 GB of it at the time of the system crash, the memory dump will be 4 GB in size. Crashes are usually caused by code running in kernel mode, so the complete information including each program's memory is rarely useful — a kernel memory dump will usually be sufficient even for a developer.

- Kernel memory dump: 

A kernel memory dump will be much smaller than a complete memory dump. Microsoft says it will typically be about one-third the size of the physical memory installed on the system.

- Small memory dump:

A small memory dump is the smallest type of memory dump. It contains very little information — the blue-screen information, a list of loaded drivers, process information, and a bit of kernel information. It can be helpful for identifying the error, but offers less detailed debugging information than a kernel memory dump.

- Automatic memory dump:

This is the default option, and it contains the exact same information as a kernel memory dump.


+ Volatility Framework:

Volatility is an open-source memory forensics framework for incident response and malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X, and Linux, for the extraction of digital artifacts from volatile memory (RAM) samples. The framework is intended to introduce people to the techniques and complexities associated with digital artifacts and provide a platform for further work into this exciting area of research.


+ Install:

git clone


+ Usage: (requires Python 2.x with PyCrypto and distorm3.4.4)

In this article, I will demo a simple procedure on a memory dump: getting all user passwords in Windows. Let's set up!

I'm going to use two VMware machines: my Ubuntu (20.04.1) and a Windows XP.

+ On Windows XP: install DumpIt from MoonSols

Press y and wait for the process to finish...

The raw file is right here; it contains all information about the RAM in use on the Windows 10 VM at the time DumpIt ran.

Let's move or copy the file to the machine on which Volatility is installed.

+ On My Ubuntu:

volatility -f <file_dump.raw> imageinfo

-f: the memory image file

imageinfo: Identify information for the image 

And here is the result:

The suggested profile row identifies the OS of the host that created the raw file being analyzed. In this case, the result WinXPSP2x86 is correct.

Next, the information we need comes from hivelist. A hive's address is the location in memory that holds the registry data, including information about the users on the target machine.


volatility -f <file_dump.raw> --profile=PROFILE hivelist

hivelist: extract the list of registry hives in the memory dump

The above result presents the registry keys of the users at the time DumpIt took the snapshot. The next step is to find the password hashes.

With the virtual offsets of SYSTEM and SAM, we can extract the hashes (in my result, SAM is 0xe16116b8 and SYSTEM is 0xe1035b60).

volatility -f <file_dump.raw> --profile=<profile> hashdump -y <SYSTEM offset> -s <SAM offset> > hashes.txt

hashdump: Dump password hash from memory

Result:

Use John or Hashcat to crack them, or an MD5 cracker.
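To tie the hivelist and hashdump steps together, here is an added example (my own code, not from the article or the Volatility project) that pulls the SYSTEM and SAM virtual offsets out of hivelist output, builds the hashdump command line from them, and parses the pwdump-style result to flag accounts with empty passwords or with LM hashes still stored. The hivelist and hashdump text below is constructed sample output; only the two offsets are the ones quoted above, and the user names are made up.

```python
import re

# Constructed sample of `volatility -f <dump> --profile=WinXPSP2x86 hivelist` output.
# The SAM/SYSTEM virtual offsets are the ones quoted in the article; the rest is illustrative.
HIVELIST_SAMPLE = r"""Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0xe1035b60 0x02aa6b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe1a3e008 0x0a9b5008 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe16116b8 0x0aa47ba8 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
"""

# Constructed sample of hashdump output (pwdump format: user:rid:lmhash:nthash:::).
HASHDUMP_SAMPLE = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1004:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

# Well-known hashes of an empty password: an account whose NT hash equals EMPTY_NT has no
# password at all; an LM hash other than EMPTY_LM means the weak LM hash is still stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

def parse_hivelist(text):
    """Map each hive's file name (lowercase) to its virtual offset from hivelist output."""
    hives = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].startswith("0x"):
            hives[parts[2].rsplit("\\", 1)[-1].lower()] = int(parts[0], 16)
    return hives

def hashdump_command(dump_path, profile, hives):
    """Build the hashdump argv as in the article: -y is the SYSTEM offset, -s the SAM offset."""
    return ["volatility", "-f", dump_path, "--profile=" + profile, "hashdump",
            "-y", hex(hives["system"]), "-s", hex(hives["sam"])]

def parse_hashdump(text):
    """Parse pwdump lines into dicts, flagging empty passwords and stored LM hashes."""
    accounts = []
    for line in text.splitlines():
        m = re.fullmatch(r"([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::", line.strip(), re.I)
        if m:
            user, rid, lm, nt = m.groups()
            accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
                             "empty_password": nt.lower() == EMPTY_NT,
                             "lm_stored": lm.lower() != EMPTY_LM})
    return accounts
```

Feeding the real hivelist output into parse_hivelist avoids copying the offsets by hand, and the flags from parse_hashdump tell you which accounts need attention before any cracking is attempted.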


Another exercise with a memory dump using Volatility: I will read the specific content of a Notepad file created by the user.

+ On Windows 7

Compose some arbitrary text in Notepad and snapshot memory with DumpIt.

Move the file to Ubuntu and analyze it with the steps above.

Use the command
volatility -f <file_dump.raw> --profile=Win7SP1x86_23418 pslist | grep notepad 

pslist: Print all running processes by following the EPROCESS lists.

This result is exactly what we expected!

We got the PID of the Notepad process (3244); continue with the command

volatility -f /home/ubuntu/xanh.raw --profile=Win7SP1x86_23418 memdump --dump-dir=./ -p 3244

memdump: Dump the addressable memory for a process

Okay, next we grep for the content that we want to check:

strings -e l ./3244.dmp | grep "flag"
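As an added example (my own code, not part of the original post) of what `strings -e l` does with the memdump output: Notepad keeps its text as UTF-16LE, where every character is followed by a zero byte, so plain `strings` never sees a long enough run and misses it. The sample dump bytes and the FLAG value below are constructed; the dump file path is an assumption.

```python
import re

# Constructed sample of a process memory dump: binary filler, then a UTF-16LE string the
# way Notepad stores its text, then an ASCII string. Not taken from any real dump.
SAMPLE_DUMP = (
    b"\x00\x01\x02\xff" * 8
    + "The flag is FLAG{constructed_sample}".encode("utf-16-le")
    + b"\x00\x00\x7f\x80"
    + b"ascii flag marker in a library string table"
    + b"\x00" * 8
)

def utf16le_strings(data, min_len=4):
    """Yield (offset, text) for runs of printable UTF-16LE chars, like `strings -e l`."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")

def ascii_strings(data, min_len=4):
    """Yield (offset, text) for runs of printable ASCII chars, like plain `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")

def grep_dump(data, needle, min_len=4):
    """Return [(encoding, offset, text)] for every extracted string containing needle."""
    hits = []
    for enc, extractor in (("utf-16le", utf16le_strings), ("ascii", ascii_strings)):
        for offset, text in extractor(data, min_len):
            if needle.lower() in text.lower():
                hits.append((enc, offset, text))
    return hits

def grep_dump_file(path, needle, min_len=4):
    """Run grep_dump over a memdump output file such as ./3244.dmp (path is an assumption)."""
    with open(path, "rb") as fh:
        return grep_dump(fh.read(), needle, min_len)
```

Reporting the offset alongside each hit lets you go back to the dump with a hex viewer and confirm the surrounding context, which a bare grep does not give you.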

One more capability I want to demo: reviewing the cmd history on the target machine.

Step 1: Find the profile with imageinfo:

Use the command

volatility -f /home/ubuntu/xanh.raw --profile=Win7SP1x86_23418 cmdscan

cmdscan: Extract command history by scanning for _COMMAND_HISTORY

And the result is exactly what we expected.

+ Memory Forensics in CTF


1. Investigation - InCTF Internationals 2020

Download file: here

This file has a .7z extension. After checking its type with the file command, I extracted it on Windows and sent it to my Ubuntu.

Analyze it using Volatility.

As you can see, the profile is Win7SP1x64.

Question 1: When did Adam last use the Windows calculator?

First, I use pslist to enumerate all processes Adam has used. But when looking through the table, I can't find a calc.exe process.

Searching for this issue, I came across this page by chance. And the picture below caught my attention:

Let's check this plugin using

volatility -f win7.vmem --profile=Win7SP0x86 userassist
userassist: Print userassist registry keys and information

And that completely answers question 1.

Question 2: How many times did Adam use Google Chrome in this system?

The answer is already in the userassist output.

2. NightSt0rm CTF 2017

Misc 100: TRYHARD

Welcome to the journey of memory analysis. In the last step, you can use the password found in the WeakAuth challenge. Good luck!

Download file here

After downloading and extracting this file, we have a .bin file. Fire up Volatility and analyze it.

Profile: Win7SP1x86_23418

We can see cmd.exe. Let's take a look at it!

Well, good news: we found the file containing the flag. Bad news: it has been completely wiped (sdelete.exe). Hmm, let's park this task here and move on to another one.

When I review the Internet Explorer history with iehistory, I see this interesting link. Follow it!

But the file had already been deleted by the author... (of course, this competition was held in 2017).

After looking at some write-ups, I realized that this file couldn't be opened directly after downloading, because it was encrypted with GPG.

GNU Privacy Guard (GPG) allows you to securely encrypt files so that only the intended recipient can decrypt them. ... GPG relies on the idea of two encryption keys per person. Each person has a private key and a public key. Something encrypted with one of the keys can only be decrypted with the other.

Use grep to view all PGP keys:

Import all the found keys and decrypt the PDF file we "had" downloaded (imagination) using the gpg command.

After that, we have the flag...


Happy Learning!
