Thank you to everyone for visiting! Here is the writeup:
Forensics (not memory forensics - different challenge) TryHackMe Challenge:
sudo ./volatility_2.5_linux_x64 -f victim.raw --profile=Win7SP1x64 imageinfo
(imageinfo is the plugin that suggests a profile, so it does not actually need --profile; it reports Win7SP1x64 for this image, which every later command passes with --profile. In Volatility 3 the equivalent plugin is windows.info.Info)
sudo ./volatility_2.5_linux_x64 -f victim.raw --profile=Win7SP1x64 pslist
sudo ./volatility_2.5_linux_x64 -f victim.raw --profile=Win7SP1x64 shellbags
(plugin that parses the ShellBags registry keys, stored in NTUSER.DAT / UsrClass.dat, and lists the folders a user browsed in Explorer with their timestamps - in our case the viewed directories)
(Look into the path -> Z:\logs\deleted_files)
sudo ./volatility_2.5_linux_x64 -f victim.raw --profile=Win7SP1x64 -h | grep net
(-h lists every plugin, so grepping it is a quick way to find the network ones, e.g. "netscan"; on Vista and later, netscan is the one to use, the older connections/sockets plugins only work on XP/2003)
sudo ./volatility_2.5_linux_x64 -f victim.raw --profile=Win7SP1x64 netscan
for this next question we can use malfind
which is a plugin for finding injected code: it looks for private, executable memory regions (VADs), usually marked PAGE_EXECUTE_READWRITE and not backed by a file on disk, and prints the owning process, the region address and a hexdump/disassembly of its first bytes. A hit is a lead, not proof - some legitimate software (JIT compilers, .NET) shows up too, so check the dumped bytes (an MZ header or shellcode-looking code is the interesting case)
sudo ./volatility_2.5_linux_x64 -f victim.raw --profile=Win7SP1x64 malfind
Now we can use the PIDs malfind reported to memdump those processes and dig for more info in them
sudo ./volatility_2.5_linux_x64 -f victim.raw --profile=Win7SP1x64 memdump -p 1820,1860,2464 -D .
(memdump writes every page the process can address into a file named <PID>.dmp; -D sets the dump dir and . is this dir. If you only want the individual regions malfind flagged, vaddump is the plugin that writes out VADs one file each)
then we can view the strings inside 1820.dmp - the first one
with this
strings 1820.dmp | grep "www.go" | grep ".ru"
(my command; two things to keep in mind: plain strings only finds ASCII, so run strings -el 1820.dmp as well to catch the UTF-16LE strings Windows keeps in memory, and "." in a grep pattern matches any character, so use grep -F or escape it as "\." when you want a literal dot)
then we can try these, or look at the other .dmp files
We can do the same thing again for the other question
strings 1820.dmp | grep "www.i" | grep ".com"
Again
strings 1820.dmp | grep "www.ic" | grep ".com"
(same approach, just a longer prefix to narrow the hits)
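The strings | grep chain above misses anything stored as UTF-16LE, which is how Windows keeps most of its in-memory strings. The script below is an added example, not part of the original writeup, that does the same hunt over a .dmp file in both encodings and filters hosts by prefix and TLD. The sample bytes in SAMPLE_DUMP are constructed for the example and the hostnames in them are made up; point it at a real memdump output (e.g. 1820.dmp) with the path on the command line.

```python
import re
import sys
from pathlib import Path

# Constructed sample standing in for a slice of a memdump .dmp: one ASCII URL,
# one UTF-16LE URL (the kind plain `strings` does not show) and one host that
# the TLD filter should drop. These hostnames are invented for the example.
SAMPLE_DUMP = (
    b"\x00\x00junk\x00http://www.ascii-sample.ru/update.php\x00"
    + "https://www.wide-sample.com/login".encode("utf-16-le")
    + b"\x00\x00www.example.org\x00"
)

# Printable runs of 4+ chars, like `strings` (ASCII) and `strings -el` (UTF-16LE).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Optional scheme, a dotted domain, optional path. Dots are escaped, unlike the
# bare "." in the grep patterns above, so only real dots match.
HOST = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s\"'<>]*)?", re.I)


def printable_runs(data: bytes):
    """Yield (encoding, text) for every ASCII and UTF-16LE printable run."""
    for m in ASCII_RUN.finditer(data):
        yield "ascii", m.group(0).decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield "utf-16le", m.group(0).decode("utf-16-le")


def host_of(url: str) -> str:
    """Strip scheme and path, leaving a lower-cased hostname."""
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()


def find_hosts(data: bytes, tlds=(".ru", ".com"), prefix=""):
    """Return sorted (encoding, host) pairs whose host starts with `prefix`
    and ends with one of `tlds`; the same host in both encodings is kept
    twice so you can tell which strings invocation would have found it."""
    hits = set()
    for enc, text in printable_runs(data):
        for m in HOST.finditer(text):
            host = host_of(m.group(0))
            if host.startswith(prefix) and host.endswith(tuple(tlds)):
                hits.add((enc, host))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python hunt_hosts.py 1820.dmp [prefix] [tld ...]
    # Reads the whole dump into memory; fine for memdump output of typical size.
    if len(sys.argv) < 2:
        data, prefix, tlds = SAMPLE_DUMP, "", (".ru", ".com")
    else:
        data = Path(sys.argv[1]).read_bytes()
        prefix = sys.argv[2] if len(sys.argv) > 2 else ""
        tlds = tuple(sys.argv[3:]) or (".ru", ".com")
    for enc, host in find_hosts(data, tlds, prefix):
        print(f"{enc:9} {host}")
```

Run without arguments it works over the constructed sample and reports the .ru host as ascii and the .com host as utf-16le; with a real dump, "python hunt_hosts.py 1820.dmp www.go .ru" is the equivalent of the first grep chain with the wide strings included.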
and then
sudo ./volatility_2.5_linux_x64 -f victim.raw --profile=Win7SP1x64 envars | grep "2464"
(envars lists every process's environment variables; PID is the first column, so filtering on 2464 gives that process's block. grep "2464" also matches the number anywhere in a value, so anchor it, e.g. grep -E "^ *2464 ", if the output is noisy. The variable the question wants is:)
OANOCACHE