Tags: volatility memorydump forensics 

# Attaaaaack1

## Background

One of our employees at the company complained about suspicious behavior on the machine, our IR team took a memory dump from the machine and we need to investigate it.

Q1. What is the best profile for the machine?

example : crew{Profile}

[Link](https://drive.google.com/file/d/1T8__WXOPcGqmkubyH-NBokEGk3N_H5hr/view?usp=share_link)

Author : 0xSh3rl0ck

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230710142806.png)

## Find the flag

**In this challenge, we can download a [file](https://drive.google.com/file/d/1T8__WXOPcGqmkubyH-NBokEGk3N_H5hr/view?usp=share_link):**
```shell
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.08|17:23:39(HKT)]
└> ls -lah memdump.raw && file memdump.raw
-rw-r--r-- 1 siunam nam 1.0G Jul 8 16:06 memdump.raw
memdump.raw: Windows Event Trace Log
```

Now, `memdump.raw` is a raw memory dump: the `.raw` extension is the usual marker for one, and the "Windows Event Trace Log" guess from `file` is just a misidentification of the unstructured dump.

To perform memory forensics, we can use a tool called **Volatility**. Throughout this challenge, I'll use Volatility version 2 (volatility2), I don't know why volatility3 is broken for me...

**According to [HackTricks](https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet#discover-profile), we can discover profile via:**
```shell
volatility imageinfo -f file.dmp
```

```shell
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.08|17:26:15(HKT)]
└> python2 /opt/volatility/vol.py imageinfo -f memdump.raw
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/siunam/ctf/CrewCTF-2023/Forensics/Attaaaaack/memdump.raw)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x82b7ab78L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0x80b96000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2023-02-20 19:10:54 UTC+0000
Image local date and time : 2023-02-20 21:10:54 +0200
```

- Profile: `Win7SP1x86_23418`
- **Flag: `crew{Win7SP1x86_23418}`**
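As an added example (not part of the original writeup), a small Python helper that parses `imageinfo` output of the shape shown above, keeps only the suggested profiles whose `SPn` tag agrees with the reported `Image Type (Service Pack)` field, and decodes the `DTB`/`KDBG` addresses as integers. The sample text is constructed from the values on this page rather than captured from a live run.

```python
import re

# Constructed sample of `volatility imageinfo` output, modelled on the
# challenge output above (values copied from the page, not a live run).
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82b7ab78L
          Number of Processors : 1
     Image Type (Service Pack) : 1
           Image date and time : 2023-02-20 19:10:54 UTC+0000
"""


def parse_imageinfo(text):
    """Turn the 'key : value' lines of imageinfo output into a dict.

    The INFO log line and the banner are skipped; every other line is
    split on the first ' : ' so values containing ':' (timestamps) survive.
    """
    info = {}
    for line in text.splitlines():
        if line.startswith("INFO") or " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        info[key.strip()] = value.strip()
    return info


def suggested_profiles(info):
    """Suggested profiles in the order imageinfo listed them (most likely first)."""
    raw = info.get("Suggested Profile(s)", "")
    return [p.strip() for p in raw.split(",") if p.strip()]


def consistent_profiles(info):
    """Keep only profiles whose SPn tag matches the reported service pack."""
    sp = info.get("Image Type (Service Pack)")
    if sp is None:
        return suggested_profiles(info)
    return [p for p in suggested_profiles(info)
            if re.search(r"SP(\d+)", p) and re.search(r"SP(\d+)", p).group(1) == sp]


def best_profile(info):
    """First service-pack-consistent profile, or None if nothing matches."""
    candidates = consistent_profiles(info)
    return candidates[0] if candidates else None


def kernel_addresses(info):
    """Decode the 'L'-suffixed hex DTB and KDBG values into integers."""
    return {k: int(info[k].rstrip("L"), 16) for k in ("DTB", "KDBG") if k in info}
```

The service-pack filter is a sanity check only; in Volatility 2 the `kdbgscan` plugin is the usual way to confirm which suggested profile actually matches the image before trusting plugin output.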

Original writeup (https://siunam321.github.io/ctf/CrewCTF-2023/Forensics/Attaaaaack1-13/).