
THM Advent of Cyber - Day 11

While work, work applications and trial periods are definitely keeping my free time at an absolute minimum, I will not give up fighting my way through the Advent of Cyber! So, despite the lateness, onward to the rather short Day 11!

Day 11

What is the Windows version number that the memory image captured?

In this task we will be using Volatility to do some memory forensics on the supplied memory image. Once the system comes up we can check that Volatility is ready for action by simply entering the /home/elfmcblue/volatility3/ directory and running python3 vol.py in the terminal.

Once that’s confirmed we can point it at the memory image located in the same directory with the -f argument and the windows.info plugin, using the command python3 vol.py -f workstation.vmem windows.info. After the lengthy scan finishes we will find the correct answer to the first question in the NtMajorVersion row.

What is the name of the binary/gift that secret Santa left?

Moving on, we’ll need to use the windows.pslist module to print out a list of the processes that were running at the time the snapshot was taken. Going through the list carefully (hint: start from the end) we can find one executable that stands out from the rest.

What is the Process ID (PID) of this binary?

The Process ID (PID) of the process is the very first entry on the process row. In this case it’s four digits long.

Dump the contents of this binary. How many files are dumped?

Finally we’ll be dumping the contents of the suspicious process by using the windows.psscan plugin with the --pid $PID argument in our command. Once we get the list of all the dumped files we can simply tally them up to get the answer to the final question of the day.
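Reading a long pslist table by eye is error-prone, so here is a small added helper (my own example, not the room's or Volatility's code) that parses windows.pslist text output, flags image names outside a baseline of expected Windows processes, and resolves the PID of a named binary. The baseline set and the sample table (including the stand-in name gift_placeholder.exe) are constructed for illustration, not taken from the room.

```python
"""Triage helper for Volatility 3 `windows.pslist` text output (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Assumption: a small baseline of image names expected on a stock workstation;
# anything not listed here is a candidate for closer inspection, not a verdict.
BASELINE = {
    "System", "Registry", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "explorer.exe", "dwm.exe",
    "fontdrvhost.exe", "sihost.exe", "RuntimeBroker.exe", "taskhostw.exe",
}

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str

def parse_pslist(text: str) -> list[Proc]:
    """Parse the whitespace-separated pslist table (PID PPID ImageFileName ...).
    Banner, header and blank lines are skipped; data rows start with two ints."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue
        procs.append(Proc(int(parts[0]), int(parts[1]), parts[2]))
    return procs

def unusual(procs: list[Proc]) -> list[Proc]:
    """Processes whose image name is outside the baseline: start triage here."""
    return [p for p in procs if p.image not in BASELINE]

def pid_of(procs: list[Proc], image: str) -> int | None:
    """PID of the first process whose image name matches, case-insensitively."""
    for p in procs:
        if p.image.lower() == image.lower():
            return p.pid
    return None

# Constructed sample in the pslist layout; gift_placeholder.exe is a stand-in name.
SAMPLE = """Volatility 3 Framework 2.4.1
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0xffffe1\t120\t-\tN/A\tFalse\t2023-11-12 10:00:00.000000\tN/A\tDisabled
368\t4\tsmss.exe\t0xffffe2\t2\t-\tN/A\tFalse\t2023-11-12 10:00:01.000000\tN/A\tDisabled
1244\t1100\texplorer.exe\t0xffffe3\t40\t-\t1\tFalse\t2023-11-12 10:00:05.000000\tN/A\tDisabled
3660\t1244\tgift_placeholder.exe\t0xffffe4\t3\t-\t1\tFalse\t2023-11-12 10:05:00.000000\tN/A\tDisabled
"""

if __name__ == "__main__":
    procs = parse_pslist(SAMPLE)
    for p in unusual(procs):
        print(f"unusual: {p.image} (PID {p.pid}, parent PID {p.ppid})")
```

To use it on a real image, pipe the output of python3 vol.py -f workstation.vmem windows.pslist into parse_pslist instead of SAMPLE.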

This post is licensed under CC BY 4.0 by the author.