F 210: Memory Analysis with Autopsy (15 pts + 30 extra)

What You Need for This Project

Purpose

To extract useful information from a memory image.

Installing 7-Zip

If you don't already have it installed, install 7-Zip by downloading the 64-bit version from this page and running it:

https://7-zip.org/

Downloading the Evidence File

Download this file:

memdump.7z (130 MB)

Right-click the file, and click 7-Zip, "Extract Here".

A file named memdump.mem appears.

Use HashCalc to verify the hash of the file. Your hash values should match the image below.
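The same integrity check can be scripted, which is handy when the image is large or when you want the digests recorded in your case notes. The script below is an added example, not part of this project page: it streams the file through several hashers in a single pass and compares the results with the expected values. The entries in EXPECTED are placeholders; fill them in from the reference image, since this page does not list the digests in text.

```python
import hashlib
import sys

# Placeholder expected values: replace with the digests shown in the project's
# reference image before running this against memdump.mem.
EXPECTED = {
    "md5": "<md5 from the reference image>",
    "sha1": "<sha1 from the reference image>",
}

DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256")


def digest_chunks(chunks, algorithms=DEFAULT_ALGORITHMS):
    """Feed an iterable of byte chunks through several hashers in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, algorithms=DEFAULT_ALGORITHMS):
    """Digests of an in-memory byte string (same result as one-chunk streaming)."""
    return digest_chunks([data], algorithms)


def digest_file(path, algorithms=DEFAULT_ALGORITHMS, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so a large memory image is never loaded whole."""
    with open(path, "rb") as f:
        return digest_chunks(iter(lambda: f.read(chunk_size), b""), algorithms)


def verify(actual, expected):
    """Compare computed digests with expected ones (hex, case-insensitive).

    Returns {algorithm: bool}. An expected algorithm that was not computed
    counts as a mismatch rather than being silently skipped.
    """
    return {
        name: actual.get(name, "").lower() == value.strip().lower()
        for name, value in expected.items()
    }


if __name__ == "__main__":
    image = sys.argv[1] if len(sys.argv) > 1 else "memdump.mem"
    computed = digest_file(image)
    for name, hexdigest in computed.items():
        print(f"{name}: {hexdigest}")
    for name, ok in verify(computed, EXPECTED).items():
        print(f"{name}: {'MATCH' if ok else 'MISMATCH'}")
```

Run it as `python verify_image.py memdump.mem`; any MISMATCH line means the download is corrupt or not the file the project expects, and the image should be re-downloaded before any analysis is trusted.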

Launching Autopsy

Launch Autopsy. In the Welcome box, click the Close button.

Enabling the Experimental Module

From the Autopsy menu bar, click Tools, Plugins. Click the Installed tab.

Check the box next to "Experimental", as shown below.

Click the Activate button. Click the Activate button. Click the Finish button.

In the Plugins window, click the Close button.

Creating a New Case

From the Autopsy menu bar, click Case, "New Case".

Enter a Case Name of memory.

Click the Next button.

Click the Finish button.

Importing the Memory Image

In the "Add Data Source" window, at step "1. Select Host", click the Next button.

At step "2. Select Data Source Type", click "Memory Image File (Volatility)", as shown below.

Click the Next button.

At step "3. Select Data Source", click the Browse button and navigate to the memdump.mem file, as shown below.

If you want a thorough analysis, simply click the Next button, but be warned: it will take a long time, perhaps an hour, to run all those plugins.

If you want to speed up the process, clear all the plugins except these:

At step "4. Configure Ingest", click the Next button.

When the analysis is complete, at the top left, expand "Data Sources" and navigate to the ModuleOutput, as shown in the images below.

Examine the output to find the flags shown below.

F 210.1: Consoles (5 pts)

In the consoles section, find Waldo's password, covered by a green rectangle in the image below.

F 210.2: Hashdump (5 pts)

In the hashdump section, find Waldo's password hash, covered by a green rectangle in the image below.

F 210.3: LSAdump (5 pts)

In the lsadump section, find the default password, covered by a green rectangle in the image below.

F 210.4: Netscan (5 pts extra)

In the netscan section, find the name of the executable listening on port 8080, covered by a green rectangle in the image below.

F 210.5: pslist (5 pts extra)

In the pslist section, find the name of the executable covered by a green rectangle in the image below.
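The netscan and pslist flags above are both answered by reading Volatility's text output; the script below is an added example (not part of this project or of Autopsy) that does the same join programmatically. It assumes the column layout of Volatility 2's netscan and pslist plugins, which is what the Autopsy module writes into ModuleOutput, and the sample rows embedded here are constructed, with made-up offsets, PIDs and a made-up process name, so the real flags still come from your own case output. Given a port, it reports the process that owns the listening socket and, via pslist, that process's parent, which is the first question an analyst asks about an unexpected listener.

```python
import re

# Constructed sample output in the column layout of Volatility 2's netscan plugin.
# Every value is made up for this example; real rows come from the ModuleOutput folder.
NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d6ae010         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        704      svchost.exe    2013-09-13 22:00:05 UTC+0000
0x7d6b1c20         TCPv4    0.0.0.0:8080                   0.0.0.0:0            LISTENING        1888     sample.exe     2013-09-13 23:12:31 UTC+0000
0x7d6c0a40         TCPv4    192.168.1.5:49160              10.0.0.2:80          ESTABLISHED      1888     sample.exe     2013-09-13 23:12:40 UTC+0000
0x7d6c3e80         UDPv4    0.0.0.0:137                    *:*                                   4        System         2013-09-13 22:00:02 UTC+0000
"""

# Constructed sample output in the column layout of Volatility 2's pslist plugin.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x8a1b2c30 System                    4      0     55      250 ------      0 2013-09-13 22:00:01 UTC+0000
0x8a2d4e60 explorer.exe           1452   1400     20      600      0      0 2013-09-13 22:01:10 UTC+0000
0x8a3f7a10 sample.exe             1888   1452      3       70      0      0 2013-09-13 23:12:30 UTC+0000
"""

# netscan rows: the State column is blank for UDP sockets, so it is optional.
NETSCAN_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>\S+)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>-?\d+)\s+(?P<owner>\S+)(?:\s+(?P<created>.+))?$"
)

# pslist rows: only offset, name, PID and PPID are needed for the join.
PSLIST_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
)


def parse_netscan(text):
    """Return one dict per socket row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSCAN_ROW.match(line.rstrip())
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows


def parse_pslist(text):
    """Return {pid: {"name": ..., "ppid": ...}} for every process row."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            procs[int(m["pid"])] = {"name": m["name"], "ppid": int(m["ppid"])}
    return procs


def local_port(local_address):
    """Port from an address such as 0.0.0.0:8080 or ::1:8080 (last colon-separated field)."""
    return int(local_address.rsplit(":", 1)[1])


def listeners_on_port(netscan_rows, port):
    """Sockets in LISTENING state that are bound to the given local port."""
    return [r for r in netscan_rows
            if r["state"] == "LISTENING" and local_port(r["local"]) == port]


def who_listens(netscan_text, pslist_text, port):
    """Join netscan listeners on `port` with pslist to name the owner and its parent.

    Returns a list of (owner, pid, parent_name). parent_name is None when the
    PID or its parent is absent from pslist, which is itself worth noting: a
    socket whose owner is not in the process list points at a hidden or exited process.
    """
    procs = parse_pslist(pslist_text)
    result = []
    for sock in listeners_on_port(parse_netscan(netscan_text), port):
        proc = procs.get(sock["pid"])
        parent = None
        if proc is not None and proc["ppid"] in procs:
            parent = procs[proc["ppid"]]["name"]
        result.append((sock["owner"], sock["pid"], parent))
    return result


if __name__ == "__main__":
    for owner, pid, parent in who_listens(NETSCAN_SAMPLE, PSLIST_SAMPLE, 8080):
        print(f"port 8080: {owner} (pid {pid}), parent: {parent}")
```

To use it on the real case, read the netscan and pslist text files from the ModuleOutput folder and pass their contents to who_listens in place of the constructed samples. The parent lookup is the useful part: a listener started by explorer.exe (that is, launched by the logged-on user) tells a different story from one started by services.exe.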

F 210.6: shellbags (5 pts extra)

In the shellbags section, find the name of the shared folder this machine connected to, covered by a green rectangle in the image below.

F 210.7: userassist (5 pts extra)

In the userassist section, find the name of the dangerous executable that ran on 9-13-2013 at 23:12:30, covered by a green rectangle in the image below.

F 210.8: Probe Password (10 pts extra)

Find the password for the probe account, which appeared in the hashdump section.

You will need to crack the hash.

That's the flag.

Posted: 9-7-22
Video added 3-12-23