With month 2 in the book, we kick off Memory for the month of December! Aaron Sparling kicks it off with seven (yes, seven!) questions with lots of points up for grabs.
Challenge 9 ( Nov 30 - Dec 7 ) Part 1 (25)
The user had a conversation with themselves about changing their password. What was the password they were contemplating changing too. Provide the answer as a text string.
Where do we even start you ask? Well, there aren't many tools that can parse memory images. Luckily, Aaron introduced me too a fantastic tool called MemProcFS from Ulf Frisk this summer (check out his Forensic Lunch episode as well as Aaron and Jessica Hyde's SANS Summit talk). It allows you to mount the memory image as a drive on your machine and can traverse it using Windows Explorer.
**Note - Associate .mem files with MemProcFS and you can just double-click it to automount making it much easier than going through the command line.
Once mounted we can traverse to the "name" folder which will list out all running processes with their associated PIDs.
Thinking of what application the user could type and write in one stuck out right away, WINWORD or Microsoft Word. We can look inside the "files > handles" folder to see what was open and being used by Word at the time of collection. One file seemed like a reasonable place to start:
fffffa80326de810-AutoRecovery save of Document1.asd
"An ASD file is a temporary backup created by Microsoft Word, a word processing program used to author documents. It contains a snapshot copy of the currently opened Word document." - FileInfo
Opening up the .asd file inside a text editor, we see plaintext content including the password!
The password is "wow_this_is_an_uncrackable_password".
Challenge 9 ( Nov 30 - Dec 7 ) Part 2 (15)
What is the md5 hash of the file which you recovered the password from?
vol.py -f memdump.mem --profile=Win7SP1x64 filescan | grep 'Document1.asd'
vol.py -f memdump.mem --profile=Win7SP1x64 dumpfiles -Q 0x000000013e6de810 -n --dump-dir ~/Downloads
Challenge 9 ( Nov 30 - Dec 7 ) Part 3 (15)
What is the birth object ID for the file which contained the password?
vol.py -f memdump.mem --profile=Win7SP1x64 mftparser --output-file ~/Downloads/mftparser.txt
Opening the resulting file and searching for "Document1.asd" shows the MFT entry for the file along with the Birth Object ID.
The answer being "31013058-7f31-01c8-6b08-210191061101".
Challenge 9 ( Nov 30 - Dec 7 ) Part 4 (20)
What is the name of the user and their unique identifier which you can attribute the creation of the file document to?
Format: #### (Name)
This one was fairly simple once you figured out the format. We can go back to MemProcFS for this one and open the "name\WINWORD.EXE-3180\user" folder. Inside we can pull out the SID and the user name.
sid.txt = S-1-5-21-4288132831-552422005-3632184702-1000
user.txt = Warren
Since they only want four characters for the SID, the answer is "1000 (Warren)".
Challenge 9 ( Nov 30 - Dec 7 ) Part 5 (25)
What is the version of software used to create the file containing the password?Format ## (Whole version number, don't worry about decimals)
Another easy one found using MemProcFS. It can process any registry hives found in memory and recreate them as folder structures. So we can navigate down the following folder:
Having a little prior knowledge of Windows registry hives for Office it keeps version info in subfolders.
Challenge 9 ( Nov 30 - Dec 7 ) Part 6 (20)
What is the virtual memory address offset where the password string is located in the memory image?Format: 0x########
vol.py -f memdump.mem --profile=Win7SP1x64_24000 yarascan -p 3180 --yara-rules="wow_this_is_an_uncrackable_password"
-p = supplies the PID for the WINWORD process
--yara-rules = string/password to search for
The left side shows the hexidecimal interpretation of the physical offset for the password string, the answer being "0x02180a2d".
Challenge 9 ( Nov 30 - Dec 7 ) Part 7 (20)
What is the physical memory address offset where the password string is located in the memory image?
I knew I had the virtual address already but didn't know how to go about converting it to a physical memory space. I tried looking at Volatility plugins 'memmap', 'vadinfo' and 'vaddump' but nothing jumped out to me on how to make it work. Browsing through the wiki for MemProcFS I found exactly what I wanted.
There was a plugin that could convert the hexidecimal virtual address to a physical address. All you have to do is edit the "virt" file at the following path mounted path:
I entered "0000000002180a2d" into the "virt" file and the output in the "phys" file resulted in "000000000af12a2d". Since the format needed be in 0x format, the answer is "0xaf12a2d".
While I'm still learning how to analyze memory images, this challenge definitely gave me a few new plugins to use in future cases. It goes without saying that MemProcFS is a great complementary addition to Volatility as a memory analysis tool.