Writeup by naacbin for Ransomémoire 0/3 - Pour commencer

forensics memory windows

November 6, 2023

Ransomémoire 0/3 - Pour commencer

Resolution

Since this is a Windows memory dump, I immediately loaded it into Volweb to browse the information more easily for the rest of the challenge. While that analysis was running, I performed some steps manually.


To identify the browser that was running, we use the windows.pslist plugin from volatility3. The only browser in the process list is brave.exe, i.e. Brave: one parent process (PID 4072) and several child brave.exe processes with PPID 4072, the usual multi-process layout of a Chromium-based browser.

$ python3 vol.py -f fcsc.dmp windows.pslist
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output
[...]
4072    3928    brave.exe       0x818688060300  31      -       1       False   2023-04-17 17:21:31.000000      N/A     Disabled
5064    4072    brave.exe       0x8186872b8300  8       -       1       False   2023-04-17 17:21:39.000000      N/A     Disabled
3952    4072    brave.exe       0x818687ff6080  14      -       1       False   2023-04-17 17:21:44.000000      N/A     Disabled
4060    4072    brave.exe       0x818681344080  12      -       1       False   2023-04-17 17:21:44.000000      N/A     Disabled
2844    4072    brave.exe       0x818688773080  7       -       1       False   2023-04-17 17:21:44.000000      N/A     Disabled
5500    4072    brave.exe       0x8186886980c0  15      -       1       False   2023-04-17 17:21:46.000000      N/A     Disabled
[...]

We can retrieve the username of the last user logged into the system from the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LastUsedUsername, or from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser for the last logged-on SAM user. However, neither could be retrieved with volatility (note that both are values rather than keys, so printkey has to be pointed at the parent key, Winlogon or LogonUI, and the value read from its output). Instead, we listed the users who have used the system from the loaded hives: every user profile carries its own hive at C:\Users\<Username>\ntuser.dat, so the HKU hives present in memory give the profile names. This yields the username Admin.

$ python3 vol.py -f fcsc.dmp windows.registry.printkey --key "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LastUsedUsername"
$ python3 vol.py -f fcsc.dmp windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser"
$ python3 ~/ctf/forensic/volatility3/vol.py -f fcsc.dmp windows.registry.hivelist

Offset  FileFullPath    File output
[...]
0xe306cd2cd000  \??\C:\Users\Admin\ntuser.dat   Disabled
0xe306cd2ca000  \??\C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat Disabled
[...]

Finally, to retrieve the machine name, there is the HKLM\SYSTEM\CurrentControlSet\Control\ComputerName key, but once again this returns nothing. Knowing that computer names under Windows start with DESKTOP- by default, a good old strings/grep works perfectly. A smarter way would have been to grep for COMPUTERNAME, the environment variable carried by every process environment block.

$ python3 vol.py -f fcsc.dmp windows.registry.printkey --key "SYSTEM\CurrentControlSet\Control\ComputerName"

$ strings fcsc.dmp| grep "DESKTOP-" | head
3208    728     x64     DESKTOP-PI234GP\Admin   sihost.exe
[...]

$ strings fcsc.dmp| grep "COMPUTERNAME" | head
COMPUTERNAME=DESKTOP-PI234GP

Using ControlSet001\Control\ComputerName\ComputerName as the key, you can also retrieve the computer name with volatility. CurrentControlSet is a symbolic link that Windows creates at boot to point at the active control set (ControlSet001 here, as recorded in SYSTEM\Select\Current); the hive walked by volatility does not resolve that link, which is why the earlier query returned nothing.
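The three steps above (browser from pslist, user from the loaded hives, hostname from environment strings) can be scripted so that the same triage is repeatable on the next dump. The following is an added example written for this page, not code from the writeup or from the Volatility project: it parses the pslist and hivelist output shown above (copied verbatim into the script), scans a constructed byte string that stands in for fcsc.dmp for COMPUTERNAME= in both ASCII and UTF-16LE (the encoding of Windows environment blocks), and rewrites a CurrentControlSet path to the on-disk control set. The browser image list and the assumption that Select\Current is 1 are the editor's, not the page's.

```python
"""Triage helpers for the three questions of this challenge (running browser,
last user, machine name), working on Volatility 3 text output and raw dump bytes.

Added example by the editor, not code from the writeup or from the Volatility
project. PSLIST_SAMPLE and HIVELIST_SAMPLE are copied from the plugin output in
the writeup; SAMPLE_DUMP is a constructed byte string standing in for fcsc.dmp
so that the script runs offline.
"""
import re
from collections import Counter

# Assumption: a short editor-chosen list of browser image names to look for.
BROWSER_IMAGES = {"brave.exe", "chrome.exe", "firefox.exe", "msedge.exe", "opera.exe"}

PSLIST_SAMPLE = """\
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output
4072    3928    brave.exe       0x818688060300  31      -       1       False   2023-04-17 17:21:31.000000      N/A     Disabled
5064    4072    brave.exe       0x8186872b8300  8       -       1       False   2023-04-17 17:21:39.000000      N/A     Disabled
3952    4072    brave.exe       0x818687ff6080  14      -       1       False   2023-04-17 17:21:44.000000      N/A     Disabled
"""

HIVELIST_SAMPLE = r"""
Offset  FileFullPath    File output
0xe306cd2cd000  \??\C:\Users\Admin\ntuser.dat   Disabled
0xe306cd2ca000  \??\C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat Disabled
"""

# Constructed stand-in for the dump: one ASCII and one UTF-16LE copy of the
# environment variable, surrounded by unrelated bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"COMPUTERNAME=DESKTOP-PI234GP\x00USERDOMAIN=DESKTOP-PI234GP\x00"
    + b"\x90\x90junk"
    + "COMPUTERNAME=DESKTOP-PI234GP\x00".encode("utf-16-le")
)


def parse_pslist(text):
    """Turn windows.pslist text into dicts; header and '[...]' lines are skipped."""
    procs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        procs.append({"pid": int(fields[0]), "ppid": int(fields[1]), "name": fields[2].lower()})
    return procs


def browser_roots(procs):
    """Map each browser image to its top-level PID: the instance whose parent is
    not the same image (renderer/GPU children all have the browser as PPID)."""
    by_pid = {p["pid"]: p for p in procs}
    roots = {}
    for p in procs:
        if p["name"] not in BROWSER_IMAGES:
            continue
        parent = by_pid.get(p["ppid"])
        if parent is None or parent["name"] != p["name"]:
            roots.setdefault(p["name"], p["pid"])
    return roots


NTUSER_RE = re.compile(r"\\Users\\([^\\\s]+)\\ntuser\.dat", re.IGNORECASE)


def users_from_hivelist(text):
    """Usernames whose NTUSER.DAT hive is loaded, i.e. profiles that have logged on."""
    return sorted({m.group(1) for m in NTUSER_RE.finditer(text)})


# NetBIOS computer names are at most 15 characters, hence the {1,15} bound.
HOST_ASCII_RE = re.compile(rb"COMPUTERNAME=([A-Za-z0-9-]{1,15})")
HOST_UTF16_RE = re.compile("COMPUTERNAME=".encode("utf-16-le") + rb"((?:[A-Za-z0-9-]\x00){1,15})")


def hostname_candidates(data):
    """Count COMPUTERNAME= hits in ASCII and UTF-16LE; the most frequent value is
    normally the real name, and the rest are kept so an analyst can review them."""
    counts = Counter(m.group(1).decode("ascii") for m in HOST_ASCII_RE.finditer(data))
    counts.update(m.group(1).decode("utf-16-le") for m in HOST_UTF16_RE.finditer(data))
    return counts.most_common()


SELECT_CURRENT = 1  # assumption: value of HKLM\SYSTEM\Select\Current (1 on most systems)


def on_disk_key(key, current=SELECT_CURRENT):
    """CurrentControlSet is a boot-time symbolic link that the hive walk does not
    resolve; rewrite it to the ControlSet00N that Select\\Current points at."""
    return re.sub(r"^(SYSTEM\\)?CurrentControlSet",
                  lambda m: (m.group(1) or "") + f"ControlSet{current:03d}",
                  key, flags=re.IGNORECASE)


def answer(pslist_text, hivelist_text, dump_bytes):
    """Assemble the challenge answer in the flag's user:host:browser order."""
    browser = next(iter(browser_roots(parse_pslist(pslist_text))))
    user = users_from_hivelist(hivelist_text)[0]
    host = hostname_candidates(dump_bytes)[0][0]
    return f"FCSC{{{user}:{host}:{browser.removesuffix('.exe').capitalize()}}}"


if __name__ == "__main__":
    print(answer(PSLIST_SAMPLE, HIVELIST_SAMPLE, SAMPLE_DUMP))
    print(on_disk_key(r"SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName"))
```

On a real dump, replace SAMPLE_DUMP with the file contents (or an mmap of it) and feed the script the saved text output of the two plugins; the UTF-16LE pattern is what catches the environment block copies that an ASCII-only strings run misses.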

Flag

FCSC{Admin:DESKTOP-PI234GP:Brave}