MemLabs: Lab 4 - Obsession (“Medium”)
From https://github.com/stuxnet999/MemLabs: "MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security researchers and also CTF players to get started with the field of Memory Forensics."
I'm a beginner when it comes to memory forensics- over the last few months I've been learning from online guides and CTFs. Below is a step-by-step write-up of how I completed Lab 4.
Challenge Description: “My system was recently compromised. The Hacker stole a lot of information but he also deleted a very important file of mine. I have no idea on how to recover it. The only evidence we have, at this point of time is this memory dump. Please help me. Note: This challenge is composed of only 1 flag. The flag format for this lab is: inctf{s0me_l33t_Str1ng}”
I started by identifying which memory profile to use:
volatility.exe -f MemoryDump_Lab4.raw imageinfo
Which tells us that the suggested profiles are:
Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
From pslist I see one process of particular interest:
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
0xfffffa8000f18b30 StikyNot.exe 2432 3012 10 137 2 0 2019-06-29 07:29:37 UTC+0000
The contents of sticky notes are saved in .snt files so, in order to look for these, I ran filescan and sent the output to a text file:
volatility.exe -f MemoryDump_Lab4.raw --profile=Win7SP1x64 filescan > filescan.txt
Within filescan.txt I searched for “.snt” and found one match:
Offset(P) #Ptr #Hnd Access Name
0x000000003fd40910 17 1 RW-r-- \Device\HarddiskVolume2\Users\SlimShady\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt
I extracted this file with dumpfiles:
volatility.exe -f MemoryDump_Lab4.raw --profile=Win7SP0x86 dumpfiles –D ./StickyNotes -Q 0x000000003fd40910 –n
Opening with "Structured Storage Viewer" gave some human readable text: "The clipboard plugin works well but doesn't give the flag :P ". It turns out that AXIOM also parses this file and previews it very nicely as an “RTF Document” under “Documents”:
I spent a while looking at the output of the clipboard command fruitlessly. Even if it doesn’t give the flag I thought perhaps it provides a clue or a stepping stone? I couldn’t find anything useful so I decided to move on. Having processed the memory dump in AXIOM I browsed for notable files. The IE History, LNK files and Recently Accessed Files/Folders artefacts were particularly useful. This is where I noted “Important.txt” on two users' desktops:
“C:\Users\SlimShady\Desktop\Important.txt” and “C:\Users\eminem\Desktop\Important.txt”
This file is noted in filescan.txt:
Offset(P) #Ptr #Hnd Access Name
0x000000003fc398d0 16 0 R--rw- \Device\HarddiskVolume2\Users\SlimShady\Desktop\Important.txt
However, dumpfiles fails to extract it. From the challenge description we know that the file(s) of interest were deleted so I looked in filescan.txt for RecycleBin entries or $I/$R files without any luck. I tried extracting the $MFT using dumpfiles and parsing it with MFTDump but this was unsuccessful. When researching MFT extraction with Volatility I found a reference to the mftparser command which achieved what I had been trying to do:
volatility.exe -f MemoryDump_Lab4.raw --profile=Win7SP1x64 mftparser > mft.txt
Searching for “Important.txt” within the output “mft.txt” shows us that the file is resident in the MFT:
Taking the contents of $DATA and removing spaces/line breaks gives "inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3} Good work :P"
Summary of flags:
- inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3}
