
Cyberdefenders Brave Walkthrough


Challenge/Competition: Brave

By: DFIRScience


Scenario

A memory image was taken from a seized Windows machine. Analyze the image and answer the provided questions.

Walkthrough

Q1: What time was the RAM image acquired according to the suspect system? (YYYY-MM-DD HH:MM:SS)

Ans:  2021-04-30 17:52:19

Detail: we can get the system time at the moment the image was taken from the SystemTime field printed by the windows.info plugin:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.info


Q2: What is the SHA256 hash value of the RAM image?

Ans:  9db01b1e7b19a3b2113bfb65e860fffd7a1630bdf2b18613d206ebf2aa0ea172

Detail: I used the sha256sum command for that:
sha256sum 20210430-Win10Home-20H2-64bit-memdump.mem


Q3: What is the process ID of “brave.exe”?

Ans:  4856

Detail: we can get the PID of every process with the pslist plugin and pick out brave.exe:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.pslist


Q4: How many established network connections were there at the time of acquisition? (number)

Ans:  10

Detail: the netscan plugin lists the network connections found in the image; filtering its output for the ESTABLISHED state makes counting them easy.
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.netscan | grep -i established


Q5: What FQDN does Chrome have an established network connection with?

Ans:  protonmail.ch

Detail: in the netscan output above we can see that chrome.exe was connected to 185.70.41.130. To find the FQDN for this IP address we can do a reverse lookup with nslookup:
nslookup 185.70.41.130


Q6: What is the MD5 hash value of process executable for PID 6988?

Ans:  0b493d8e26f03ccd2060e0be85f430af

Detail: first we need to dump the process executable, which pslist can do with its --dump option (the two dashes are double hyphens):
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.pslist --pid 6988 --dump

After that, we can get the MD5 hash of the dumped file with md5sum:
md5sum pid.6988.0x1c0000.dmp


Q7: What is the word starting at offset 0x45BE876 with a length of 6 bytes?

Ans:  hacker

Detail: for this we can use any hex editor: jump to the given offset in the memory image and read the next 6 bytes as ASCII.


Q8: What is the creation date and time of the parent process of “powershell.exe”? (YYYY-MM-DD HH:MM:SS)

Ans:  2021-04-30 17:39:48

Detail: to see the parent/child relation between processes easily we can use the pstree plugin for volatility; the parent of powershell.exe is the process one level above it in the tree, and its CreateTime column is the answer:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.pstree
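The parent lookup that pstree does for us can also be done by hand over pslist output. The following is an added example, not part of the original walkthrough; it parses the tab-separated table that windows.pslist prints, rebuilds the PID/PPID relation, and returns the creation time of a process's parent. The sample table is constructed (invented PIDs, offsets and times), so it runs offline.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of "vol3 ... windows.pslist" output (tab-separated
# columns, header included). PIDs, offsets and timestamps are invented.
SAMPLE_PSLIST = (
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output\n"
    "4\t0\tSystem\t0xe405000\t129\t-\tN/A\tFalse\t2021-04-30 17:39:29.000000 \tN/A\tDisabled\n"
    "1234\t4\texplorer.exe\t0xe405100\t60\t-\t1\tFalse\t2021-04-30 17:40:10.000000 \tN/A\tDisabled\n"
    "5678\t1234\tpowershell.exe\t0xe405200\t12\t-\t1\tFalse\t2021-04-30 17:45:02.000000 \tN/A\tDisabled\n"
    "9012\t5678\tconhost.exe\t0xe405300\t4\t-\t1\tFalse\t2021-04-30 17:45:02.000000 \tN/A\tDisabled\n"
)

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    create_time: str  # "YYYY-MM-DD HH:MM:SS", the format the question asks for

def parse_pslist(text: str) -> Dict[int, Proc]:
    """Map PID -> Proc from pslist text, skipping the banner/header lines."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 9 or not cols[0].isdigit():
            continue
        # CreateTime is "2021-04-30 17:39:29.000000 "; keep only seconds.
        create = cols[8].strip().split(".")[0]
        procs[int(cols[0])] = Proc(int(cols[0]), int(cols[1]), cols[2], create)
    return procs

def find_proc(procs: Dict[int, Proc], name: str) -> Optional[Proc]:
    return next((p for p in procs.values() if p.name.lower() == name.lower()), None)

def parent_create_time(procs: Dict[int, Proc], name: str) -> Optional[str]:
    """Creation time of the parent of ``name``; None if the process is absent
    or its parent has already exited (pstree then shows an unresolved PPID)."""
    child = find_proc(procs, name)
    parent = procs.get(child.ppid) if child else None
    return parent.create_time if parent else None

def ancestry(procs: Dict[int, Proc], name: str) -> List[str]:
    """Image names from the root ancestor down to ``name``, like one pstree
    branch. Stops at an already-seen PID so PID reuse cannot loop forever."""
    chain, seen, cur = [], set(), find_proc(procs, name)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.name)
        cur = procs.get(cur.ppid)
    return chain[::-1]
```

Feed it the real pslist output (saved to a file) instead of SAMPLE_PSLIST and parent_create_time(procs, "powershell.exe") gives the Q8 value directly.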


Q9: What is the full path and name of the last file opened in notepad?

Ans:  C:\Users\JOHNDO~1\AppData\Local\Temp\7zO4FB31F24\accountNum

Detail: the cmdline plugin shows the command-line arguments each process was started with; notepad.exe receives the path of the file it opened as its argument:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.cmdline | grep -i notepad


Q10: How long did the suspect use Brave browser? (hh:mm:ss)

Ans:  04:01:54

Detail: the UserAssist registry key in the NTUSER.dat hive records program execution (run count and focus time per program), and the windows.registry.userassist plugin extracts that information; the Time Focused column for the Brave entry is the answer:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.registry.userassist | grep -i brave