A memory image was taken from a seized Windows machine. Analyze the image and answer the provided questions.
Q1: What time was the RAM image acquired according to the suspect system? (YYYY-MM-DD HH:MM:SS)
Ans: 2021-04-30 17:52:19
Detail: the windows.info plugin reports the system time at the moment the image was acquired:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.info
Q2: What is the SHA256 hash value of the RAM image?
Ans: 9db01b1e7b19a3b2113bfb65e860fffd7a1630bdf2b18613d206ebf2aa0ea172
Detail: I used the sha256sum command for that.
sha256sum 20210430-Win10Home-20H2-64bit-memdump.mem
Q3: What is the process ID of “brave.exe”?
Ans: 4856
Detail: the windows.pslist plugin lists the running processes together with their PIDs:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.pslist
Q4: How many established network connections were there at the time of acquisition? (number)
Ans: 10
Detail: the windows.netscan plugin lists all network connections; piping its output through grep makes counting the ESTABLISHED ones easy.
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.netscan | grep -i established
Q5: What FQDN does Chrome have an established network connection with?
Ans: protonmail.ch
Detail: in the netscan output above we can see that chrome.exe was connected to 185.70.41.130. To find the FQDN for this IP address we can do a reverse lookup with nslookup:
nslookup 185.70.41.130
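Counting established connections and tying them to their owning process (Q4 and Q5) is easy to script instead of eyeballing a grep. The following is an added example, not part of the original write-up: it parses the tab- or space-separated windows.netscan output, keeps only TCP rows, and groups remote endpoints per process. The sample output embedded in SAMPLE_NETSCAN is constructed for the example and is not the real output from this image.

```python
import re

# Constructed sample of Volatility 3 windows.netscan output (not the real
# output from the page's image). Columns follow the plugin's header line.
SAMPLE_NETSCAN = """\
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0xc08a2f1d0a20\tTCPv4\t192.168.1.20\t49712\t185.70.41.130\t443\tESTABLISHED\t4420\tchrome.exe\t2021-04-30 17:40:01.000000
0xc08a2f1d0c30\tTCPv4\t192.168.1.20\t49730\t172.217.16.46\t443\tESTABLISHED\t4856\tbrave.exe\t2021-04-30 17:41:12.000000
0xc08a2f1d0e40\tTCPv4\t192.168.1.20\t49731\t172.217.16.46\t443\tCLOSE_WAIT\t4856\tbrave.exe\t2021-04-30 17:41:13.000000
0xc08a2f1d1050\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t928\tsvchost.exe\t2021-04-30 17:38:55.000000
0xc08a2f1d1260\tUDPv4\t0.0.0.0\t5353\t*\t0\t\t4856\tbrave.exe\t2021-04-30 17:41:14.000000
0xc08a2f1d1470\tTCPv6\t::1\t49801\t::1\t49802\tESTABLISHED\t6988\tpowershell.exe\t2021-04-30 17:45:03.000000
"""

# Only TCP rows carry a State column; UDP rows leave it empty, which would
# break a naive whitespace split, so match TCP rows explicitly.
TCP_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>TCPv[46])\s+"
    r"(?P<laddr>\S+)\s+(?P<lport>\d+)\s+(?P<faddr>\S+)\s+(?P<fport>\d+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s+(?P<owner>\S+)"
)


def parse_tcp_rows(text):
    """Return one dict per TCP row of netscan output; header and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            row["lport"] = int(row["lport"])
            row["fport"] = int(row["fport"])
            rows.append(row)
    return rows


def established(rows):
    """Filter to connections in the ESTABLISHED state (the Q4 count)."""
    return [r for r in rows if r["state"] == "ESTABLISHED"]


def remote_endpoints_by_owner(rows):
    """Map owner process name -> set of (foreign address, foreign port) for established rows (Q5)."""
    out = {}
    for r in established(rows):
        out.setdefault(r["owner"], set()).add((r["faddr"], r["fport"]))
    return out


if __name__ == "__main__":
    rows = parse_tcp_rows(SAMPLE_NETSCAN)
    print("established:", len(established(rows)))
    for owner, endpoints in sorted(remote_endpoints_by_owner(rows).items()):
        print(owner, sorted(endpoints))
```

On a real image, feed the plugin's saved output to parse_tcp_rows and the per-owner map gives you the IP to reverse-resolve for each browser process.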
Q6: What is the MD5 hash value of process executable for PID 6988?
Ans: 0b493d8e26f03ccd2060e0be85f430af
Detail: first we need to dump the process executable, which pslist can do with the --pid and --dump options:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.pslist --pid 6988 --dump
After that, to get the MD5 hash of the dumped file we can use
md5sum pid.6988.0x1c0000.dmp
Q7: What is the word starting at offset 0x45BE876 with a length of 6 bytes?
Ans: hacker
Detail: any hex editor will do for this: jump to offset 0x45BE876 and read the next 6 bytes.
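Hashing the image (Q2), hashing a dumped executable (Q6) and reading a word at a raw offset (Q7) are all plain file operations, and scripting them avoids loading a multi-gigabyte image into a hex editor. The following is an added example and not code from the original write-up: hash_file hashes in chunks, read_bytes_at/word_at pull bytes from an offset, and make_sample_image builds a small constructed stand-in for a memory image (zero padding with the word "hacker" at a small offset chosen for the example, not the page's 0x45BE876). One caveat worth remembering for Q6: the hash of an executable dumped from memory generally does not match the hash of the file on disk, because the dump is rebuilt from page-aligned, relocated memory.

```python
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-GB memory image never has to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def read_bytes_at(path, offset, length):
    """Return exactly `length` bytes starting at `offset`; raise if the file is too short."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read(length)
    if len(data) != length:
        raise ValueError(f"only {len(data)} of {length} bytes available at offset {offset:#x}")
    return data


def word_at(path, offset, length):
    """Decode the bytes at `offset` as printable ASCII, falling back to a hex string."""
    raw = read_bytes_at(path, offset, length)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return raw.hex()
    return text if text.isprintable() else raw.hex()


def make_sample_image(path, word=b"hacker", offset=0x1000, size=0x2000):
    """Write a constructed stand-in for a memory image: zeros with `word` placed at `offset`."""
    buf = bytearray(size)
    buf[offset:offset + len(word)] = word
    with open(path, "wb") as f:
        f.write(buf)


def demo():
    """Build constructed sample files in a temp dir and return the computed values."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "sample.mem")
        make_sample_image(image)
        small = os.path.join(d, "abc.bin")
        with open(small, "wb") as f:
            f.write(b"abc")  # constructed content with well-known digests
        return {
            "word": word_at(image, 0x1000, 6),
            "sha256_abc": hash_file(small, "sha256"),
            "md5_abc": hash_file(small, "md5"),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

On the real image, hash_file(image_path) reproduces the sha256sum result and word_at(image_path, 0x45BE876, 6) reproduces the hex-editor step.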
Q8: What is the creation date and time of the parent process of “powershell.exe”? (YYYY-MM-DD HH:MM:SS)
Ans: 2021-04-30 17:39:48
Detail: to inspect parent/child process relationships easily we can use the pstree plugin for volatility:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.pstree
Q9: What is the full path and name of the last file opened in notepad?
Ans: C:\Users\JOHNDO~1\AppData\Local\Temp\7zO4FB31F24\accountNum
Detail: the cmdline plugin shows the command-line arguments of each process, and notepad.exe receives the opened file as its argument:
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.cmdline | grep -i notepad
Q10: How long did the suspect use Brave browser? (hh:mm:ss)
Ans: 04:01:54
Detail: the UserAssist key in the NTUSER.DAT hive records program execution, including the run count and the total time the program had focus, and the “windows.registry.userassist” plugin extracts that information.
vol3 -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.registry.userassist | grep -i brave
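To see where the plugin's "Time Focused" column comes from, the following added example (not code from the original write-up or from Volatility) decodes a raw UserAssist registry value the way the plugin does: the value name is ROT13-encoded, and the 72-byte Windows 7+ data blob holds the run count, focus count, focus time in milliseconds and a FILETIME of the last execution. The sample name and blob are constructed for the example; they are not the suspect's actual registry data, although the focus time is chosen to format as 04:01:54 like the answer to Q10.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Layout of a Windows 7+ UserAssist value (72 bytes, little-endian):
#   0  uint32   session id
#   4  uint32   run count
#   8  uint32   focus count
#  12  uint32   focus time in milliseconds
#  16  10 x f32 internal counters
#  56  uint32   unknown
#  60  FILETIME last executed (100 ns ticks since 1601-01-01 UTC)
#  68  uint32   zero
USERASSIST_FMT = "<IIII10fIQI"
USERASSIST_SIZE = struct.calcsize(USERASSIST_FMT)  # 72

# Difference between the FILETIME epoch (1601) and the Unix epoch (1970).
FILETIME_UNIX_EPOCH = 116444736000000000


def decode_userassist_name(rot13_name):
    """Value names are stored ROT13-encoded; the known-folder GUID prefix is rotated too."""
    return codecs.decode(rot13_name, "rot13")


def filetime_to_datetime(ft):
    """Convert a FILETIME tick count to an aware UTC datetime (None for the zero value)."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def format_duration(ms):
    """Render milliseconds as hh:mm:ss, the format Q10 asks for."""
    total = ms // 1000
    h, rem = divmod(total, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}"


def parse_userassist_value(rot13_name, data):
    """Decode one UserAssist value (name + raw data) into a readable record."""
    if len(data) != USERASSIST_SIZE:
        raise ValueError(f"expected {USERASSIST_SIZE} bytes, got {len(data)}")
    fields = struct.unpack(USERASSIST_FMT, data)
    session, run_count, focus_count, focus_ms = fields[:4]
    last_exec_ft = fields[15]  # the Q field after the ten floats and one uint32
    return {
        "program": decode_userassist_name(rot13_name),
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "focus_time": format_duration(focus_ms),
        "last_executed": filetime_to_datetime(last_exec_ft),
    }


def build_sample_value(run_count, focus_count, focus_ms, last_exec_ft):
    """Construct a 72-byte blob in the layout above (test data, not a real registry value)."""
    return struct.pack(USERASSIST_FMT, 0, run_count, focus_count, focus_ms,
                       *([0.0] * 10), 0, last_exec_ft, 0)


# Constructed sample: ROT13 of a brave.exe path under a known-folder GUID,
# 12 runs, 37 focus events, 4h 1m 54s of focus, last run 2021-04-30 17:00:00 UTC.
SAMPLE_NAME = r"{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\OenirFbsgjner\Oenir-Oebjfre\Nccyvpngvba\oenir.rkr"
SAMPLE_DATA = build_sample_value(12, 37, 14514000, 132642756000000000)

if __name__ == "__main__":
    rec = parse_userassist_value(SAMPLE_NAME, SAMPLE_DATA)
    print(rec["program"])
    print("runs:", rec["run_count"], "focus time:", rec["focus_time"], "last:", rec["last_executed"])
```

When you pull the same value out of an exported NTUSER.DAT with any registry parser, the focus_time field is the "how long did the suspect use it" figure the plugin prints.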