Brave (Cyberdefenders)
Category: Digital Forensics
ມື້ນີ້ເຮົາຈະມາແກ້ໂຈດຈາກໄຟລ໌ memory ຈາກເຄື່ອງ Windows ທີ່ຖືກຢຶດມາ. ເຮົາຈະມາວິເຄາະຫາຂໍ້ມູນ ແລະ ຕອບຄໍາຖາມໄປພ້ອມໆກັນ. ໂດຍໃຊ້ Program:
- volatility3
- HxD
memdump.mem ຄືໄຟລ໌ໜ່ວຍຄວາມຈໍາທີ່ໃຊ້ເກັບຂໍ້ມູນ Binary
Q1.What time was the RAM image acquired according to the suspect system? (YYYY-MM-DD HH:MM:SS)
python vol.py -f "C:\Users\melon\Desktop\memdump.mem" windows.infoKernel Base 0xf8043cc00000
DTB 0x1aa000
Is64Bit True
IsPAE False
layer_name 0 WindowsIntel32e
memory_layer 1 FileLayer
KdVersionBlock 0xf8043d80f368
Major/Minor 15.19041
MachineType 34404
KeNumberProcessors 4
SystemTime 2021-04-30 17:52:19
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 10
NtMinorVersion 0
PE MajorOperatingSystemVersion 10
PE MinorOperatingSystemVersion 0
PE Machine 34404
PE TimeDateStamp Tue Oct 11 07:04:26 1977plugin windows.info ແມ່ນມັນຈະໃຫ້ຂໍ້ມູນລາຍລະອຽດກ່ຽວກັບໄຟລ໌ “memdump.mem” ເປັນຕົ້ນແມ່ນ ລະບົບປະຕິບັດການ, ເວລາຂອງລະບົບ, ລາຍລະອຽດຂອງລະບົບ.
Q2.What is the SHA256 hash value of the RAM image?
ນໍາໃຊ້ໂປຣແກຣມ File_CheckSum.py ທີ່ຂຽນດ້ວຍພາສາ python
import hashlib
def calculate_hash(filename, hash_type):
if hash_type == 'md5':
hash_func = hashlib.md5()
elif hash_type == 'sha1':
hash_func = hashlib.sha1()
elif hash_type == 'sha256':
hash_func = hashlib.sha256()
else:
raise ValueError('Unsupported hash type')
with open(filename, 'rb') as f:
for chunk in iter(lambda: f.read(4096), b''):
hash_func.update(chunk)
return hash_func.hexdigest()
if __name__ == '__main__':
filename = input('Enter the file path: ')
hash_type = input('Enter the hash type (md5, sha1, or sha256): ')
try:
hash_value = calculate_hash(filename, hash_type)
print(f'{hash_type.upper()} hash of {filename}: {hash_value}')
except Exception as e:
print(f'Error: {e}')Run ໄຟລ໌ດ້ວຍ cmd:
C:\Users\melon\Desktop>python File_CheckSum.py
Enter the file path: C:\Users\melon\Desktop\memdump.mem
Enter the hash type (md5, sha1, or sha256): sha256
SHA256 hash of C:\Users\melon\Desktop\memdump.mem: 9db01b1e7b19a3b2113bfb65e860fffd7a1630bdf2b18613d206ebf2aa0ea172Q3.What is the process ID of “brave.exe”?
python vol.py -f "C:\Users\melon\Desktop\memdump.mem" windows.pslist.PsList
plugin windows.pslist.PsList ຈະສະແດງລາຍລະອຽດຂອງ Program ທີ່ເຮັດວຽກເທິງລະບົບ. ເຊັ່ນ: ຕົວເລກ Pid, offset ທີ່ຢູ່ຂອງໄຟລ໌, ຊື່ໂປຣແກຣມ ແລະ ເວລາ ເປັນຕົ້ນ.
Q4.How many established network connections were there at the time of acquisition? (number)
python vol.py -f "C:\Users\melon\Desktop\memdump.mem" windows.netscan.NetScan > netscan.txtຫຼັງຈາກນັ້ນໃຊ້ Program text Editot ຫຼື Code Editor ເປີດໄຟລ໌ netscan.txt ແລ້ວຄົ້ນຫາຄໍ່ວ່າ ESTABLISHED ຈະເຫັນວ່າມີ 10 ການເຊື່ອມຕໍ່.
Q5.What FQDN does Chrome have an established network connection with?
ຂໍ້ນີ້ແມ່ນຫາ IP ທີ່ມີການເຊື່ອມຕໍ່ Network ຈາກໂປຣແກຣມ Chrome ຈະເຫັນວ່າມີຫຼາຍ IP ເຊັ່ນ: 185.70.41.35 ແລະ 185.70.41.130
ນໍາ IP ໄປຄົ້ນຫາຂໍ້ມູນຕໍ່ https://www.whois.com/whois/185.70.41.130 ກໍຈະພົບຄໍາຕອບ % Abuse contact for ‘185.70.40.0–185.70.43.255’ is ‘email@protonmail.ch’
Q6.What is the MD5 hash value of process executable for PID 6988?
python vol.py -f "C:\Users\melon\Desktop\memdump.mem" windows.pslist.PsList
Process ID 6988 ແມ່ນມີ Program OneDrive ເຮັດວຽກຢູ່ => ຕໍ່ໄປເຮົາຈະ Dump File “OneDrive” ອອກມາ, ຕາມ Process ID 6988.
python vol.py -f "C:\Users\melon\Desktop\memdump.mem" -o dumpfilezzz/ windows.pslist.PsList --pid 6988 --dumpC:\Users\melon\Desktop>python File_CheckSum.py
Enter the file path: C:\Users\melon\dumpfilezzz\pid.6988.0x1c0000.dmp
Enter the hash type (md5, sha1, or sha256): md5
MD5 hash of C:\Users\melon\dumpfilezzz\pid.6988.0x1c0000.dmp: 0b493d8e26f03ccd2060e0be85f430afQ7.What is the word starting at offset 0x45BE876 with a length of 6 bytes?
ເປີດໂປຣແກຣມ HxD ຂຶ້ນມາ, ແລ້ວເປີດໄຟລ໌ memdump.mem ແລ້ວຫາຄໍາຕອບຈາກທີ່ຢູ່ offset ທີ່ມັນໃຫ້ມາ, ຈາກຮູບຂ້າງລຸ່ມoffset 0x45BE876 ແມ່ນເລີ່ມຈາກ h ສະນັ້ນຄໍາຕອບຂອງເຮົາກໍຄື “hacker”
Q8.What is the creation date and time of the parent process of “powershell.exe”? (YYYY-MM-DD HH:MM:SS)
python vol.py -f "C:\Users\melon\Desktop\memdump.mem" windows.pstree.PsTreeຫາເວລາທີ່ມີການເອີ້ນໃຊ້ງານຕົວໄຟລ໌ “powershell.exe” ຈາກຮູບດ້ານລຸ່ມແມ່ນອີງຕາມເວລາຂອງ Process ໄຟລ໌ “userinit.exe” ທີ່ມີການເປີດໄຟລ໌ explorer.exe > VBoxTray.exe ແລະ powershell.exe ຕາມລໍາດັບ.
Q9.What is the full path and name of the last file opened in notepad?
python vol.py -f "C:\Users\melon\Desktop\memdump.mem" windows.cmdline.CmdLine
plugin windows.cmdline.CmdLine ສະແດງຂໍ້ມູນຂະບວນການຂອງໂປຣແກຣມທີ່ຖືກເອີ້ນໃຊ້ງານດ້ວຍຄໍາສັ່ງຜ່ານຕົວ command-line (CMD)
Q10.How long did the suspect use Brave browser? (hh:mm:ss)
python vol.py -f "C:\Users\melon\Desktop\memdump.mem" windows.registry.userassist.UserAssist
plugin windows.registry.userassist.UserAssist ຈະສະແດງຂໍ້ມູນການຕັ້ງຄ່າຂອງ registry ແລະ ຂໍ້ມູນທົ່ວໄປກ່ຽວກັບໄຟລ໌
