[EN] Brave — CyberDefenders
Scenario: A memory image was taken from a seized Windows machine. As a security blue team analyst, analyze the image and answer the provided questions.
We downloaded our file, which is an image file about 4.7 GB in size.
Based on the name of our file, it looks like a memory image of Windows 10 Home edition. We can use the Volatility tool to confirm this. But first, let’s shorten the file name to make it easier to work with. Our new file name will be “win10”.
We can work now.
We’re not given the date of the RAM image. Let’s first determine this. We can use our “Volatility” tool for this.
Volatility is an open-source memory analysis tool used in digital forensics. It examines RAM (memory) dumps of computer systems to recover the processes, network connections, user sessions and malware that were present at the time the image was taken.
With the command “python3 vol.py -f win10.mem windows.info” we get general information about the Windows system from the memory dump.
Let me briefly explain the function of this command:
python3: Run a Python script using the Python 3 interpreter.
vol.py: Volatility’s Python script, the main executable file.
-f win10.mem: Specifies the memory image file to analyze (win10.mem).
windows.info: This is a command of Volatility and provides general information about the memory image. It extracts Windows system information.
Volatility gave us the output. We now know when the RAM image was taken according to the suspect system.
Now let’s find the SHA-256 hash of the RAM image.
The “Get-FileHash win10.mem” command is used in PowerShell to calculate the hash value of a file. This is how we learned our hash value.
Then we need to find the PPID (Parent Process ID) value of the process named “Brave.exe”. The PPID is an identification number that shows which parent process started a given process in an operating system.
We can try two ways for this. One is to use the command “python3 vol.py -f win10.mem windows.pslist” in Volatility. This command lists the Windows processes in the memory dump.
As soon as we type the command, the brave.exe line appears in front of us.
Another way is Volatility but with a visual interface :)
If you prefer a more user-friendly interface, you can use the ‘Volatility Workbench’ tool. Command-line Volatility is preferred for advanced work: in the command line you have access to all commands, while in the graphical interface some features are limited. Here I just wanted to show that this alternative is also available.
Another piece of information we are asked to find out is how many ‘Established’ network connections there are at the time of the compromise. To see this in a Windows operating system we need to type “netstat -an” at the command line. We will do the same here.
With the command “python3 vol.py -f win10.mem windows.netscan” we can view the active network connections and open ports in the image.
Here, network connections in the ‘Established’ state indicate that a process is actively connecting with another system.
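To make the ‘Established’ count (and the per-process breakdown needed for the Chrome question) repeatable instead of eyeballing the table, here is an added helper that is not part of the original write-up: it parses the tab-separated text that Volatility 3’s windows.netscan prints and counts rows by state. The sample output embedded below is constructed (documentation-range addresses, made-up offsets, PIDs and times), not data from the image.

```python
from collections import Counter

# Constructed sample of Volatility 3 windows.netscan output (tab-separated).
# Addresses are RFC 5737 documentation ranges, not hosts from the real image.
SAMPLE_NETSCAN = """Volatility 3 Framework 2.5.0
Progress:  100.00\t\tPDB scanning finished
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated

0xc60c7a6c1010\tTCPv4\t192.0.2.10\t49761\t203.0.113.5\t443\tESTABLISHED\t4488\tbrave.exe\t2021-04-30 17:15:59.000000
0xc60c7a6c1c30\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t904\tsvchost.exe\t2021-04-30 17:10:01.000000
0xc60c7a6d2a40\tTCPv4\t192.0.2.10\t49802\t203.0.113.7\t443\tESTABLISHED\t6120\tchrome.exe\t2021-04-30 17:16:11.000000
0xc60c7a6e0f20\tTCPv4\t192.0.2.10\t49770\t203.0.113.5\t443\tESTABLISHED\t4488\tbrave.exe\t2021-04-30 17:16:02.000000
0xc60c7a7001a0\tTCPv4\t192.0.2.10\t49650\t198.51.100.9\t80\tCLOSE_WAIT\t6988\tOneDrive.exe\t2021-04-30 17:12:40.000000
0xc60c7a9f0010\tUDPv4\t0.0.0.0\t5353\t*\t0\tN/A\t4488\tbrave.exe\t2021-04-30 17:11:00.000000
"""

# Column order used by the windows.netscan plugin's default text renderer.
COLUMNS = ["Offset", "Proto", "LocalAddr", "LocalPort", "ForeignAddr",
           "ForeignPort", "State", "PID", "Owner", "Created"]


def parse_netscan(text):
    """Turn netscan output into a list of row dicts, skipping the banner,
    progress line, header and blank lines (only rows starting with 0x count)."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != len(COLUMNS) or not parts[0].startswith("0x"):
            continue
        rows.append(dict(zip(COLUMNS, parts)))
    return rows


def count_by_state(rows):
    """How many connections are in each state (ESTABLISHED, LISTENING, ...)."""
    return Counter(r["State"] for r in rows)


def established_by_owner(rows):
    """Map each owning process to the remote endpoints it is connected to."""
    out = {}
    for r in rows:
        if r["State"] == "ESTABLISHED":
            out.setdefault(r["Owner"], []).append(f"{r['ForeignAddr']}:{r['ForeignPort']}")
    return out


if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    print(count_by_state(rows))
    print(established_by_owner(rows))
```

On the real image, pipe the plugin into a file (python3 vol.py -f win10.mem windows.netscan > netscan.txt) and pass its contents to parse_netscan; the remote endpoints listed for chrome.exe are the ones to resolve to an FQDN.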
The next step is to determine which FQDN Chrome has an established network connection with. For this, I looked for connections that were ‘Established’.
When I looked up the IP address I found on the web, I found that it belongs to the hostname protonmail.ch.
It asks us to find the MD5 value for the process with ID number 6988. For this we need to dump the process with PID 6988 to disk. We can do this with the command “python3 vol.py -f win10.mem windows.pslist --pid 6988 --dump” (Volatility 3 uses double-dash long options for --pid and --dump).
We’ve managed to extract the Process, now we can get the MD5 value.
We learn our MD5 value with the command “Get-FileHash .\6988.OneDrive.exe.0x1c0000.dmp -Algorithm MD5 | Format-List”.
We were asked to find the word that starts at offset 0x45BE876 and is 6 bytes long. For this we can view our image file with a hex editor. I will use the ‘HxD’ tool for this.
We opened our image file with our HxD tool and searched for the offset ‘45BE876’.
It wasn’t hard to find the word.
In the image, the creation time of the PowerShell process was requested in hours, minutes and seconds.
For this, we go back to the Volatility tool. Again, as we did before, we extract the process list with the “pslist” command.
Here we find the ‘powershell’ process, but when we look a little further up the list we see that powershell was started under the explorer process.
We should therefore take the creation time of the ‘explorer.exe’ process as the answer.
We are asked to find the file path of the last notepad opened. Let’s detect it with the command “python3 vol.py -f win10.mem windows.cmdline”. This command is used to list the command line arguments of processes on the Windows system.
We found the file path.
We need to find out how long the attacker used the Brave browser.
We used the command “python3 vol.py -f win10.mem windows.registry.userassist” to list the information in the UserAssist key, which keeps track of the applications and files that users have used before.
We got too many results. It is hard to scan the area we need from the command line. So I’m going to make it a bit easier :)
I copy all the data that appears on the command line to notepad.
I press CTRL+F to search for the word ‘Brave’ and get the application’s entry in the UserAssist record.
For example:
This record shows that the user named “John Doe” has opened the Brave browser a total of 9 times, with the last use occurring on April 30, 2021. The area marked in red shows how long the app has been running.
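Volatility’s userassist plugin already decodes these fields, but it helps to know what “Count”, “Time Focused” and “Last Updated” come from. The added example below (not part of the original write-up) decodes a raw Windows 7+ UserAssist value: the value name is ROT13-encoded and the 72-byte data holds the run count, focus count, focus time in milliseconds and the last-execution FILETIME at offsets 4, 8, 12 and 60. The record it decodes is constructed here with made-up values (run count 9, 1.5 hours of focus, a 2021-04-30 timestamp, a placeholder GUID in the name), not bytes from the image.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist(value_name, raw):
    """Decode one Windows 7+ UserAssist value (ROT13 name, 72-byte data).
    Layout: [4] run count, [8] focus count, [12] focus time in ms,
    [60] last execution FILETIME; other bytes are session/unknown data."""
    if len(raw) != 72:
        raise ValueError(f"expected 72-byte UserAssist record, got {len(raw)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", raw, 4)
    (last_ft,) = struct.unpack_from("<Q", raw, 60)
    return {
        "name": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "time_focused": timedelta(milliseconds=focus_ms),
        # A zero FILETIME means the entry was never executed.
        "last_executed": filetime_to_datetime(last_ft) if last_ft else None,
    }


def build_record(run_count, focus_count, focus_ms, last_executed):
    """Build a constructed 72-byte record with the layout above (test data)."""
    ticks = (last_executed - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    raw = bytearray(72)
    struct.pack_into("<III", raw, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", raw, 60, ticks)
    return bytes(raw)


# Constructed sample: placeholder GUID, made-up counts and timestamp.
SAMPLE_NAME = codecs.encode("{placeholder-guid}\\Brave.lnk", "rot_13")
SAMPLE_RAW = build_record(9, 3, 5_400_000,
                          datetime(2021, 4, 30, 17, 20, 5, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(SAMPLE_NAME)              # ROT13 name as stored in the registry
    print(decode_userassist(SAMPLE_NAME, SAMPLE_RAW))
```

The "Raw Data" column of windows.registry.userassist gives exactly these bytes, so the decoded time_focused is the "how long was Brave used" value and last_executed is the date reported above.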
— — — — — — — — — — — — — — — — — — — — —
In conclusion, the knowledge and experience we gained during this CTF event provided us with an important opportunity to increase our competence in forensics and cyber security. Our analysis of a memory image from a compromised Windows machine gave us an in-depth understanding of tracking user behavior, determining the frequency of application usage and detecting potential threats. Thank you to everyone who read and contributed.
You can send me a connection request via “LinkedIn”.