You can read this writeup on my GitBook account Link
Scenario:
A memory image was acquired from a suspected compromised Windows workstation. The system belonged to a user flagged for potentially malicious activities, including unauthorized access attempts and unusual browsing patterns. The security team observed network activity to external IPs associated with encrypted communication services.
Your task is to analyze the provided memory dump to uncover details about the processes involved, identify active connections at the time of the compromise, and trace the usage patterns of specific applications.
Tools:
Volatility Workbench, HxD, WhoIs, Python3, Volatility 3, Get-FileHash, Notepad++
First, I am using Volatility Workbench, a GUI front end for Volatility 3, instead of the command-line version so that I can work comfortably on Windows. Link HERE
Q1: What time was the RAM image acquired according to the suspect system?
Using the windows.info.Info plugin, the answer is in the SystemTime field. That value is the suspect machine's own clock (read from KUSER_SHARED_DATA in the image, in UTC), which is exactly what the question asks for, as opposed to the time the analyst's machine recorded when the file was written.
Q2: What is the SHA256 hash value of the RAM image?
Using Get-FileHash in PowerShell (SHA256 is its default algorithm) on the RAM image file gives the hash. It is worth recording this value before any analysis so you can prove later that the image you worked on is the one that was acquired.
Q3: What is the process ID of brave.exe?
Using the windows.pslist.PsList plugin, we find the PID of brave.exe in the process list.
Q4: How many established network connections were there at the time of acquisition?
Since I am on Windows using Volatility Workbench, I cannot pipe the output through grep as I would on Linux, but there is an alternative :)
Using the windows.netscan.NetScan plugin to scan for network objects (sockets and connections) present in this Windows memory image.
Then copy the whole output into Notepad++ and use Ctrl+F (the Count button) to count how many times the word ESTABLISHED appears. Each ESTABLISHED row is one connection, so the occurrence count is the number of established connections.
We can see the count matches in the following image :)
Q5: Which domain name does Chrome have an established network connection with?
Using the same windows.netscan.NetScan output again:
Scroll down until we reach this line: the chrome.exe process has an ESTABLISHED connection to this IP address. We can then look the address up on WhoIs to see which domain it belongs to. Note that WHOIS returns the owner of the netblock; a reverse DNS (PTR) lookup of the same IP is the complementary check if you want a hostname.
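The two netscan steps above (counting ESTABLISHED rows, then finding the remote endpoint of chrome.exe's established connection) done over the plugin output in Python, as an added example that is not part of the original writeup. It assumes the tab-separated column layout that Volatility 3's text renderer prints for windows.netscan.NetScan (Offset, Proto, LocalAddr, LocalPort, ForeignAddr, ForeignPort, State, PID, Owner, Created); the rows below are constructed sample data, not the challenge image, and the owning domain of an address still has to come from a WHOIS or reverse-DNS lookup outside the image.

```python
"""Count ESTABLISHED connections and group remote endpoints by owning process
from Volatility 3 windows.netscan.NetScan text output.

Added example; not code from the original writeup.  Assumes the plugin's
default tab-separated text layout (header line followed by one row per
network object).  The rows below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample of NetScan output; not taken from the challenge image.
NETSCAN_OUTPUT = "\n".join([
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated",
    "0xa8d2e1a0\tTCPv4\t10.0.2.15\t49712\t142.250.74.46\t443\tESTABLISHED\t3412\tchrome.exe\t2023-11-14 08:12:03.000000",
    "0xa8d2e2b0\tTCPv4\t10.0.2.15\t49801\t104.16.249.249\t443\tESTABLISHED\t5212\tbrave.exe\t2023-11-14 08:13:55.000000",
    "0xa8d2e3c0\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t912\tsvchost.exe\t2023-11-14 07:58:10.000000",
    "0xa8d2e4d0\tTCPv4\t10.0.2.15\t49650\t52.98.166.34\t443\tCLOSE_WAIT\t7100\tOneDrive.exe\t2023-11-14 08:01:40.000000",
    "0xa8d2e5e0\tUDPv4\t0.0.0.0\t5353\t*\t0\t\t3412\tchrome.exe\t2023-11-14 08:00:00.000000",
    "0xa8d2e6f0\tTCPv4\t10.0.2.15\t49833\t13.107.42.14\t443\tESTABLISHED\t7100\tOneDrive.exe\t2023-11-14 08:14:20.000000",
]) + "\n"


def parse_table(text):
    """Turn the header + rows into a list of dicts keyed by column name.
    Empty fields (e.g. State on UDP rows) are kept as empty strings."""
    lines = [line for line in text.splitlines() if line.strip()]
    columns = lines[0].split("\t")
    return [dict(zip(columns, line.split("\t"))) for line in lines[1:]]


def count_established(rows):
    """Same number Ctrl+F gives in Notepad++, but matched on the State
    column only, so a stray 'ESTABLISHED' elsewhere cannot inflate it."""
    return sum(1 for r in rows if r.get("State") == "ESTABLISHED")


def established_by_owner(rows):
    """Map owning process name -> list of 'ForeignAddr:ForeignPort' for every
    ESTABLISHED row, so the remote side of chrome.exe's session is one lookup."""
    out = defaultdict(list)
    for r in rows:
        if r.get("State") == "ESTABLISHED":
            out[r["Owner"]].append(f"{r['ForeignAddr']}:{r['ForeignPort']}")
    return dict(out)


if __name__ == "__main__":
    rows = parse_table(NETSCAN_OUTPUT)
    print("established:", count_established(rows))
    for owner, peers in established_by_owner(rows).items():
        print(f"{owner:14s} {', '.join(peers)}")
```

Save the plugin output from Workbench to a text file and feed it to parse_table() instead of the constructed string; matching on the State column rather than a free-text search also keeps LISTENING and CLOSE_WAIT sockets, which a quick scroll can mistake for live sessions, out of the count.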
Q6: What is the MD5 hash value of the process executable for PID 6988?
Unfortunately I could not solve this question with Volatility Workbench, so I used Volatility 3 directly on Windows to dump the executable of PID 6988 (OneDrive.exe) correctly (windows.pslist.PsList with --pid 6988 --dump writes it to disk) and then took the MD5 hash of the dumped file.
Q7: Can you identify the word that begins at offset 0x45BE876 and is 6 bytes long?
We can use HxD: open the memory image file in HxD, then press Ctrl+G to jump to a specific offset (make sure the dialog is set to hex and to an offset from the beginning of the file).
The cursor lands on the byte at the offset we typed, so that byte is the first of the word; count it plus the next five to get the 6-byte word.
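The same two file operations scripted, as an added example that is not code from the writeup: chunked hashing of a large file (the Get-FileHash step of Q2 and the MD5 of the dumped executable in Q6) and reading a fixed number of bytes at a raw file offset (the HxD Ctrl+G step of Q7). It builds a small throwaway file with a planted word so it runs without the challenge image; the function names, the sample size and the word "secret" are my own choices.

```python
"""Hash a memory image or a dumped process executable in fixed-size chunks
(the Get-FileHash step from Q2 and Q6) and read N bytes at a raw file offset
(the HxD Ctrl+G step from Q7).

Added example; not code from the original writeup.  It writes a small
throwaway file so it runs without the challenge image; pass the real image
path (and the real offset) to hash_file()/bytes_at() to use it for real.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: a multi-GB image must never be read whole


def hash_file(path, algo="sha256"):
    """Stream the file through hashlib; 'sha256' for the image, 'md5' for
    the dumped executable.  hashlib.new() accepts any OpenSSL algorithm name."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def bytes_at(path, offset, length):
    """Return exactly `length` bytes starting at raw file offset `offset`.
    This is the same addressing HxD uses (Ctrl+G with a hex offset from the
    start of the file): a physical file offset, not a virtual address, and
    the byte at the offset itself is the first of the six for Q7."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read(length)
    if len(data) != length:
        raise ValueError(f"only {len(data)} of {length} bytes available at {offset:#x}")
    return data


def make_sample_image(path, word=b"secret", offset=0x1000, size=0x2000):
    """Constructed stand-in for the memory image: `size` zero bytes with
    `word` planted at `offset`.  Not derived from the challenge file."""
    if offset + len(word) > size:
        raise ValueError("word does not fit in the sample image")
    with open(path, "wb") as f:
        f.write(b"\x00" * offset)
        f.write(word)
        f.write(b"\x00" * (size - offset - len(word)))
    return path


def demo(word=b"secret", offset=0x1000, size=0x2000):
    """Build the sample image, hash it both ways and recover the planted word."""
    fd, path = tempfile.mkstemp(suffix=".mem")
    os.close(fd)
    try:
        make_sample_image(path, word, offset, size)
        return {
            "sha256": hash_file(path),
            "md5": hash_file(path, "md5"),
            "word": bytes_at(path, offset, len(word)).decode("ascii", "replace"),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For the real task, call bytes_at("memory.raw", 0x45BE876, 6) and hash_file("memory.raw") directly; the hexdigest from hash_file() should match what Get-FileHash prints for the same file.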
Q8: What is the creation date and time of the parent process of powershell.exe?
Using the windows.pstree.PsTree plugin to get the parent/child hierarchy of the processes.
powershell.exe's parent is explorer.exe with PID 4352, so we need the creation date and time of that explorer.exe process.
Q9: What is the full path and name of the last file opened in notepad?
We can use the following settings to get the full path and file name.
Q10: How long did the suspect use Brave browser? (In Hours)
Using the windows.registry.userassist.UserAssist plugin to print the UserAssist registry keys, which record, for each program the user launched, the run count and the time it was in focus (the Time Focused column).
Because the output is very long, we need to search in it, so save the output to a text file and search for brave inside it.
Be aware that we are looking for Brave itself, not the Brave updater and not a .lnk shortcut entry, just the real Brave browser executable.
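The same filtering done in Python over the plugin output, as an added example that is not part of the original writeup. It assumes the tab-separated column layout of Volatility 3's text output for the UserAssist plugin with the columns named in the block, and a Time Focused value formatted like Python's timedelta (H:MM:SS.ffffff with an optional "N days, " prefix); the rows, paths and times are constructed, not the challenge data, and the rule that "update" in the name or a .lnk suffix marks the updater or a shortcut is my assumption.

```python
"""Extract the Brave browser's focus time from Volatility 3
windows.registry.userassist.UserAssist output and convert it to hours.

Added example; not code from the original writeup.  Assumes the plugin's
tab-separated text layout with the columns named below and a 'Time Focused'
value formatted like Python's timedelta ('H:MM:SS.ffffff', optional
'N days, ' prefix).  The rows are constructed sample data.
"""
import re

HEADER = ["Hive Offset", "Hive Name", "Path", "Last Write Time", "Type", "Name",
          "ID", "Count", "Focus Count", "Time Focused", "Last Updated", "Raw Data"]

# UserAssist subkeys: executables under CEBFF5CD..., shortcuts under F4E57C4B...
UA_EXE = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count"
UA_LNK = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count"

# Constructed rows: the real browser, its updater, a shortcut, and another browser.
ROWS = [
    ["0x8a0f2000", "ntuser.dat", UA_EXE, "2023-11-14 08:30:00.000000", "Value",
     r"%PROGRAMFILES%\BraveSoftware\Brave-Browser\Application\brave.exe",
     "0", "12", "45", "3:27:10.500000", "2023-11-14 08:29:50.000000", "N/A"],
    ["0x8a0f2000", "ntuser.dat", UA_EXE, "2023-11-14 08:30:00.000000", "Value",
     r"%PROGRAMFILES(X86)%\BraveSoftware\Update\BraveUpdate.exe",
     "0", "3", "0", "0:00:05.000000", "2023-11-13 21:10:00.000000", "N/A"],
    ["0x8a0f2000", "ntuser.dat", UA_LNK, "2023-11-14 08:30:00.000000", "Value",
     r"Brave.lnk", "0", "4", "0", "0:00:00", "2023-11-14 08:12:00.000000", "N/A"],
    ["0x8a0f2000", "ntuser.dat", UA_EXE, "2023-11-14 08:30:00.000000", "Value",
     r"%PROGRAMFILES%\Google\Chrome\Application\chrome.exe",
     "0", "30", "80", "1 day, 2:00:00", "2023-11-14 08:11:00.000000", "N/A"],
]
USERASSIST_OUTPUT = "\n".join(["\t".join(HEADER)] + ["\t".join(r) for r in ROWS]) + "\n"

# '3:27:10.500000' or '1 day, 2:00:00'; fractional seconds optional.
_TIMEDELTA = re.compile(r"^(?:(\d+) days?, )?(\d+):(\d{2}):(\d{2})(?:\.(\d+))?$")


def parse_table(text):
    """Header + rows -> list of dicts keyed by column name."""
    lines = [line for line in text.splitlines() if line.strip()]
    columns = lines[0].split("\t")
    return [dict(zip(columns, line.split("\t"))) for line in lines[1:]]


def focus_hours(time_focused):
    """Convert a 'Time Focused' string to hours as a float."""
    m = _TIMEDELTA.match(time_focused.strip())
    if not m:
        raise ValueError(f"unrecognised Time Focused value: {time_focused!r}")
    days, hours, minutes, seconds, frac = m.groups()
    total = int(days or 0) * 86400 + int(hours) * 3600 + int(minutes) * 60 + int(seconds)
    if frac:
        total += int(frac) / 10 ** len(frac)
    return total / 3600


def brave_focus_hours(rows):
    """Return (Name, hours) for UserAssist entries that are the Brave browser
    executable itself.  Assumption: anything with 'update' in the name or a
    .lnk suffix is the updater or a shortcut, which the question excludes."""
    hits = []
    for r in rows:
        name = r["Name"].lower()
        if "brave" not in name or "update" in name or name.endswith(".lnk"):
            continue
        hits.append((r["Name"], focus_hours(r["Time Focused"])))
    return hits


if __name__ == "__main__":
    for name, hours in brave_focus_hours(parse_table(USERASSIST_OUTPUT)):
        print(f"{name}: {hours:.2f} h")
```

On the real output, point parse_table() at the saved text file; whether the answer is rounded to whole hours is a matter of the challenge's answer format, so keep the float and round at the end.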