How to Use Volatility in Memory Forensics | TryHackMe Critical
The post provides a detailed overview of memory forensics, a key aspect of cybersecurity. It focuses on how volatile memory, particularly in Windows operating systems, can be analyzed during cyber incidents. We also solved the room TryHackMe Critical as part of SOC level 1 track.
Memory Forensics In Cyber Security
Memory Forensics: A subset of computer forensics that deals with analyzing the content of a system’s RAM (Random Access Memory) to understand what was happening on a machine at the time of compromise.
Importance of Memory Analysis: This analysis captures an immediate snapshot of active processes and applications, which is often critical in understanding attacks since data in RAM is lost upon reboot or shutdown.
Memory Acquisition Process: The process of copying live memory to a file, called a memory dump, is essential for preserving data for analysis. The video also discusses various tools like FTK Imager, lime, and OSF used to acquire memory depending on the OS (Windows, Linux, Mac).
Analyzing Memory Dumps: Using tools like Volatility (a memory forensics tool), users can extract key system information like the kernel base address, OS version, and active processes.
Key Plugins in Volatility: Several plugins help investigate network activities, processes, and file access. Plugins like windows.netstat and windows.pstree are highlighted for analyzing network connections and processes in a hierarchical manner.
Network Forensics: The video emphasizes the importance of analyzing active network connections, especially those that indicate ongoing remote sessions (like RDP), which attackers might use to control a machine.
Investigating Malicious Processes: Using Volatility’s plugins, viewers are shown how to identify malicious processes, trace their parent-child relationships, and look deeper into files and directories they accessed.
HTTP Requests and Attack Detection: The presenter showcases an investigation into HTTP requests captured in memory, revealing potential encryption key exchanges between an attacker’s server and the compromised machine.
Timestamp and File Access Analysis: The video demonstrates how to retrieve and analyze file timestamps to track when specific malicious files, such as a PDF document, were created and accessed.
Room Answers | TryHackMe Critical
Room answers can be found here.
