lhmdmv
10.05.2024, 08:37
1. What time was the RAM image acquired according to the suspect system? (YYYY-MM-DD HH:MM:SS)
python3 vol.py -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.info
https://forum.antichat.xyz/attachments/29111620/1715313934780.png
Answer: 2021-04-30 17:52:19
2. What is the SHA256 hash value of the RAM image?
sha256sum 20210430-Win10Home-20H2-64bit-memdump.mem
https://forum.antichat.xyz/attachments/29111620/1715314022224.png
Answer: 9db01b1e7b19a3b2113bfb65e860fffd7a1630bdf2b18613d206ebf2aa0ea172
3. What is the process ID of "brave.exe"?
python3 vol.py -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.pstree
https://forum.antichat.xyz/attachments/29111620/1715314133636.png
Answer: 4856
4. How many established network connections were there at the time of acquisition? (number)
python3 vol.py -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.netscan | grep "ESTABLISHED"
https://forum.antichat.xyz/attachments/29111620/1715314159083.png
Answer: 10
5. What FQDN does Chrome have an established network connection with?
python3 vol.py -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.netscan | grep "chrome"
https://forum.antichat.xyz/attachments/29111620/1715314191425.png
Next, the AbuseIPDB service can be used to look up the remote address.
https://forum.antichat.xyz/attachments/29111620/1715314249053.png
Answer: protonmail.ch
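Questions 4 and 5 both come down to filtering the windows.netscan table: counting rows whose State is ESTABLISHED, and listing the remote endpoints of one owning process. Grepping for "chrome" also matches CLOSE_WAIT and UDP rows, so it is safer to parse the columns and filter on State. The script below is an added example, not part of the original post or of Volatility; the SAMPLE_NETSCAN text is constructed in the tab-separated shape of Volatility 3 netscan output with documentation-range addresses and is not data from the image.

```python
from collections import Counter

# Constructed sample in the tab-separated shape of Volatility 3 `windows.netscan`
# output. Addresses use RFC 5737 documentation ranges; this is not data from the image.
SAMPLE_NETSCAN = """\
Volatility 3 Framework 2.5.0
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0xc00b1a2b3c40\tTCPv4\t192.0.2.5\t49712\t198.51.100.1\t443\tESTABLISHED\t4856\tbrave.exe\t2021-04-30 17:40:02.000000
0xc00b1a2b3d80\tTCPv4\t192.0.2.5\t49720\t198.51.100.2\t443\tESTABLISHED\t7512\tchrome.exe\t2021-04-30 17:41:15.000000
0xc00b1a2b3ec0\tTCPv4\t192.0.2.5\t49730\t203.0.113.9\t443\tCLOSE_WAIT\t7512\tchrome.exe\t2021-04-30 17:41:16.000000
0xc00b1a2b4000\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t908\tsvchost.exe\t2021-04-30 17:30:01.000000
0xc00b1a2b4140\tUDPv4\t0.0.0.0\t5353\t*\t0\t\t7512\tchrome.exe\t2021-04-30 17:41:20.000000
0xc00b1a2b4280\tTCPv4\t192.0.2.5\t49740\t198.51.100.1\t443\tESTABLISHED\t4856\tbrave.exe\t2021-04-30 17:42:07.000000
"""


def parse_netscan(text):
    """Turn raw netscan output into a list of dicts keyed by column name.
    Lines before the 'Offset ...' header (framework banner, progress) are skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    try:
        start = next(i for i, ln in enumerate(lines) if ln.startswith("Offset\t"))
    except StopIteration:
        raise ValueError("no netscan header found")
    header = lines[start].split("\t")
    rows = []
    for ln in lines[start + 1:]:
        fields = ln.split("\t")
        if len(fields) != len(header):
            continue  # truncated or malformed line: skip rather than misalign columns
        rows.append(dict(zip(header, fields)))
    return rows


def established(rows):
    """Only connections in ESTABLISHED state (UDP rows carry an empty State)."""
    return [r for r in rows if r["State"] == "ESTABLISHED"]


def established_per_process(rows):
    """How many established connections each process owns."""
    return Counter(r["Owner"] for r in established(rows))


def remote_endpoints(rows, process_name):
    """Distinct (remote address, remote port) pairs of one process's established connections;
    these addresses are what you then resolve or look up (reverse DNS, AbuseIPDB)."""
    name = process_name.lower()
    return sorted({(r["ForeignAddr"], int(r["ForeignPort"]))
                   for r in established(rows) if r["Owner"].lower() == name})


if __name__ == "__main__":
    # Against a real image: python3 vol.py -f image.mem windows.netscan > netscan.txt
    # and pass open("netscan.txt").read() instead of the sample.
    rows = parse_netscan(SAMPLE_NETSCAN)
    print("established connections:", len(established(rows)))
    print("per process:", dict(established_per_process(rows)))
    print("chrome.exe remote endpoints:", remote_endpoints(rows, "chrome.exe"))
```

Filtering on the State column rather than on a substring of the process name is what keeps the count honest: the sample deliberately includes a CLOSE_WAIT and a UDP row for chrome.exe that a plain grep would pick up.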
6. What is the MD5 hash value of process executable for PID 6988?
Dump the executable of the process with the given PID from the image in order to compute its MD5 hash:
python3 vol.py -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.pslist --pid 6988 --dump
md5sum pid.6988.0x1c0000.dmp
https://forum.antichat.xyz/attachments/29111620/1715315529684.png
Answer: 0b493d8e26f03ccd2060e0be85f430af
7. What is the word starting at offset 0x45BE876 with a length of 6 bytes?
xxd --seek 0x45BE876 20210430-Win10Home-20H2-64bit-memdump.mem | less
https://forum.antichat.xyz/attachments/29111620/1715314423718.png
Answer: hacker
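Questions 2 and 7 are both raw operations on the image file itself: hashing it to fix the evidence before analysis, and reading a handful of bytes at a physical offset (the number passed to xxd --seek is a file offset into the dump, not a virtual address). The script below is an added example and not part of the original post; sha256_file hashes in fixed-size chunks so a multi-gigabyte image is never loaded into memory, and read_at refuses a short read instead of silently returning fewer bytes near the end of the file. The demo builds a constructed, zero-filled stand-in image with the word "hacker" planted at an arbitrary offset; the offset, size and file name are assumptions for the demo, not values from the image.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB: memory images are multi-GB, never read them whole


def sha256_file(path, chunk_size=CHUNK_SIZE):
    """SHA-256 of a file computed in fixed-size chunks (constant memory use)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def read_at(path, offset, length):
    """Return exactly `length` bytes at raw file offset `offset`; reject short reads past EOF."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read(length)
    if len(data) != length:
        raise ValueError(f"only {len(data)} of {length} bytes available at {offset:#x}")
    return data


def word_at(path, offset, length):
    """Decode the bytes at `offset` as ASCII, as one would read them off the xxd dump."""
    return read_at(path, offset, length).decode("ascii", errors="replace")


def make_sample_image(path, size, offset, planted):
    """Constructed stand-in for a memory image: zero-filled, with `planted` written at `offset`."""
    with open(path, "wb") as fh:
        fh.truncate(size)  # extends the empty file with zero bytes
        fh.seek(offset)
        fh.write(planted)


def demo(size=0x20000, offset=0x1BE8, planted=b"hacker"):
    """Build the sample image, hash it and pull the planted word back out.
    The reference hash is computed in memory over the same bytes so the chunked
    implementation can be checked against it. All values here are constructed."""
    expected = bytearray(size)
    expected[offset:offset + len(planted)] = planted
    reference = hashlib.sha256(expected).hexdigest()

    tmp = tempfile.NamedTemporaryFile(suffix=".mem", delete=False)
    tmp.close()
    try:
        make_sample_image(tmp.name, size, offset, planted)
        result = {
            "sha256": sha256_file(tmp.name, chunk_size=4096),  # small chunk so several iterations run
            "reference_sha256": reference,
            "word": word_at(tmp.name, offset, len(planted)),
        }
        try:
            read_at(tmp.name, size - 2, 6)  # straddles EOF: must not silently return 2 bytes
            result["short_read_rejected"] = False
        except ValueError:
            result["short_read_rejected"] = True
    finally:
        os.remove(tmp.name)
    return result


if __name__ == "__main__":
    # Against a real image: sha256_file("image.mem") and word_at("image.mem", 0x45BE876, 6)
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Record the hash of the image before running any plugin against it and again when the analysis is finished; a mismatch means the evidence was altered in between, which is exactly what the question 2 step is for.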
8. What is the creation date and time of the parent process of "powershell.exe"? (YYYY-MM-DD HH:MM:SS)
python3 vol.py -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.pstree
https://forum.antichat.xyz/attachments/29111620/1715314467405.png
The parent process is explorer.exe.
Answer: 2021-04-30 17:39:48
9. What is the full path and name of the last file opened in notepad?
python3 vol.py -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.cmdline | grep "notepad"
https://forum.antichat.xyz/attachments/29111620/1715314682491.png
Answer: C:\Users\JOHNDO~1\AppData\Local\Temp\7zO4FB31F24\accountNum
10. How long did the suspect use Brave browser? (hh:mm:ss)
The UserAssist registry key records, among other things, the total time in seconds during which the application had focus.
python3 vol.py -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.registry.userassist | grep "Brave"
https://forum.antichat.xyz/attachments/29111620/1715315115312.png
Answer: 04:01:54