Brave Blue Team Challenge Write-Up
Category : Endpoint Forensics
LEVEL : Medium
Challenge Download Link : https://cyberdefenders.org/blueteam-ctf-challenges/enroll/67
Instructions:
- Unzip the challenge (pass: cyberdefenders.org)
Scenario
A memory image was taken from a seized Windows machine. As a security blue team analyst, analyze the image and answer the provided questions.
Tools: Volatility 3 (vol.py), sha256sum, xxd, strings
Q1-What time was the RAM image acquired according to the suspect system? (YYYY-MM-DD HH:MM:SS)
- Use the windows.info.Info plugin (Volatility 3) to get basic information about the memory dump, including the system time at which the image was acquired:
└─$ ./vol.py -f /Path/To/20210430-Win10Home-20H2-64bit-memdump.mem windows.info.Info
THE Answer : 2021-04-30 17:52:19
Q2-What is the SHA256 hash value of the RAM image?
- Easy, just use the sha256sum command:
└─$ sha256sum 20210430-Win10Home-20H2-64bit-memdump.mem
THE Answer : 9db01b1e7b19a3b2113bfb65e860fffd7a1630bdf2b18613d206ebf2aa0ea172
Q3-What is the process ID of “brave.exe”?
- Use the windows.pslist.PsList plugin to list all processes with their PIDs:
└─$ ./vol.py -f /PATH/To/20210430-Win10Home-20H2-64bit-memdump.mem windows.pslist.PsList
THE Answer : 4856
Q4-How many established network connections were there at the time of acquisition? (number)
- Use the windows.netscan.NetScan plugin to list network connections and grep for "established":
└─$ ./vol.py -f ~/Desktop/20210430-Win10Home-20H2-64bit-memdump.mem windows.netscan.NetScan | grep -i "established"
THE Answer : 10
Q5-What FQDN does Chrome have an established network connection with?
- From the question above we know there are 10 established connections, and one of them belongs to chrome.exe, so we do a reverse lookup on that connection's destination IP address:
THE Answer : protonmail.ch
Q6-What is the MD5 hash value of process executable for PID 6988?
- First we need to dump this process; I used the windows.pslist.PsList plugin with --dump for this, then computed the MD5 of the dumped executable:
└─$ ./vol.py -f ~/Desktop/20210430-Win10Home-20H2-64bit-memdump.mem windows.pslist.PsList --pid 6988 --dump
THE Answer : 0b493d8e26f03ccd2060e0be85f430af
Q7-What is the word starting at offset 0x45BE876 with a length of 6 bytes?
- Open the memory dump in any hex viewer and seek to the offset; here xxd is used:
└─$ xxd -s 0x45BE876 20210430-Win10Home-20H2-64bit-memdump.mem | less
THE Answer : hacker
Q8-What is the creation date and time of the parent process of “powershell.exe”? (YYYY-MM-DD HH:MM:SS)
- Use the windows.pstree.PsTree plugin and grep for "powershell.exe" with a few lines of context so the parent process and its creation time are visible:
└─$ ./vol.py -f ~/Desktop/20210430-Win10Home-20H2-64bit-memdump.mem windows.pstree.PsTree | grep powershell.exe -C 3
THE Answer : 2021-04-30 17:39:48
Q9-What is the full path and name of the last file opened in notepad?
- First we need to dump the notepad process memory using the windows.memmap.Memmap plugin:
└─$ ./vol.py -f ~/Desktop/20210430-Win10Home-20H2-64bit-memdump.mem windows.memmap.Memmap --pid 2520 --dump
- Now run strings on the dump and grep for "notepad.exe":
- Or we can use the windows.cmdline.CmdLine plugin and grep for "notepad":
THE Answer : C:\Users\JOHNDO~1\AppData\Local\Temp\7zO4FB31F24\accountNum
Q10-How long did the suspect use Brave browser? (hh:mm:ss)
- Use the windows.registry.userassist plugin to list the UserAssist keys. The plugin parses the UserAssist entries in the NTUSER.DAT hive, which record how long the Brave browser was in use (its focus time):
└─$ ./vol.py -f ~/Desktop/20210430-Win10Home-20H2-64bit-memdump.mem windows.registry.userassist | grep -i Brave
THE Answer : 04:01:54
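As an added example (not part of the write-up), this is what the userassist plugin does under the hood for Q10: the registry value name is ROT13-encoded, and the 72-byte value data holds the run count, focus count, focus time in milliseconds and the last-run FILETIME. The Brave entry below is constructed, not taken from the challenge image.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# UserAssist value layout on Windows 7 and later (72 bytes, little-endian):
#   0: session id   4: run count   8: focus count   12: focus time (ms)
#   16..56: ten floats   56: unknown   60: last-run FILETIME   68: padding
_LAYOUT = "<IIII10fIQI"
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601) to UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def fmt_hms(ms: int) -> str:
    """Render a millisecond count as hh:mm:ss, the format the challenge asks for."""
    hours, rem = divmod(ms // 1000, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}"


def parse_userassist(value_name: str, data: bytes) -> dict:
    """Decode one UserAssist value: ROT13 name plus the binary counters."""
    if len(data) != struct.calcsize(_LAYOUT):
        raise ValueError(f"expected 72-byte UserAssist value, got {len(data)}")
    fields = struct.unpack(_LAYOUT, data)
    _session, run_count, focus_count, focus_ms = fields[:4]
    last_run_ft = fields[15]  # after the four ints, ten floats and one unknown dword
    return {
        "path": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": fmt_hms(focus_ms),
        "last_run": filetime_to_datetime(last_run_ft),
    }


def build_sample():
    """Constructed Brave entry (hypothetical values, not from the challenge image)."""
    plain = r"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\BraveSoftware\Brave-Browser\Application\brave.exe"
    focus_ms = (4 * 3600 + 1 * 60 + 54) * 1000  # 04:01:54 of focus time
    last_run = datetime(2021, 4, 30, 17, 39, 0, tzinfo=timezone.utc)
    ft = int((last_run - _EPOCH_1601).total_seconds() * 10_000_000)
    data = struct.pack(_LAYOUT, 0, 7, 12, focus_ms, *([0.0] * 10), 0, ft, 0)
    return codecs.encode(plain, "rot_13"), data  # stored ROT13-encoded, as in the hive


if __name__ == "__main__":
    print(parse_userassist(*build_sample()))
```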
THE END
BY: Ahmed Nasser