Magnet Weekly CTF — Week 10

JR
Dec 14, 2020

I remember thinking last week that they hit a lot of the common memory analysis tasks with Volatility so I was thinking “I hope they give us a challenge on the next one”.

Question 1

The questions started off rather easy, asking about a connection to a Google server. I immediately figured this was going to be the netscan plugin in Volatility:

volatility -f memdump.mem --profile Win7SP1x64 netscan | grep ESTABLISHED

OK, so there are 4 possible answers, so I simply went through each one and did an IP address lookup:

I made sure to check the others out as well, but this was the only Google owned one.

Answer: 172.253.63.188:443

Question 2

Well, this was rather easy as the question simply asked for the associated local address and port. From the above screenshot you can very easily see that the answer is: 192.168.10.146:54282

Question 3

Question: What was the URL?

Well, this one was turning up the heat a bit. I didn’t know of any “stock” plugins that came with Volatility so I did a quick yarascan for “https” and got too many results. A quick Google landed me on this page: https://blog.superponible.com/2014/08/31/volatility-plugin-chrome-history/

This was both a blessing and a curse (see Question 5). But I was pleased at how easy it was to just download the plugin and have Volatility recognize it. Running the chromehistory plugin and grepping for the date of the memory dump yielded the following:

Sorry for the eyechart, can’t seem to blow it up more

When I got this list I tried to narrow it down based on timestamp, but then I realized there were several that weren’t close enough to the memory dump timestamp and only had a visit count of 1. Using this, I was able to whittle down the options to one URL, which was the answer:

Answer: https://www.google.com/

Question 4

This question asked who was the user responsible for that connection. Based on the Chrome history, it seemed obvious that the Warren user was all over the place so I figured that must be the user. I saw no indication of other users, and evidently that was the answer. I’m curious if there’s a more accurate way of determining the answer, but “Warren” was the correct answer.

Question 5

Question: How long was this user looking at this browser with this version of Chrome? *format: X:XX:XX.XXXXX * Hint: down to the last second

Fueled by my earlier success on Question 4, I figured I might be able to knock this one out pretty quick. Boy was I wrong.

I could just get to the solution and make it look like I got it quickly like this ctrlShiftEscape person:

He posted on Friday with only 3 solves at the time and solved in 45 minutes.

But let me take you on a little trip down the rabbit hole I was in.

The format and wording of the question led me down a path which I never fully recovered from. The chromevisits plugin from the earlier blog returned timestamps in a format that made me think it was the correct plugin for this question. Using this plugin and several others, I generated the following list of events and timestamps:

Computer shutdown:               2020-04-20 20:19:33 UTC+0000
Earliest chromevisit entry:      2020-04-20 20:23:55.902263
Earliest chromehistory:          2020-04-20 20:23:56.264731
Chrome Prefetch time:            2020-04-20 20:25:49 UTC+0000
Pslist chrome.exe timestamp:     2020-04-20 23:17:07 UTC+0000
Last updated registry key:       2020-04-20 23:17:13 UTC+0000
Latest visit/history timestamp:  2020-04-20 23:17:33.124246
Memory Acquisition:              2020-04-20 23:23:26.000000

From this, I assumed I could calculate the time spent in Chrome as accurately as possible. My first guess was to use the prefetch timestamp and the memory acquisition timestamp, which yielded: 2:59:30.097737

Only one digit too many, but I thought the hint about “down to the last second” was a clue about rounding down. Nope.

Then I went deeper into the rabbit hole.

Me a few hours later

I tried every single combination that made sense and got the following:

2:59:30.09773  -- nope
2:53:36.859515 -- nope
2:59:29.735269 -- nope
2:53:37.221983 -- nope
2:57:37.0000   -- nope

I knew I had to be close as I kept coming up with similar answers, something just shy of 3 hours.

Finally I asked in the Discord if it was even possible in Volatility as Jessica Hyde had claimed that in AXIOM it was “just there”.

With it confirmed that Volatility alone could be used to answer it, and armed with the knowledge that the wording was confusing (there was a decent discussion about it in the Discord) and that some folks had solved it rather quickly, I knew I must have been barking up the wrong tree. I took a step back and just started going through plugins one by one, and while doing some Googling I ran into this blog: https://www.andreafortuna.org/2017/07/31/volatility-my-own-cheatsheet-part-6-windows-registry/

Then I saw it.

Userassist. The only plugin related to program execution that I had overlooked. And when I saw the output I knew I had wasted several hours trying to find the right combination of timestamps. Ugh.

So here you have it:

volatility -f memdump.mem --profile Win7SP1x64 userassist

All that time. And it came down to one line. A little grep for Chrome and Voila!

I had no idea the userassist key contained the “Time Focused” metric, which was really neat to learn. But boy was I annoyed that this whole time it had been right in front of me.
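To show where that “Time Focused” number actually comes from, here is an added example (not code from the post or from Volatility) that decodes a single Windows 7 UserAssist registry value the way the userassist plugin does: ROT13 value name, run count, focus count, focus time in milliseconds, and the FILETIME at offset 0x3C. The sample value and its known-folder GUID are constructed; only the byte layout is Volatility’s.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7 UserAssist value layout (72 bytes) as Volatility's userassist
# plugin reads it: session id, run count, focus count, focus time in ms,
# ten floats, 4 unknown bytes, FILETIME "last updated" at 0x3C, 4 unknown.
UA_SIZE = 72
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def format_focus_time(ms: int) -> str:
    """Render focus time in the CTF's X:XX:XX.XXXXX form (5 fractional digits)."""
    hours, rem = divmod(ms, 3_600_000)
    minutes, rem = divmod(rem, 60_000)
    seconds, millis = divmod(rem, 1_000)
    return f"{hours}:{minutes:02d}:{seconds:02d}.{millis:03d}00"


def parse_userassist(name: str, raw: bytes) -> dict:
    """Decode a ROT13 value name and its 72-byte Win7 binary payload."""
    if len(raw) != UA_SIZE:
        raise ValueError(f"expected {UA_SIZE} bytes, got {len(raw)}")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", raw, 0)
    (last_updated,) = struct.unpack_from("<Q", raw, 0x3C)
    return {
        "name": codecs.decode(name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "time_focused": format_focus_time(focus_ms),                # CTF answer format
        "time_focused_raw": str(timedelta(milliseconds=focus_ms)),  # as Volatility prints it
        "last_updated": filetime_to_datetime(last_updated),
    }


# Constructed sample (not from the CTF image): ROT13 name with a placeholder
# known-folder GUID, 14 runs, 9 focus events, 3:36:47.301 focused, last
# updated 2020-04-20 23:17:13 UTC.
SAMPLE_NAME = r"{XABJASBYQRE-THVQ}\Tbbtyr\Puebzr\Nccyvpngvba\puebzr.rkr"
_LAST = datetime(2020, 4, 20, 23, 17, 13, tzinfo=timezone.utc)
_FT = (_LAST - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
SAMPLE_RAW = (struct.pack("<4I", 0, 14, 9, 13_007_301) + bytes(40) + bytes(4)
              + struct.pack("<Q", _FT) + bytes(4))

if __name__ == "__main__":
    for key, val in parse_userassist(SAMPLE_NAME, SAMPLE_RAW).items():
        print(f"{key:>17}: {val}")
```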

Answer: 3:36:47.30100
