Challenge 10 Part 1 – 15pts
At the time of the RAM collection there was an established connection to a Google Server. What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”
Looking at the reference page for commands, the main command useful for Windows 7 profiles is netscan
. This command “finds TCP endpoints, TCP listeners, UDP endpoints, and UDP listeners. It distinguishes between IPv4 and IPv6, prints the local and remote IP (if applicable), the local and remote port (if applicable), the time when the socket was bound or when the connection was established, and the current state (for TCP connections only).” Using grep, we can parse the output for only connections with the ESTABLISHED
flag.
1
2
3
4
5
6
> volatility -f memdump.mem --profile=Win7SP0x64 netscan | grep ESTABLISHED
Volatility Foundation Volatility Framework 2.6
0x13d48f540 TCPv4 192.168.10.146:54279 151.101.116.106:443 ESTABLISHED -1
0x13ec87cd0 TCPv4 192.168.10.146:54282 172.253.63.188:443 ESTABLISHED -1
0x13ece73b0 TCPv4 192.168.10.146:54281 13.35.82.31:443 ESTABLISHED -1
0x13ecf8010 TCPv4 192.168.10.146:54280 13.35.82.102:443 ESTABLISHED -1
Then the Linux whois
command can be used to check who owns the addresses returned. In this case, the second address is owned by Google.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
> whois 172.253.63.188
NetRange: 172.253.0.0 - 172.253.255.255
CIDR: 172.253.0.0/16
NetName: GOOGLE
NetHandle: NET-172-253-0-0-1
Parent: NET172 (NET-172-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS15169
Organization: Google LLC (GOGL)
RegDate: 2013-04-04
Updated: 2013-04-04
Ref: https://rdap.arin.net/registry/ip/172.253.0.0
OrgName: Google LLC
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2000-03-30
Updated: 2019-10-31
Comment: Please note that the recommended way to file abuse complaints are located in the following links.
Comment:
Comment: To report abuse and illegal activity: https://www.google.com/contact/
Comment:
Comment: For legal requests: http://support.google.com/legal
Comment:
Comment: Regards,
Comment: The Google Team
Ref: https://rdap.arin.net/registry/entity/GOGL
The correct answer to this challenge is 172.253.63.188:443
.
Challenge 10 Part 2 – 15pts
What was the Local IP address and port number? same format as part 1.
The answer to this challenge is also shown above on the same line as the last answer in the netscan
output. The answer is 192.168.10.146:54282
.
Challenge 10 Part 3 – 10pts
What was the URL?
Hm. Before trying to extract any Chrome history files from the memory dump, I searched to see if there were any plugins that could automatically recover the history. We know Chrome was open when the image was created and we need the URL closest to that time. This GitHub repo includes a plugin called chromehistroy
that attempts to recover URLs, titles, times, and other information. Using the imageinfo
, we know the date the image was processed (2020-04-20 23:23:26). We can grep for that day making sure to use -a
to parse binary data as text due to the output formatting.
1
2
3
4
5
6
7
8
9
10
11
12
13
> volatility --plugins=volatility-plugins -f memdump.mem --profile=Win7SP1x64 chromehistory | grep -a '2020-04-20'
Volatility Foundation Volatility Framework 2.6
316 https://myaccount.google.com/accounts/S...7Tvn4UuSh52LjamQbhxd1cs3HXAE8kXh9vRFAg Google Account 1 0 2020-04-20 20:24:47.494432 N/A
314 https://accounts.google.com/AccountChoo...%3Futm_source%3Dchrome-profile-chooser Google Account 1 0 2020-04-20 20:24:47.494432 N/A
317 https://myaccount.google.com/?utm_source=chrome-profile-chooser&pli=1 Google Account 3 0 2020-04-20 23:17:31.577179 N/A
310 https://accounts.google.com/CheckCookie...Y0Nw58kMWKsff7unbUvALH2XEg&gidl=EgIIAA Google 1 0 2020-04-20 20:24:38.839800 N/A
315 https://accounts.google.com/ServiceLogi...oser&sacu=1&passive=1209600&authuser=0 Google Account 1 0 2020-04-20 20:24:47.494432 N/A
313 https://www.google.com/ Google 3 0 2020-04-20 23:17:33.124246 N/A
312 https://accounts.google.com/signin/chro...KkPjA8gTgn_TY0Nw58kMWKsff7unbUvALH2XEg Google 1 0 2020-04-20 20:24:38.839800 N/A
311 https://accounts.youtube.com/accounts/S...gTgn_TY0Nw58kMWKsff7unbUvALH2XEg&tcc=1 Google 1 0 2020-04-20 20:24:38.839800 N/A
309 https://accounts.google.com/signin/v2/c...AnlkPinzwtk7y95PtmKf6zRC-RpnA60VS1IJLP Sign in - Google Accounts 1 0 2020-04-20 20:23:58.462223 N/A
308 https://accounts.google.com/signin/chro....com%2F&flowName=GlifDesktopChromeSync Sign in - Google Accounts 1 0 2020-04-20 20:23:56.325236 N/A
307 https://accounts.google.com/signin/chro...ntinue=https%3A%2F%2Fwww.google.com%2F Sign in - Google Accounts 2 0 2020-04-20 20:23:56.264731 N/A
The URL that was visited closest to that time is https://www.google.com/
and is the solution to this challenge.
Challenge 10 Part 4 – 5pts
What user was responsible for this activity based on the profile?
Throughout the history and rest of the image, multiple references are made to the user Warren
. And I believe a question last week asked a similar question.
Challenge 10 Part 5 – 10pts
How long was this user looking at this browser with this version of Chrome? Format: X:XX:XX.XXXXX
Hm. Again, checking the reference page, a section titled userassist can be found. Looking at the example output, this command can show the length of time a window was in focus. Running the plugin and a grep for Chrome shows us the answer. Kinda.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
volatility -f memdump.mem --profile=Win7SP0x64 userassist | grep 'Chrome' -B 5 -A 5Volatility Foundation Volatility Framework 2.6
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00 ................
0x00000040 00 00 00 00 00 00 00 00 ........
REG_BINARY Chrome :
Count: 9
Focus Count: 106
Time Focused: 3:36:47.301000
Last updated: 2020-04-20 23:17:07 UTC+0000
Raw Data:
--
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 70 b3 dc 43 ............p..C
0x00000040 6f e3 d5 01 00 00 00 00 o.......
Entering 3:36:47.301000
as the solution returns that it is incorrect. However, looking closely at the format required by the solution reveals that the answer requires only 5 decimal places in the seconds, whereas the userassist
command retruns six places. Sneaky Magnet, sneaky….
The correct solution is 3:36:47.30100
.