Congratulations Berthier, thanks to your help the computer has been identified. You have requested a memory dump but before starting your analysis you wanted to take a look at the antivirus’ logs. Unfortunately, you forgot to write down the workstation’s hostname. But since you have its memory dump you should be able to get it back!
The validation flag is the workstation’s hostname.
The uncompressed memory dump md5 hash is e3a902d4d44e0f7bd9cb29865e0a15de
So, we need to recover the workstation's hostname from the memory dump. Windows keeps the computer name in the SYSTEM registry hive, and the hive is still resident in memory, so Volatility 3 can read it straight from the dump.
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3/
python3 vol.py -h
Once Volatility 3 and its Python requirements are installed, extract the evidence archive, verify that the uncompressed dump's MD5 matches the hash given in the challenge, and run the info plugin to confirm the image is recognised (OS version and profile):
python3 vol.py -f ch2.dmp windows.info.Info


The Windows Registry is a database where Windows stores important settings for both the system and applications.
A “registry hive” is a group of keys, subkeys, and values organized in this database.
The computer name is stored in the SYSTEM hive, so the first step is to list the hives present in memory and note the virtual offset of the SYSTEM hive:
python3 vol.py -f ch2.dmp windows.registry.hivelist.HiveList


The output lists \REGISTRY\MACHINE\SYSTEM together with its offset. To read one key from that hive we use the windows.registry.printkey.PrintKey plugin, which takes the hive offset and a key path relative to the hive root. The computer name is stored under ControlSet001\Control\ComputerName\ComputerName, in a REG_SZ value named ComputerName. One caveat: ControlSet001 is normally the control set Windows booted with, but the authoritative answer is the Current value of the hive's Select key (Current = 1 means ControlSet001); if it points elsewhere, substitute that ControlSetNNN in the path.
With the hive offset and the key path in hand, the plugin returns the computer name (note the double-dash options and plain quotes; the curly quotes and en-dashes that some blog themes produce will break the command):
python3 vol.py -f ch2.dmp windows.registry.printkey.PrintKey --offset 0x8b21c008 --key 'ControlSet001\Control\ComputerName\ComputerName'

Flag – WIN-ETSA91RKCFP
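The three steps above (list hives, locate the SYSTEM hive, read the ComputerName key) can be chained into one script. The shell script below is an added example, not part of the original write-up; it parses the tab-separated output that Volatility 3 prints, picks the live control set from the Select key instead of assuming ControlSet001, and falls back to ControlSet001 if the Select key cannot be read. The paths to vol.py and the dump are passed as arguments (assumed layout), and the sample_* functions emit constructed output lines, modelled on the real plugin format, so the parsers can be exercised without a dump.

```shell
#!/bin/sh
# Added example: automate the hostname lookup with Volatility 3.
# Usage: ./hostname.sh volatility3/vol.py ch2.dmp   (paths are assumptions)
set -eu

# Read `windows.registry.hivelist` output on stdin and print the offset of the
# SYSTEM hive. Volatility 3 prints tab-separated columns: Offset, FileFullPath,
# File output. Matches both \REGISTRY\MACHINE\SYSTEM and ...\config\SYSTEM.
system_hive_offset() {
    awk -F'\t' '$1 ~ /^0x/ {
        p = $2; sub(/[ \t\r]+$/, "", p)
        if (toupper(p) ~ /\\SYSTEM$/) { print $1; exit }
    }'
}

# Read `windows.registry.printkey --key Select` output on stdin and print the
# live control set name, e.g. ControlSet001 (Current is a REG_DWORD).
current_control_set() {
    awk -F'\t' '$3 == "REG_DWORD" && $4 == "Select" && $5 == "Current" {
        printf "ControlSet%03d\n", $6; exit
    }'
}

# Read `windows.registry.printkey` output for the ComputerName key on stdin and
# print the REG_SZ data of the ComputerName value with its quotes stripped.
computer_name() {
    awk -F'\t' '$3 == "REG_SZ" && $5 == "ComputerName" {
        d = $6; sub(/[ \t\r]+$/, "", d); gsub(/^"|"$/, "", d); print d; exit
    }'
}

# Full pipeline against a real dump: $1 = path to vol.py, $2 = memory image.
find_hostname() {
    vol="$1"; dump="$2"
    sys_off=$(python3 "$vol" -f "$dump" windows.registry.hivelist | system_hive_offset)
    [ -n "$sys_off" ] || { echo "SYSTEM hive not found" >&2; return 1; }
    cs=$(python3 "$vol" -f "$dump" windows.registry.printkey \
            --offset "$sys_off" --key 'Select' | current_control_set || true)
    cs=${cs:-ControlSet001}   # fall back if the Select key is unreadable
    python3 "$vol" -f "$dump" windows.registry.printkey --offset "$sys_off" \
        --key "${cs}\\Control\\ComputerName\\ComputerName" | computer_name
}

# Constructed sample output (not from a real dump) in Volatility 3's format,
# used to exercise the parsers offline.
sample_hivelist() {
    printf 'Offset\tFileFullPath\tFile output\n\n'
    printf '0x8b23a9c8\t\\REGISTRY\\MACHINE\\HARDWARE\tDisabled\n'
    printf '0x8b21c008\t\\REGISTRY\\MACHINE\\SYSTEM\tDisabled\n'
}
sample_printkey_select() {
    printf 'Last Write Time\tHive Offset\tType\tKey\tName\tData\tVolatile\n\n'
    printf '2016-10-02 13:29:35.000000\t0x8b21c008\tREG_DWORD\tSelect\tCurrent\t1\tFalse\n'
    printf '2016-10-02 13:29:35.000000\t0x8b21c008\tREG_DWORD\tSelect\tDefault\t1\tFalse\n'
}
sample_printkey_computername() {
    printf 'Last Write Time\tHive Offset\tType\tKey\tName\tData\tVolatile\n\n'
    printf '2016-10-02 13:29:35.000000\t0x8b21c008\tREG_SZ\tControlSet001\\Control\\ComputerName\\ComputerName\tComputerName\t"WIN-ETSA91RKCFP"\tFalse\n'
}

# Run the live pipeline only when both paths are given on the command line.
if [ $# -eq 2 ]; then
    find_hostname "$1" "$2"
fi
```

Reading the Select key first matters on images where a failed boot or a restore has made ControlSet002 the live set; in that case the ComputerName value under ControlSet001 may be stale or absent while the hostname the antivirus logged is the one under the current set.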