# S038 Memory Analysis

There are 2 compressed archives we have access to, `S038` and `S039`, both containing a wealth of live-response data. This notebook covers the contents of `S038`.

## Where Things Are Initially

We're in the position of junior incident responders. We have a collection of memory and disk images from a company that thinks it may have been compromised. Our task is to determine:
* Who
* What
* Where
* When
* Why

This is to be done (preferably) by examining the memory images and referencing the disk images when necessary.

Our evidence is spread across 2 folders: `S038` and `S039`.

In [2]:
ls ../

IR_Final
S038
S038.7z
S039
S039.7z


Each folder contains 2 subfolders:
* Memory: A collection of `.vmem` and `.vmss` files for each system.
* Triage: KAPE triage results.

In [3]:
ls ../S038

Memory
Triage


In [4]:
ls ../S038/Memory

ACC-02-dc8be79d.vmem
ACC-02-dc8be79d.vmss
ACC-02_27_files.zip
ACC-04-0f3b7e88.vmem
ACC-04-0f3b7e88.vmss
ACC-04_18_files.zip
ACC-06-0f3c9744.vmem
ACC-06-0f3c9744.vmss
ACC-06_12_files.zip
SAL-05-1c4475fd.vmem
SAL-05-1c4475fd.vmss
SAL-05_13_files.zip
SAL-09-e9982959.vmem
SAL-09-e9982959.vmss
SAL-09_23_files.zip


In [5]:
ls ../S038/Triage

All Windows.KapeFiles.Targets
HuntDetails
clients
triage.zip


As we aren't told which machine was infected first, a decent starting point is to examine one of the hosts, looking for anything suspicious. If nothing is found on one host, we can move on to the next. If something suspicious is found, we can check the other hosts to see whether the same indicators are present there. As hosts are examined, we can build a list of actionable leads.

Let's start by examining `ACC-02-dc8be79d.vmem` with the Volatility 2 plugin `imageinfo`.

In [7]:
../../volatility_2.6_mac64_standalone/volatility_2.6_mac64_standalone -f ../S038/Memory/ACC-02-dc8be79d.vmem imageinfo

Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : VMWareMetaAddressSpace (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/Users/matthewrobinson/Documents/CYBS514/final_project/S038/Memory/ACC-02-dc8be79d.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c450a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c46d00L
                KPCR for CPU 1 : 0xfffff880009ef000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2021-06-16 13:08:41 UTC+0000
     Image local date and time : 2021-06-16 0

From the results, we can see that the first suggested profile is `Win7SP1x64`, indicating the image was taken from a Windows 7 machine. The image creation date and time is `2021-06-16 13:08:41 UTC+0000`.

Let's check what processes were present.

In [8]:
../../volatility_2.6_mac64_standalone/volatility_2.6_mac64_standalone --profile=Win7SP1x64 -f ../S038/Memory/ACC-02-dc8be79d.vmem pslist

Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8003c78b30 System                    4      0     90      521 ------      0 2021-06-15 13:20:03 UTC+0000                                 
0xfffffa80053a0040 smss.exe                276      4      2       30 ------      0 2021-06-15 13:20:03 UTC+0000                                 
0xfffffa8005c164f0 csrss.exe               356    348      9      731      0      0 2021-06-15 13:20:04 UTC+0000                                 
0xfffffa8005e363b0 wininit.exe             408    348      3       77      0      0 2021-06-15 13:20:04 UTC+0000                                 
0xfffffa8005e407f0 csrss.exe               424    400     12      447      1 

0xfffffa8004f9d060 iexplore.exe           5884   5352      0 --------      1      0 2021-06-15 16:48:30 UTC+0000   2021-06-15 17:33:15 UTC+0000  
0xfffffa8004f92b30 HelpPane.exe           1796    648      7      262      1      0 2021-06-15 16:53:51 UTC+0000                                 
0xfffffa8004124930 python.exe             5320   1536      0 --------      0      0 2021-06-15 17:20:18 UTC+0000   2021-06-15 17:20:21 UTC+0000  
0xfffffa800426b1c0 python.exe             5372   1536      0 --------      0      0 2021-06-15 18:20:18 UTC+0000   2021-06-15 18:20:20 UTC+0000  
0xfffffa8004c17060 calc.exe                628   2648      3       75      1      0 2021-06-15 18:54:15 UTC+0000                                 
0xfffffa8004f6fa30 calc.exe               5668   2648      3       75      1      0 2021-06-15 19:15:33 UTC+0000                                 
0xfffffa80046382e0 python.exe             5476   1536      0 --------      0      0 2021-06-15 19:20:18 UTC+0000   2021-06-1

In [1]:
../../volatility_2.6_mac64_standalone/volatility_2.6_mac64_standalone --profile=Win7SP1x64 -f ../S038/Memory/ACC-02-dc8be79d.vmem pstree

Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8005c164f0:csrss.exe                         356    348      9    731 2021-06-15 13:20:04 UTC+0000
. 0xfffffa80062d0730:conhost.exe                     1544    356      2     35 2021-06-15 13:20:05 UTC+0000
. 0xfffffa80063682f0:conhost.exe                     2556    356      2     32 2021-06-15 13:20:12 UTC+0000
 0xfffffa8005e363b0:wininit.exe                       408    348      3     77 2021-06-15 13:20:04 UTC+0000
. 0xfffffa8005ee0730:lsass.exe                        528    408      8    818 2021-06-15 13:20:04 UTC+0000
. 0xfffffa8005ebd950:lsm.exe                          536    408     10    200 2021-06-15 13:20:04 UTC+0000
. 0xfffffa8006190630:services.exe                     496    408      6    255 2021-06-15 13:20:04 UTC+0000
.. 0xfffffa80051b2610:winlogb

. 0xfffffa8003f5fb30:conhost.exe                     4696    424      2     51 2021-06-15 21:08:49 UTC+0000
. 0xfffffa8004f8b060:conhost.exe                     1692    424      2     51 2021-06-15 21:08:49 UTC+0000
 0xfffffa800617f060:winlogon.exe                      476    400      3    124 2021-06-15 13:20:04 UTC+0000
 0xfffffa80061c42f0:explorer.exe                     2648   1956     25    989 2021-06-15 13:20:18 UTC+0000
. 0xfffffa8004f6fa30:calc.exe                        5668   2648      3     75 2021-06-15 19:15:33 UTC+0000
. 0xfffffa8004b85b30:POWERPNT.EXE                    3088   2648     10    526 2021-06-15 21:08:28 UTC+0000
.. 0xfffffa80050dcb30:splwow64.exe                   4752   3088      7     78 2021-06-15 21:08:28 UTC+0000
. 0xfffffa80068b2060:calc.exe                        1608   2648      3     75 2021-06-15 20:47:58 UTC+0000
. 0xfffffa8004c17060:calc.exe                         628   2648      3     75 2021-06-15 18:54:15 UTC+0000
. 0xfffffa80066cea00:user.ex

Many of these processes look normal, but quite a few are eye-catching. First off, the number of Python processes running on this host seems odd. Let's choose one of these processes and dump its handles to see if we can find anything unusual.
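The observation that the Python processes look odd can be made systematically rather than by eye. The following script is an added example and not part of this notebook or of Volatility: it parses `pslist`-style rows (a constructed sample modelled on the listing above, in which the row for the parent `python.exe` PID 1536 and its parent PID 496 are hypothetical, since the capture only shows 1536 as a PPID), rebuilds the parent/child tree the way `pstree` lays it out, and reports processes that exited within seconds of starting and same-named children of one parent that start at a constant interval.

```python
"""Parse Volatility 2 pslist output and flag process-tree anomalies (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample modelled on the notebook's pslist output. The python.exe row
# for PID 1536 and its parent PID 496 are hypothetical; the real capture only
# shows 1536 as the PPID of the short-lived python.exe children.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8003c78b30 System                    4      0     90      521 ------      0 2021-06-15 13:20:03 UTC+0000
0xfffffa8005e363b0 wininit.exe             408    348      3       77      0      0 2021-06-15 13:20:04 UTC+0000
0xfffffa8006190630 services.exe            496    408      6      255      0      0 2021-06-15 13:20:04 UTC+0000
0xfffffa8000000001 python.exe             1536    496      9      900      0      0 2021-06-15 13:21:00 UTC+0000
0xfffffa80061c42f0 explorer.exe           2648   1956     25      989      1      0 2021-06-15 13:20:18 UTC+0000
0xfffffa8004124930 python.exe             5320   1536      0 --------      0      0 2021-06-15 17:20:18 UTC+0000   2021-06-15 17:20:21 UTC+0000
0xfffffa800426b1c0 python.exe             5372   1536      0 --------      0      0 2021-06-15 18:20:18 UTC+0000   2021-06-15 18:20:20 UTC+0000
0xfffffa80046382e0 python.exe             5476   1536      0 --------      0      0 2021-06-15 19:20:18 UTC+0000   2021-06-15 19:20:22 UTC+0000
0xfffffa8004c17060 calc.exe                628   2648      3       75      1      0 2021-06-15 18:54:15 UTC+0000
0xfffffa8004f6fa30 calc.exe               5668   2648      3       75      1      0 2021-06-15 19:15:33 UTC+0000
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
# Hnds and Sess may be dashes ('--------' for an exited process, '------' for session-less ones).
ROW = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+|-+)\s+(?P<sess>\d+|-+)\s+(?P<wow64>\d+)\s+"
    rf"(?P<start>{TS}) UTC\+0000(?:\s+(?P<exit>{TS}) UTC\+0000)?\s*$"
)


@dataclass
class Proc:
    offset: str
    name: str
    pid: int
    ppid: int
    threads: int
    handles: Optional[int]     # None when pslist prints '--------' (process has exited)
    start: datetime
    exit: Optional[datetime]   # None while the process is still running

    @property
    def lifetime_s(self) -> Optional[float]:
        """Seconds between start and exit, or None if still running."""
        return None if self.exit is None else (self.exit - self.start).total_seconds()


def parse_pslist(text: str) -> list[Proc]:
    """Turn pslist rows into Proc records; banner, header and separator lines are skipped."""
    fmt = "%Y-%m-%d %H:%M:%S"
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        g = m.groupdict()
        procs.append(Proc(
            offset=g["offset"], name=g["name"], pid=int(g["pid"]), ppid=int(g["ppid"]),
            threads=int(g["thds"]),
            handles=None if g["hnds"].startswith("-") else int(g["hnds"]),
            start=datetime.strptime(g["start"], fmt),
            exit=None if g["exit"] is None else datetime.strptime(g["exit"], fmt),
        ))
    return procs


def render_tree(procs: list[Proc]) -> list[str]:
    """Rebuild pstree's layout from pslist data: one '.' per level below a root."""
    by_pid = {p.pid: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    lines: list[str] = []

    def walk(p: Proc, depth: int) -> None:
        lines.append(f"{'.' * depth} {p.name}({p.pid})")
        for child in sorted(children[p.pid], key=lambda c: c.start):
            walk(child, depth + 1)

    # A root is any process whose parent is absent from the listing (System, or an exited parent).
    for root in sorted((p for p in procs if p.ppid not in by_pid), key=lambda p: p.pid):
        walk(root, 0)
    return lines


def short_lived(procs: list[Proc], max_seconds: float = 10) -> list[Proc]:
    """Processes that exited within max_seconds of starting: worth a look when they repeat."""
    return [p for p in procs if p.lifetime_s is not None and p.lifetime_s <= max_seconds]


def find_periodic(procs: list[Proc], min_runs: int = 3) -> dict[tuple[str, int], float]:
    """Same-named children of one parent whose start times are equally spaced.

    Returns {(name, ppid): interval_seconds}. A constant gap is the footprint of
    scheduled execution rather than interactive use.
    """
    groups: dict[tuple[str, int], list[Proc]] = defaultdict(list)
    for p in procs:
        groups[(p.name, p.ppid)].append(p)
    hits = {}
    for key, members in groups.items():
        if len(members) < min_runs:
            continue
        members.sort(key=lambda p: p.start)
        gaps = {(b.start - a.start).total_seconds() for a, b in zip(members, members[1:])}
        if len(gaps) == 1:
            hits[key] = gaps.pop()
    return hits


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("\n".join(render_tree(procs)))
    print("short-lived:", [(p.name, p.pid, p.lifetime_s) for p in short_lived(procs)])
    print("periodic:", find_periodic(procs))
```

On the sample the three `python.exe` children of PID 1536 each live two to four seconds and start exactly 3600 seconds apart, which is the kind of pattern worth correlating against scheduled tasks and services in the KAPE triage data rather than judging from the process list alone.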

In [4]:
../../volatility_2.6_mac64_standalone/volatility_2.6_mac64_standalone --profile=Win7SP1x64 -f ../S038/Memory/ACC-02-dc8be79d.vmem handles -p 3944

Volatility Foundation Volatility Framework 2.6
Offset(V)             Pid             Handle             Access Type             Details
------------------ ------ ------------------ ------------------ ---------------- -------


No handles; that's interesting. In fact, running the same command on any of the nested Python processes (depth 3) doesn't yield any handles. Let's try again on the parent Python process.

In [5]:
../../volatility_2.6_mac64_standalone/volatility_2.6_mac64_standalone --profile=Win7SP1x64 -f ../S038/Memory/ACC-02-dc8be79d.vmem handles -p 1536

Volatility Foundation Volatility Framework 2.6
Offset(V)             Pid             Handle             Access Type             Details
------------------ ------ ------------------ ------------------ ---------------- -------
0xfffff8a001679b60   1536                0x4                0x9 Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS
0xfffff8a000ae1400   1536                0x8                0x3 Directory        KnownDlls
0xfffffa80066e1370   1536                0xc           0x100020 File             \Device\HarddiskVolume1\salt\bin
0xfffffa80066f63d0   1536               0x10           0x1f0003 Event            
0xfffffa80062c05a0   1536               0x14           0x100020 File             \Device\HarddiskVolume1\Windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251
0xfffffa800601b070   1536               0x18           0x1f0001 ALPC Port        
0xfffffa800637ea70   1536               0x1c

0xfffffa80062dbfe0   1536              0x160           0x1f0003 Event            
0xfffffa80062dbf60   1536              0x164           0x1f0003 Event            
0xfffffa80062dbee0   1536              0x168           0x1f0003 Event            
0xfffffa80062dbe60   1536              0x16c           0x1f0003 Event            
0xfffffa80062dbde0   1536              0x170           0x1f0003 Event            
0xfffffa80062dbd60   1536              0x174           0x1f0003 Event            
0xfffffa80062dbce0   1536              0x178           0x1f0003 Event            
0xfffffa80061e9760   1536              0x17c           0x1f0003 Event            
0xfffffa80063801b0   1536              0x180           0x1f0003 Event            
0xfffffa8006742c70   1536              0x184           0x100001 File             \Device\KsecDD
0xfffffa80067b06f0   1536              0x188           0x1f0003 Event            
0xfffffa8005e9f5f0   1536              0x18c           0x1f0003 Event            
0x

0xfffffa80048d1800   1536              0x2dc           0x1fffff Process          python.exe(3644)
0xfffffa8006910450   1536              0x2e0           0x100003 Event            
0xfffffa8006912cc0   1536              0x2e4           0x120089 File             \Device\HarddiskVolume1\Windows\System32\wbem\wbemdisp.tlb
0xfffff8a001bf4ba0   1536              0x2e8            0xf0005 Section          
0xfffffa80060ae060   1536              0x2ec           0x1fffff Process          python.exe(4024)
0xfffffa8004c4f400   1536              0x2f4           0x1fffff Process          python.exe(860)
0xfffffa8003f60590   1536              0x2f8           0x1fffff Process          python.exe(1600)
0xfffffa800672ad00   1536              0x2fc           0x1f0003 Event            
0xfffff8a00031cca0   1536              0x300            0x20019 Key              MACHINE\SYSTEM\CONTROLSET001\SERVICES\CRYPT32
0xfffffa80053bacc0   1536              0x304              0x804 EtwRegistration  
0xfffffa800692

0xfffffa8004f36b30   1536              0x458           0x1fffff Process          python.exe(2828)
0xfffffa8006f010f0   1536              0x45c           0x120089 File             \Device\HarddiskVolume1\Windows\System32\stdole2.tlb
0xfffff8a000fb5630   1536              0x460            0xf0005 Section          
0xfffffa800425c980   1536              0x464           0x1fffff Process          python.exe(4456)
0xfffffa8006aaeb50   1536              0x468           0x1f0003 Event            
0xfffffa8006e908f0   1536              0x46c           0x1fffff Thread           TID 1536 PID 115936408
0xfffffa8003e26690   1536              0x470           0x1fffff Thread           TID 1536 PID 65169976
0xfffffa8006e5ff20   1536              0x474           0x16019f File             \Device\Afd\Endpoint
0xfffffa8006e2add0   1536              0x478           0x16019f File             \Device\Afd\Endpoint
0xfffffa8006d60980   1536              0x47c           0x16019f File             \Device\Afd\En

Nothing out of the ordinary yet; let's move on to another process for now.
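A `handles` listing is easier to judge when it is summarised than when it is read row by row. The following script is an added example, not part of the notebook or of Volatility: it parses rows in the format of the `handles -p 1536` output above (a constructed sample that reuses a few of those rows), counts handles by type, extracts the PIDs of other processes the parent holds handles to together with whether the access mask is full access, counts Winsock socket handles (`\Device\Afd\Endpoint`), and lists file handles on the system volume outside `\Windows`. `PROCESS_ALL_ACCESS = 0x1FFFFF` is the documented Windows value; the 16-character width of the Type column is taken from the separator line of the listing.

```python
"""Summarise a Volatility 2 handles listing for one process (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Documented Windows access mask for a process handle with every right granted.
PROCESS_ALL_ACCESS = 0x1FFFFF

# Constructed sample: a few rows copied from the notebook's `handles -p 1536` listing.
SAMPLE_HANDLES = r"""
Volatility Foundation Volatility Framework 2.6
Offset(V)             Pid             Handle             Access Type             Details
------------------ ------ ------------------ ------------------ ---------------- -------
0xfffff8a001679b60   1536                0x4                0x9 Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS
0xfffff8a000ae1400   1536                0x8                0x3 Directory        KnownDlls
0xfffffa80066e1370   1536                0xc           0x100020 File             \Device\HarddiskVolume1\salt\bin
0xfffffa80066f63d0   1536               0x10           0x1f0003 Event
0xfffffa800601b070   1536               0x18           0x1f0001 ALPC Port
0xfffffa80062c05a0   1536               0x14           0x100020 File             \Device\HarddiskVolume1\Windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251
0xfffffa80048d1800   1536              0x2dc           0x1fffff Process          python.exe(3644)
0xfffffa80060ae060   1536              0x2ec           0x1fffff Process          python.exe(4024)
0xfffffa8004c4f400   1536              0x2f4           0x1fffff Process          python.exe(860)
0xfffffa80053bacc0   1536              0x304              0x804 EtwRegistration
0xfffffa8006e5ff20   1536              0x474           0x16019f File             \Device\Afd\Endpoint
0xfffffa8006e2add0   1536              0x478           0x16019f File             \Device\Afd\Endpoint
"""

# The first four columns are whitespace-separated. Type is a fixed 16-character
# column (it can contain a space, e.g. "ALPC Port"); Details is free-form text after it.
HEAD = re.compile(r"^(?P<offset>0x[0-9a-f]+)\s+(?P<pid>\d+)\s+(?P<handle>0x[0-9a-f]+)\s+(?P<access>0x[0-9a-f]+) ")
# System-volume paths that are not under \Windows.
VOLUME_NOT_WINDOWS = re.compile(r"\\Device\\HarddiskVolume\d+\\(?!Windows\\)", re.IGNORECASE)


@dataclass
class Handle:
    pid: int
    value: int
    access: int
    type: str
    details: str


def parse_handles(text: str) -> list[Handle]:
    """Parse handle rows; banner, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue
        rest = line[m.end():]
        rows.append(Handle(
            pid=int(m["pid"]), value=int(m["handle"], 16), access=int(m["access"], 16),
            type=rest[:16].rstrip(), details=rest[17:].strip(),
        ))
    return rows


def count_by_type(handles: list[Handle]) -> dict[str, int]:
    return dict(Counter(h.type for h in handles))


def process_targets(handles: list[Handle]) -> list[tuple[str, int, bool]]:
    """(name, pid, has_all_access) for every other process this one holds a handle to."""
    out = []
    for h in handles:
        if h.type != "Process":
            continue
        m = re.fullmatch(r"(?P<name>.+)\((?P<pid>\d+)\)", h.details)
        if m:
            out.append((m["name"], int(m["pid"]), h.access == PROCESS_ALL_ACCESS))
    return out


def socket_endpoints(handles: list[Handle]) -> int:
    """Afd endpoint file handles are Winsock sockets, so this counts open sockets."""
    return sum(1 for h in handles if h.type == "File" and h.details == r"\Device\Afd\Endpoint")


def volume_paths_outside_windows(handles: list[Handle]) -> list[str]:
    """File handles on the system volume that are not under the Windows directory."""
    return [h.details for h in handles if h.type == "File" and VOLUME_NOT_WINDOWS.match(h.details)]


if __name__ == "__main__":
    hs = parse_handles(SAMPLE_HANDLES)
    print(count_by_type(hs))
    print(process_targets(hs))
    print("sockets:", socket_endpoints(hs))
    print(volume_paths_outside_windows(hs))
```

Running this against the full output of `handles -p 1536` would give the complete set of child `python.exe` PIDs in one step, which can then be cross-checked against `pslist` to see which of them are still running and which have already exited.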