# S038 Memory Analysis

We have access to 2 compressed archives, `S038` and `S039`, each containing a wealth of live response data. This notebook covers the contents of S038.

## Where Things Are Initially

We're in the position of junior incident responders. We have a collection of memory and disk images from a company who thinks they may have been compromised. Our task is to determine:
* Who
* What
* Where
* When
* Why

This is to be done (preferably) by examining the memory images and referencing the disk images when necessary.

Our evidence is spread across 2 folders: `S038` and `S039`.

In [2]:
ls ../

IR_Final
S038
S038.7z
S039
S039.7z


Each folder contains 2 sub-folders:
* Memory: A collection of `.vmem` and `.vmss` files for each system.
* Triage: KAPE triage results.

In [3]:
ls ../S038

Memory
Triage


In [4]:
ls ../S038/Memory

ACC-02-dc8be79d.vmem
ACC-02-dc8be79d.vmss
ACC-02_27_files.zip
ACC-04-0f3b7e88.vmem
ACC-04-0f3b7e88.vmss
ACC-04_18_files.zip
ACC-06-0f3c9744.vmem
ACC-06-0f3c9744.vmss
ACC-06_12_files.zip
SAL-05-1c4475fd.vmem
SAL-05-1c4475fd.vmss
SAL-05_13_files.zip
SAL-09-e9982959.vmem
SAL-09-e9982959.vmss
SAL-09_23_files.zip


In [5]:
ls ../S038/Triage

All Windows.KapeFiles.Targets
HuntDetails
clients
triage.zip


As we aren't told which machine was initially infected, a decent starting point is to examine one of the hosts, looking for anything suspicious. If nothing is found on one host, we can move on to the next. If something suspicious is found, we can look at the other hosts to see whether the same indicators are present there. As hosts are examined, we can build a list of actionable leads.

Let's start by examining `ACC-02-dc8be79d.vmem` with the Volatility 2 `imageinfo` command.

In [7]:
../../volatility_2.6_mac64_standalone/volatility_2.6_mac64_standalone -f ../S038/Memory/ACC-02-dc8be79d.vmem imageinfo

Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : VMWareMetaAddressSpace (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/Users/matthewrobinson/Documents/CYBS514/final_project/S038/Memory/ACC-02-dc8be79d.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c450a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c46d00L
                KPCR for CPU 1 : 0xfffff880009ef000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2021-06-16 13:08:41 UTC+0000
     Image local date and time : 2021-06-16 0

From the results, we can see that the first suggested profile is `Win7SP1x64`, indicating the image was taken from a 64-bit Windows 7 SP1 machine. The image date and time is `2021-06-16 13:08:41 UTC+0000`.

Let's check what processes were present.

In [8]:
../../volatility_2.6_mac64_standalone/volatility_2.6_mac64_standalone --profile=Win7SP1x64 -f ../S038/Memory/ACC-02-dc8be79d.vmem pslist

Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8003c78b30 System                    4      0     90      521 ------      0 2021-06-15 13:20:03 UTC+0000                                 
0xfffffa80053a0040 smss.exe                276      4      2       30 ------      0 2021-06-15 13:20:03 UTC+0000                                 
0xfffffa8005c164f0 csrss.exe               356    348      9      731      0      0 2021-06-15 13:20:04 UTC+0000                                 
0xfffffa8005e363b0 wininit.exe             408    348      3       77      0      0 2021-06-15 13:20:04 UTC+0000                                 
0xfffffa8005e407f0 csrss.exe               424    400     12      447      1 

0xfffffa8004f9d060 iexplore.exe           5884   5352      0 --------      1      0 2021-06-15 16:48:30 UTC+0000   2021-06-15 17:33:15 UTC+0000  
0xfffffa8004f92b30 HelpPane.exe           1796    648      7      262      1      0 2021-06-15 16:53:51 UTC+0000                                 
0xfffffa8004124930 python.exe             5320   1536      0 --------      0      0 2021-06-15 17:20:18 UTC+0000   2021-06-15 17:20:21 UTC+0000  
0xfffffa800426b1c0 python.exe             5372   1536      0 --------      0      0 2021-06-15 18:20:18 UTC+0000   2021-06-15 18:20:20 UTC+0000  
0xfffffa8004c17060 calc.exe                628   2648      3       75      1      0 2021-06-15 18:54:15 UTC+0000                                 
0xfffffa8004f6fa30 calc.exe               5668   2648      3       75      1      0 2021-06-15 19:15:33 UTC+0000                                 
0xfffffa80046382e0 python.exe             5476   1536      0 --------      0      0 2021-06-15 19:20:18 UTC+0000   2021-06-1