This write-up only covers Task 10 – Practical Investigations.
Question 1: What is the build version of the host machine in Case 001?
In the windows.info output shown in the screenshot above, read the build from the NTBuildLab line.
Question 2: At what time was the memory file acquired in Case 001?
In the same windows.info output, the SystemTime line gives the time the memory was acquired.
Answer: 2012-07-22 02:45:08
Question 3: What process can be considered suspicious in Case 001?
In the process listing screenshot, look at the last line: PID 1640, reader_sl.exe. That is the suspicious process.
Question 4: What is the parent process of the suspicious process in Case 001?
See the previous screenshot. The parent is the executable listed just above reader_sl.exe (explorer.exe); the PPID column of reader_sl.exe confirms it.
Question 5: What is the PID of the suspicious process in Case 001?
Same screenshot: read the PID column on the reader_sl.exe line.
Question 6: What is the parent process PID in Case 001?
Same screenshot again: take the PID of explorer.exe, which should match the PPID column of reader_sl.exe.
Question 7: What user-agent was employed by the adversary in Case 001?
We use memmap to dump the process memory of PID 1640 to disk:
./vol.py -f /Scenarios/Investigations/Investigation-1.vmem -o /tmp windows.memmap --pid 1640 --dump
This writes pid.1640.dmp into /tmp.
Now run strings over the dump and look for a User-Agent value.
Answer: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US
Question 8: Was Chase Bank one of the suspicious bank domains found in Case 001? (Y/N)
strings to the rescue again (case-insensitive, since the domain may appear in mixed case):
strings /tmp/pid.1640.dmp | grep -i chase
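The two strings-and-grep steps above (Question 7 and Question 8) can be done in one pass, and with one caveat that plain strings misses: Windows keeps many strings in memory as UTF-16LE, which strings only finds with -el. The script below is an added example, not part of the original walkthrough or the TryHackMe room. It emulates strings for both ASCII and UTF-16LE runs, pulls out user-agent values, and checks a watch-list of bank domains. The dump bytes, the bank names and the user-agent in SAMPLE_DUMP are constructed for the example; point it at a real pid.<PID>.dmp to scan that instead.

```python
import re
import sys

# Constructed sample standing in for a process memory dump (pid.<PID>.dmp).
# It is NOT data from the Investigation-1 image: an ASCII HTTP request with a
# user-agent, a UTF-16LE URL (how many Windows strings sit in memory), and
# non-printable filler around them.
SAMPLE_DUMP = (
    b"\x00\x01\x02GET /gate.php HTTP/1.1\r\n"
    + b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\x00\x00"
    + "https://online.examplebank.test/login".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + b"Cache-Control: no-cache\r\n"
    + b"\x7f\x80\x81"
)

# Constructed watch-list of bank domains (hypothetical names).
BANK_WATCHLIST = ["examplebank.test", "chase"]

ASCII_RUN = rb"[\x20-\x7e]{%d,}"            # what `strings` finds
WIDE_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"     # what `strings -el` finds


def extract_strings(data, min_len=4, wide=True):
    """Pull printable runs out of raw bytes, like `strings` (ASCII) and,
    when wide=True, like `strings -el` (UTF-16LE)."""
    found = [m.group().decode("ascii")
             for m in re.finditer(ASCII_RUN % min_len, data)]
    if wide:
        found += [m.group().decode("utf-16-le")
                  for m in re.finditer(WIDE_RUN % min_len, data)]
    return found


UA_RE = re.compile(r"(?:User-Agent:\s*)?(Mozilla/[^\r\n]+)")


def find_user_agents(strings):
    """Return the distinct user-agent values found among the extracted strings."""
    hits = set()
    for s in strings:
        m = UA_RE.search(s)
        if m:
            hits.add(m.group(1).strip())
    return sorted(hits)


def find_watchlist_hits(strings, watchlist):
    """Map each watch-list term (case-insensitive substring) to the strings
    containing it; a term that never appears is absent from the result."""
    hits = {}
    for s in strings:
        low = s.lower()
        for term in watchlist:
            if term.lower() in low:
                hits.setdefault(term, []).append(s)
    return hits


def scan_dump(data, watchlist=BANK_WATCHLIST):
    """Run both checks over one dump and return the findings."""
    strings = extract_strings(data)
    return {
        "user_agents": find_user_agents(strings),
        "bank_hits": find_watchlist_hits(strings, watchlist),
    }


if __name__ == "__main__":
    # Usage: python scan_dump.py /tmp/pid.1640.dmp  (no argument: scan the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    result = scan_dump(data)
    print("user-agents:", result["user_agents"])
    for term, lines in result["bank_hits"].items():
        print(f"{term}: {len(lines)} hit(s), e.g. {lines[0]!r}")
```

With wide=False the UTF-16LE URL in the sample is not found at all, which is exactly what happens when you run plain strings without -el over a Windows process dump; running both passes before answering a "was domain X present" question avoids a false N.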
Question 9: What suspicious process is running at PID 740 in Case 002?
On to Case 002. Start with the process tree:
./vol.py -f /Scenarios/Investigations/Investigation-2.raw windows.pstree
Look at the line for PID 740.
Question 10: What is the full path of the suspicious binary in PID 740 in Case 002?
Time to break out dlllist, restricted to the process (a plain grep for 740 would also match PID 1740 or any address containing 740):
./vol.py -f /Scenarios/Investigations/Investigation-2.raw windows.dlllist --pid 740
The first module listed for a process is its own executable; its Path column is the full path of the binary.
Question 11: What is the parent process of PID 740 in Case 002?
See the pstree screenshot above with the PIDs listed. The executable shown directly before PID 740 (one level up in the tree) is…
Question 12: What is the suspicious parent process PID connected to the decryptor in Case 002?
Same screenshot. This is asking for the PID of tasksche.exe, which is also what the PPID column of PID 740 shows…
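Questions 9 to 12 are all answered by reading columns of the windows.pstree and windows.dlllist output. The script below is an added example, not part of the original walkthrough, that does the same reading programmatically: it parses the tab-separated Volatility 3 output, walks the PPID chain for a process, and pulls the image path and the loaded modules for one PID by the PID column rather than by a substring grep. The process names, PIDs, offsets and paths in the samples are constructed for the example and are not taken from the Investigation-2 image; only the column layout follows Volatility 3.

```python
import re


def _tsv(rows):
    """Join constructed rows into tab-separated text like Volatility 3 prints."""
    return "\n".join("\t".join(r) for r in rows) + "\n"


# Constructed windows.pstree sample (columns trimmed). The "*" prefixes are the
# tree-depth markers Volatility 3 puts in front of the PID column.
PSTREE_SAMPLE = _tsv([
    ("PID", "PPID", "ImageFileName", "Offset(V)", "Threads"),
    ("4", "0", "System", "0x823c8830", "51"),
    ("* 348", "4", "smss.exe", "0x82169020", "3"),
    ("** 600", "348", "winlogon.exe", "0x821e2020", "23"),
    ("*** 1000", "600", "explorer.exe", "0x81f7d020", "17"),
    ("**** 1200", "1000", "dropper.exe", "0x81f23da0", "5"),
    ("***** 1300", "1200", "decrypt.exe", "0x81f1a5a0", "2"),
    ("** 1740", "348", "csrss.exe", "0x821f0b90", "12"),
])

# Constructed windows.dlllist sample (columns trimmed to those used here).
DLLLIST_SAMPLE = _tsv([
    ("PID", "Process", "Base", "Size", "Name", "Path"),
    ("1300", "decrypt.exe", "0x400000", "0x12000", "decrypt.exe", r"C:\Users\victim\Desktop\drop\decrypt.exe"),
    ("1300", "decrypt.exe", "0x7c900000", "0xb2000", "ntdll.dll", r"C:\WINDOWS\system32\ntdll.dll"),
    ("1300", "decrypt.exe", "0x71ab0000", "0x17000", "WS2_32.dll", r"C:\WINDOWS\system32\WS2_32.dll"),
    ("1740", "csrss.exe", "0x4a680000", "0x5000", "csrss.exe", r"C:\WINDOWS\system32\csrss.exe"),
])


def parse_pstree(text):
    """Return {pid: (ppid, name)} from windows.pstree output."""
    procs = {}
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 3 or not cols[0].lstrip("* ").isdigit():
            continue  # banner, header or blank line
        procs[int(cols[0].lstrip("* "))] = (int(cols[1]), cols[2])
    return procs


def ancestry(procs, pid):
    """Walk PPID links from pid towards the root: [(pid, name), (ppid, name), ...].
    Stops at an unknown parent or a cycle."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, name = procs[pid]
        chain.append((pid, name))
        pid = ppid
    return chain


def parse_dlllist(text):
    """Return one dict per loaded module from windows.dlllist output."""
    rows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6 or not cols[0].isdigit():
            continue
        rows.append({"pid": int(cols[0]), "process": cols[1],
                     "name": cols[4], "path": cols[5]})
    return rows


def image_path(rows, pid):
    """Full path of the process image: the first module dlllist reports for a
    PID is the executable itself. Matches on the PID column, so 1740 never
    answers a question about 740."""
    for r in rows:
        if r["pid"] == pid:
            return r["path"]
    return None


def modules_matching(rows, pid, pattern):
    """Names of modules loaded by pid whose name matches pattern (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r["name"] for r in rows if r["pid"] == pid and rx.search(r["name"])]


if __name__ == "__main__":
    procs = parse_pstree(PSTREE_SAMPLE)
    print(" <- ".join(f"{n} ({p})" for p, n in ancestry(procs, 1300)))
    rows = parse_dlllist(DLLLIST_SAMPLE)
    print(image_path(rows, 1300), modules_matching(rows, 1300, r"ws2_32"))
```

To use it on a real image, save the plugin output first (for example ./vol.py -f Investigation-2.raw windows.pstree > pstree.txt) and pass the file contents to parse_pstree or parse_dlllist; the functions only rely on the PID, PPID, ImageFileName, Name and Path columns being tab-separated.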
Question 13: From our current information, what malware is present on the system in Case 002?
Given the process names seen so far this one is self-explanatory, so take an educated guess.
Question 14: What DLL is loaded by the decryptor used for socket creation in Case 002?
PID 740 loads a lot of DLLs. Rather than trying each one in the answer box, note that the question says socket: the Windows Sockets library is ws2_32.dll (WS stands for WinSock), so look for that entry in the dlllist output.
Question 15: What mutex can be found that is a known indicator of the malware in question in Case 002?
We use handles for this one, restricted to PID 1940 and to Mutant objects so only mutexes are listed:
./vol.py -f /Scenarios/Investigations/Investigation-2.raw windows.handles --pid 1940 | grep Mutant
Even without the grep, the mutex in question jumps off the screen when scrolling through the Mutant entries.
Question 16: What plugin could be used to identify all files loaded from the malware working directory in Case 002?
Again, checking the plugin reference, the answer is filescan: windows.filescan lists file objects with their paths, so the malware's working directory can be grepped out of its output.