Concept: Memory forensics with a .vmss file.

Purpose: Are you comfortable using the Volatility command line?

Scenario

An employee reported that his machine started to act strangely after receiving a suspicious email about a security update. The incident response team captured a couple of memory dumps from the suspected machines for further inspection. Analyze the dumps and help the IR team figure out what happened!

Question 1:

What email address tricked the front desk employee into installing a security update?

Volatility process listing. The columns are those of the Volatility 2 pslist plugin (offset, name, PID, PPID, threads, handles, session, Wow64, start time). The process of interest for an email-borne lure is the mail client, OUTLOOK.EXE, since that is where the "security update" message and its sender address will be resident in memory:

0x85cd3d40 OUTLOOK.EXE 3196 2116 22 1678 1 0 2015-10-09 11:31:32 UTC+0000
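Once pslist has identified OUTLOOK.EXE, the usual next step is to dump that process (in Volatility 2, memdump -p 3196 -D <outdir>) and search the result for the message headers. The script below is an added example, not part of the original write-up and not output from the challenge dump: it parses pslist rows into structured records, then carves From: addresses out of a memory blob, decoding it both as 8-bit text and as UTF-16LE at both byte alignments, because Windows applications keep many strings in memory as UTF-16. All sample data (the pslist header, the System row, the MIME fragment, and the example.com / example.org addresses) is constructed; only the OUTLOOK.EXE row comes from the page.

```python
# Added example, not code from the challenge write-up; all sample data is constructed.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, List, Optional

# One data row of Volatility 2 pslist: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start [Exit];
# a run of dashes in a numeric column means "not available".
PSLIST_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+|-+)\s+(?P<hnds>\d+|-+)\s+(?P<sess>\d+|-+)\s+(?P<wow64>[01])\s+"
    r"(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4})", re.IGNORECASE)

@dataclass
class Process:
    offset: int
    name: str
    pid: int
    ppid: int
    threads: Optional[int]
    handles: Optional[int]
    session: Optional[int]
    wow64: bool
    start: str

def _num(field: str) -> Optional[int]:
    return int(field) if field.isdigit() else None

def parse_pslist(text: str) -> List[Process]:
    """Parse pslist text; header and separator lines never match the row pattern and are skipped."""
    procs = []
    for line in text.splitlines():
        m = PSLIST_ROW.match(line.strip())
        if m:
            procs.append(Process(int(m["offset"], 16), m["name"], int(m["pid"]), int(m["ppid"]),
                                 _num(m["thds"]), _num(m["hnds"]), _num(m["sess"]),
                                 m["wow64"] == "1", m["start"]))
    return procs

def pids_named(procs: List[Process], name: str) -> List[int]:
    """PIDs of every process with this image name (case-insensitive), e.g. to pass to memdump -p."""
    return [p.pid for p in procs if p.name.lower() == name.lower()]

# Loose RFC 5322 address shape: good enough for carving, deliberately not a validator.
EMAIL = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
EMAIL_RE = re.compile(EMAIL)
# A From: header line, with or without a display name: "From: Name <addr>" or "From: addr".
FROM_RE = re.compile(r"^From:[ \t]*(?:[^<\r\n]*<)?(" + EMAIL + r")>?", re.IGNORECASE | re.MULTILINE)

def text_views(blob: bytes) -> Iterator[str]:
    """Yield the blob as 8-bit text and as UTF-16LE at both byte alignments (ANSI and wide strings)."""
    yield blob.decode("latin-1")
    for off in (0, 1):
        chunk = blob[off:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]          # decoder needs whole code units
        yield chunk.decode("utf-16-le", errors="replace")

def carve_senders(blob: bytes) -> Counter:
    """Count every address that appears in a From: header in any text view."""
    senders: Counter = Counter()
    for view in text_views(blob):
        for m in FROM_RE.finditer(view):
            senders[m.group(1).lower()] += 1
    return senders

def addresses_near(blob: bytes, keyword: str, window: int = 512) -> Counter:
    """Count addresses within `window` characters of each keyword hit (catches fragments a From: match misses)."""
    hits: Counter = Counter()
    key = re.compile(re.escape(keyword), re.IGNORECASE)
    for view in text_views(blob):
        for km in key.finditer(view):
            region = view[max(0, km.start() - window): km.end() + window]
            for am in EMAIL_RE.finditer(region):
                hits[am.group().lower()] += 1
    return hits

# Constructed pslist sample: the header and the System row are invented; the OUTLOOK.EXE row is
# the one quoted in the write-up.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ --------
0x8464b020 System                    4      0     63      268 ------      0 2015-10-09 11:30:10 UTC+0000
0x85cd3d40 OUTLOOK.EXE            3196   2116     22     1678      1      0 2015-10-09 11:31:32 UTC+0000
"""

def build_sample_blob() -> bytes:
    """Constructed stand-in for a memdump file: ANSI MIME headers, the sender cached as UTF-16LE, binary padding."""
    mime = (b"Received: from mail.example.com\r\n"
            b'From: "IT Security" <it-security@example.com>\r\n'
            b"To: frontdesk@example.org\r\n"
            b"Subject: Mandatory Security Update\r\n"
            b"\r\nPlease install the attached security update.\r\n")
    wide = "Security Update from it-security@example.com".encode("utf-16-le")
    noise = b"\x00\x01\x02" + bytes(range(0x80, 0x100)) + b"\xff" * 16
    return noise + mime + noise + b"\x00" + wide + noise

if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("OUTLOOK.EXE pid(s):", pids_named(procs, "OUTLOOK.EXE"))
    blob = build_sample_blob()
    print("From: headers:", carve_senders(blob).most_common())
    print("near keyword :", addresses_near(blob, "security update").most_common())
```

Run as-is to see the constructed sample; on a real case, replace build_sample_blob() with the bytes of the memdump output file (for a multi-gigabyte image, read it in overlapping chunks rather than all at once). Treat the most frequent From: address near the lure text as a lead, not proof: the same address can also sit in the user's reply, in autocomplete caches or in the junk folder, so confirm it against the full message once it is located.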