Memory Dump

Inspired by the CQURE 5 day challenge, I’ve decided to document some of the things that I’ve learned from the daily assessments. 🙂


The last part of the 5 day challenge was a quick introduction to forensics: how to create a complete memory dump of a Windows system, or a minidump of a particular process. I’ve decided to extend this article a little bit with further study of that blog article from Paula.

Let us imagine that we have to deal with a compromised Windows system and, for evidence reasons, we want to save a complete memory dump of the operating system. There are different tools to do that, but let’s first have a closer look at a tool called DumpIt.exe from Matthieu Suiche. It’s a simple and portable tool which lets us do exactly that. The only thing you have to check is the destination path where you want the dump file to be stored.

The next thing we want to cover before we go into analysis is how to create a dump of a particular process. There is a tool called procdump from Sysinternals with which we can do that. The same function is also built into Process Explorer, and alternatively we can use Process Hacker.

Right Click on lsass.exe –> Create dump –>  Create full dump –> save

After doing that we want to check whether we can extract some sensitive logon information with mimikatz.

mimikatz # sekurlsa::minidump C:\dmp\lsass.dmp

mimikatz # sekurlsa::logonPasswords

I won’t go deeper at this point, but briefly cover a toolkit called the Volatility Framework, which is a set of Python scripts for further memory analysis.

Some examples (the --profile value has to match the operating system the dump was taken from; Win7SP1x64 is used below):

Get the console screen buffers, i.e. what someone typed in cmd together with the output:

vol.py -f "Path of dump file" --profile=Win7SP1x64 consoles

Show the command history of what someone typed in cmd:

vol.py -f "Path of dump file" --profile=Win7SP1x64 cmdscan

Get a list of processes that were running on that system:

vol.py -f "Path of dump file" --profile=Win7SP1x64 pslist

Get a list of processes (including hidden ones) that were running on that system; this one scans memory for process structures instead of walking the active process list, so it also finds entries that were unlinked from it:

vol.py -f "Path of dump file" --profile=Win7SP1x64 psscan
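One thing an analyst usually does with the last two plugins is to cross-reference them: a process that psscan finds but pslist does not is either terminated or hidden. The script below is an added example (not part of the original post and not a Volatility plugin) that parses saved pslist and psscan output in the Volatility 2 column layout and lists the difference. The sample rows are constructed for the example, including the process names and PIDs; they do not come from a real dump.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output in the Volatility 2 column layout. These rows are
# made up for this example and do not come from a real memory dump.
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0b30 System                    4      0     88      537 ------      0 2024-01-01 10:00:00 UTC+0000
0xfffffa8001a2d060 smss.exe                272      4      2       29 ------      0 2024-01-01 10:00:02 UTC+0000
0xfffffa8001c51b30 csrss.exe               356    344      9      435      0      0 2024-01-01 10:00:05 UTC+0000
0xfffffa8001d0a060 lsass.exe               492    404      7      573      0      0 2024-01-01 10:00:06 UTC+0000
0xfffffa8001f3cb30 explorer.exe           1288   1240     31      901      1      0 2024-01-01 10:01:10 UTC+0000
"""

PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e0f8b30 System                4      0 0x0000000000187000 2024-01-01 10:00:00 UTC+0000
0x000000003e7c1060 smss.exe            272      4 0x0000000006b6c000 2024-01-01 10:00:02 UTC+0000
0x000000003e9a2b30 csrss.exe           356    344 0x000000000a49f000 2024-01-01 10:00:05 UTC+0000
0x000000003ea33060 lsass.exe           492    404 0x000000000bd11000 2024-01-01 10:00:06 UTC+0000
0x000000003f0c4b30 explorer.exe       1288   1240 0x000000001a2ff000 2024-01-01 10:01:10 UTC+0000
0x000000003f5e2060 notepad.exe        2040   1288 0x000000002e4aa000 2024-01-01 10:05:41 UTC+0000 2024-01-01 10:06:12 UTC+0000
0x000000003f7a9b30 svch0st.exe        2316    492 0x000000003c01d000 2024-01-01 10:07:03 UTC+0000
"""

# A data row starts with the offset, then name, PID and PPID; the remaining
# columns differ between the two plugins and are kept as one string.
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s+(.*)$")
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


@dataclass
class Process:
    name: str
    pid: int
    ppid: int
    exited: bool  # True when the row carries a second (exit) timestamp


def parse_process_table(text: str) -> Dict[int, Process]:
    """Parse pslist or psscan output into a dict keyed by PID.

    Names are truncated by both plugins (to different widths), so the PID is
    used as the key. A row with two timestamps (created and exited) belongs
    to a terminated process whose structure is still in memory.
    """
    procs: Dict[int, Process] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        name, pid, ppid, rest = m.groups()
        exited = len(TIMESTAMP_RE.findall(rest)) >= 2
        procs[int(pid)] = Process(name, int(pid), int(ppid), exited)
    return procs


def find_unlisted_processes(pslist_text: str, psscan_text: str) -> List[Process]:
    """Processes found by scanning (psscan) that are missing from the active
    process list (pslist), sorted by PID."""
    listed = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    return [p for pid, p in sorted(scanned.items()) if pid not in listed]


def classify(proc: Process) -> str:
    """Explain why a scanned process may be missing from pslist."""
    if proc.exited:
        return "terminated (exit time recorded)"
    return "no exit time: possibly unlinked from the process list, needs review"


def report(pslist_text: str, psscan_text: str) -> List[str]:
    """One human-readable line per process that only psscan reported."""
    return [
        f"PID {p.pid:>5} {p.name:<16} PPID {p.ppid:>5}: {classify(p)}"
        for p in find_unlisted_processes(pslist_text, psscan_text)
    ]


if __name__ == "__main__":
    for line in report(PSLIST_OUTPUT, PSSCAN_OUTPUT):
        print(line)
```

Run it against real output by replacing the two constants with the text that `vol.py ... pslist` and `vol.py ... psscan` print (or by reading the saved files). A process with an exit timestamp is usually just a leftover structure; a process without one that is still absent from pslist is the case worth a closer look, for example with a cross-check of its parent PID against the pslist entries.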

The challenge itself was a set of instructions: import a certificate with a private key marked as not exportable, then run a modified PowerShell script called Invoke-Mimikatz.ps1 to extract the certificate from memory. For some reason the extraction script didn’t work for me, but during this challenge I’ve learned a lot in a short time and I think I’m addicted now to learning more! 🙂

Some repeating questions:

Which process in the OS can contain data about active users?
lsass.exe

How can you create a process dump with tools built-in into Windows OS?
With task manager

Which utility allows you to discover passwords from lsass.exe?
Mimikatz

Which file does not contain sensitive information about passwords?
Taskmgr.exe dump

Is it possible to create lsass.exe dump on the remote machine?
Yes, with some form of remote tool like PsExec etc.

Further information about forensic tools:

http://forensicswiki.org/wiki/Main_Page
