Cyberdefenders - MrRobot

MrRobot

Info

  • Category : Digital Forensics
  • SHA1SUM : b8dab80336c37688f276bfbfac0ac1681398a30d
  • Published : May 18, 2022
  • Author : Wyatt Roersma
  • Size : 1.1 GB
  • Tags : PHISHING WINDOWS MEMORY RAT

Scenario

An employee reported that his machine started to act strangely after receiving a suspicious email for a security update. The incident response team captured a couple of memory dumps from the suspected machines for further inspection. Analyze the dumps and help the IR team figure out what happened!

Cyberdefenders - Seized

Seized

Info

  • Category : Digital Forensics
  • SHA1SUM : a2c209bb3c221bc70f3418e079e2a22db3cebc53
  • Published : May 28, 2022
  • Authors : 2phi and Nofix
  • Size : 162 MB
  • Tags : LINUX MEMORY CENTOS ROOTKIT

Unzip the challenge (pass: cyberdefenders.org), investigate this case, and answer the provided questions.

Use the latest version of Volatility, and place the attached Volatility profile “Centos7.3.10.1062.zip” in the following path: volatility/volatility/plugins/overlays/linux.

Scenario

Using Volatility, apply your memory analysis skills to investigate the provided Linux memory snapshots and figure out the attack details.

Cyberdefenders - TeamSpy

TeamSpy

Info

  • Category : Digital Forensics
  • SHA1SUM : 1bc677daf51be254c8bfb9085f7375bbf1ee8e3b
  • Published : June 4, 2022
  • Author : Wyatt Roersma
  • Size : 1.4G
  • Tags : GrrCon Memory Windows TeamViewer

Uncompress the challenge (pass: cyberdefenders.org)

Scenario

An employee reported that his machine started to act strangely after receiving a suspicious email with a document file. The incident response team captured a couple of memory dumps from the suspected machines for further inspection. Analyze the dumps and help the IR team figure out what happened!

Cyberdefenders - Ulysses

Ulysses

Info

  • Category : Digital Forensics
  • SHA1SUM : b53238c60a72d6056dacff51ab041c9688553d07
  • Published : Oct. 19, 2020
  • Author : The Honeynet Project
  • Size : 429M
  • Tags : Volatility Linux Memory Disk

Scenario

A Linux server was possibly compromised and a forensic analysis is required in order to understand what really happened. Hard disk dumps and memory snapshots of the machine are provided in order to solve the challenge.

Tools

  • Volatility
  • 010 Editor
  • Autopsy

Questions

vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.6.1

LinuxDebian5_26x86    - A Profile for Linux Debian5_26 x86
LinuxAMD64PagedMemory          - Linux-specific AMD 64-bit address space.
linux_aslr_shift            - Automatically detect the Linux ASLR shift
linux_banner                - Prints the Linux banner information
linux_yarascan              - A shell in the Linux memory image
linuxgetprofile             - Scan to try to determine the Linux profile

1 - The attacker was performing a brute-force attack. What account triggered the alert?

We can use Volatility to look at the services that are likely to have been brute-forced.

Cyberdefenders - WireDive

WireDive

Info

  • Category : Digital Forensics
  • SHA1SUM : a2aa9ad4831057e17df585bdac84efc05ec0413d
  • Published : Oct. 7, 2020
  • Authors : Johannes Weber and Champlain College
  • Size : 26M
  • Tags : Wireshark PCAP SMB Network

Uncompress the challenge (pass: cyberdefenders.org)

Scenario

WireDive is a combined traffic analysis exercise that contains various traces to help you understand how different protocols look on the wire. Challenge files:

  • dhcp.pcapng
  • dns.pcapng
  • https.pcapng
  • network.pcapng
  • secret_sauce.txt
  • shell.pcapng
  • smb.pcapng

Tools

  • BrimSecurity
  • WireShark

Questions

1 - File: dhcp.pcapng - What IP address is requested by the client?

search: dhcp

FCSC 2022 - À l'ancienne

Category : Forensics

Difficulty : ⭐


À l’ancienne

Statement

You need to recover and analyze the data exchanged in this capture. Better to warn you before you panic: you will have to relax and decompress to get through this calmly.

SHA256(cap) = 27117fc9487e8ca1a54f7d6a55f39b3223153451a8df41bb02488c2a99dbf059.


Solve

└─$ file cap            
cap: Sniffer capture file - version 4.0 (Ethernet)

We open the file in Wireshark and quickly browse through it.