From Evidence to Answers: Navigating Forensic CTF Challenges with Skill — Part I

Hadiqa khan
4 min read, May 22, 2023


Let's have a blast with some forensics challenges.

Recently, I developed challenges for the forensics category. The core purpose of creating them was to introduce participants to Windows artifact forensics and Linux memory dump forensics.

This is Part I, which covers Linux memory dump forensics.

Part II will be added soon!

The Linux Profile!

Challenge Description: One of our Ubuntu servers is compromised. We were lucky enough to create a memory dump of it. Our forensics experts need your help to analyze this Linux memory dump and find the message (flag.txt) the attacker left on the device.


Download the Memory Dump

Explanation

As the title "Linux" tells us, the memory dump is certainly from some Linux distro. But how do we extract the message from a Linux memory dump? No worries: we can use Volatility 2, a memory forensics framework for extracting digital artifacts from volatile memory (RAM) samples. Once we know how to analyze the dump, the challenge becomes very easy to crack.

So we need Volatility 2 to analyze the Linux memory dump. But it is not as straightforward as Windows memory forensics, for which Volatility 2 ships profiles out of the box. After some Google Fu, we figured out that for Linux memory forensics we need to set up a profile in Volatility ourselves, matching the exact kernel build of the dumped machine.

Read More here at: https://kevintk1.medium.com/htb-business-ctf-2021-forensic-compromised-1aa265b843a6

But why do we need to do that? Because Linux has many distributions and thousands of kernel builds, and the layout of the kernel data structures Volatility walks changes between them, so it is not possible to ship a profile for every kernel version by default. A Volatility 2 Linux profile is a zip containing the kernel's System.map and a module.dwarf with the structure layouts for that exact build, and it must match the dump's kernel. Some prebuilt Ubuntu profiles can be found here: https://github.com/volatilityfoundation/profiles/tree/master/Linux/Ubuntu/x64

Analyzing

Let’s Begin !

To set up Volatility, follow these steps:

  1. git clone <https://github.com/volatilityfoundation/volatility.git>
  2. Download the memory dump from the link above.
  3. Find out the kernel version from the dump.
  4. Browse to the Linux profile link above and download the profile for that kernel version.
  5. Copy the profile zip into the Volatility directory at volatility/volatility/plugins/overlays/linux
  6. Once the profile is in that path, run `python vol.py --info` and check that the new Linux profile is listed.

The kernel's version banner (the same "Linux version ..." string that `uname -a` and dmesg print) is resident in the dump, so we can run `strings` on the image and grep for "Linux version" to find the kernel version, with no profile needed.

Finding out the Kernel Version

The kernel version is 4.18.0-25.
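The banner scan described above, as an added example that is not part of the original writeup and not the challenge's own tooling: a small POSIX shell script that turns every non-printable byte of a raw memory image into a line break, greps for the "Linux version" banner, and pulls out the kernel release (the string you compare against the profile zip names in the Volatility profiles repository) and, for Ubuntu kernels, the distro release embedded in the build tag. The sample image it builds is constructed for this example; the banner text in it is invented, not copied from the challenge dump.

```shell
#!/bin/sh
# Added example for this writeup, not the challenge's own tooling: scan a raw
# Linux memory image for the kernel banner and pull out the two strings you
# need to pick a Volatility 2 profile (kernel release and Ubuntu release).
set -eu
LC_ALL=C; export LC_ALL   # byte-wise [:print:] matching regardless of locale

# Return the first "Linux version ..." banner line in the image.  The banner is
# the same string uname -a and dmesg print, it sits in kernel memory, and no
# profile is needed to find it: turn every non-printable byte into a newline,
# then grep the resulting text.
kernel_banner_from_dump() {
    tr -c '[:print:]' '\n' < "$1" | grep -m1 -o 'Linux version .*'
}

# Just the release string, e.g. 4.18.0-25-generic; compare this against the
# profile zip names in the volatilityfoundation/profiles repository.
kernel_release_from_dump() {
    kernel_banner_from_dump "$1" | sed 's/^Linux version \([^ ]*\).*/\1/'
}

# Ubuntu builds embed the distro release in the build tag (#26~18.04.1-Ubuntu),
# which tells you which distribution directory of the profile repo to search.
ubuntu_release_from_dump() {
    kernel_banner_from_dump "$1" \
      | sed -n 's/.*#[0-9]*~\([0-9][0-9]*\.[0-9][0-9]*\)[^ ]*-Ubuntu.*/\1/p'
}

# Constructed stand-in for a memory image: a few binary bytes around a banner
# in the usual Ubuntu format.  The banner text is invented for this example,
# not copied from the challenge dump.
make_sample_dump() {
    f=$(mktemp)
    printf '\000\001\002\377\376\000noise\000' > "$f"
    printf 'Linux version 4.18.0-25-generic (buildd@lcy01-amd64-008) (gcc version 7.4.0) #26~18.04.1-Ubuntu SMP Tue Jun 11 14:37:12 UTC 2019' >> "$f"
    printf '\000\003\004\000' >> "$f"
    printf '%s\n' "$f"
}

# Usage: ./kernel_banner.sh /path/to/memory.dump
if [ "${1:-}" ]; then
    printf 'banner : %s\n' "$(kernel_banner_from_dump "$1")"
    printf 'release: %s\n' "$(kernel_release_from_dump "$1")"
    printf 'ubuntu : %s\n' "$(ubuntu_release_from_dump "$1")"
fi
```

On a real image there can be several banner copies (the running kernel's plus stale ones from kexec or an initrd), so if the first hit looks odd, drop `-m1` and compare all of them; the one Volatility's linux_banner plugin prints once the profile loads is the authoritative one.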

Download the Ubuntu Profile from GitHub
The Needed Profile

Let's verify the profile we just added (`python vol.py --info | grep Linux` lists the Linux profiles Volatility recognizes).

Now we have to explore the plugins Volatility 2 provides for Linux. Give the Volatility 2 documentation a read: there are important plugins such as linux_banner, linux_bash, linux_pslist and many more through which we can analyze the dump.

Let's start with linux_banner to verify that the profile matches our memory dump's kernel. It's easier to grep or read through a file, so we will redirect the output to linux_banner.txt.

The banner printed by the command above matches the kernel version we found, so the profile is correct.

Let's read the description once again: it says we have to find the message the attacker left. A very good plugin for that is linux_bash, which recovers the commands executed in bash from each bash process's in-memory history.

Let's skim through the history.

Nothing much: one entry mentions a random script, maybe a rabbit hole. The string aHR0cHM6Ly9wYXN0ZWJpbi5jb20vZEZlTHJxcUw= looks like base64 (it is not encryption, just encoding), so let's decode it.

A Pastebin link
Another encoded string

Decoding again: SGVoZWhlaCBObyBGbGFnIEhlcmUgLSBSYWJiaXRob2xlIF5fXg==

RickRoll

On skimming the history further, I found the echo command.

YAY! FLAG FOUND

Finally, we got the flag DevFlag{LinUx_M3M_F0r3nsics}.

A faster route is to grep the linux_bash output for the file name given in the description (flag.txt) instead of reading every entry, since the attacker had to write the message to that file from the shell.
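The grep-the-file-name approach above, as an added example that is not part of the original writeup: a POSIX shell script that filters linux_bash output for the file named in the description, extracts base64-looking tokens from the matching commands, and decodes each token in a bounded loop until the result is no longer valid base64. The history lines are constructed (the Pid, timestamps and commands are invented so the script runs without the challenge dump); the only strings taken from the writeup are the two base64 blobs it shows and the flag itself.

```shell
#!/bin/sh
# Added example, not the writeup's own code: triage Volatility 2 linux_bash
# output for the file named in the challenge and peel nested base64 out of it.
set -eu

# Constructed sample in linux_bash's column layout.  Pid, times and commands
# are invented for this example, not the challenge's real history.
SAMPLE_HISTORY='Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
    1337 bash                 2023-05-10 11:02:17 UTC+0000   ls -la /home/ubuntu
    1337 bash                 2023-05-10 11:02:40 UTC+0000   echo "aHR0cHM6Ly9wYXN0ZWJpbi5jb20vZEZlTHJxcUw=" > random_script.txt
    1337 bash                 2023-05-10 11:03:05 UTC+0000   echo "RGV2RmxhZ3tMaW5VeF9NM01fRjByM25zaWNzfQ==" | base64 -d > flag.txt
    1337 bash                 2023-05-10 11:03:20 UTC+0000   rm random_script.txt'

# Only the history entries that mention a given file name (fixed-string match,
# so dots in the name are not treated as regex wildcards).
history_for_file() {   # $1 = file name, stdin = linux_bash output
    grep -F -- "$1"
}

# Every base64-looking token on stdin: 16+ alphabet chars plus optional padding.
extract_b64_tokens() {
    grep -o -E '[A-Za-z0-9+/]{16,}={0,2}'
}

# Decode repeatedly while the current value is still well-formed base64 and the
# result is printable text.  The round limit keeps an attacker-chosen string
# from turning the triage script into an endless loop.
decode_chain() {   # $1 = token; prints the innermost decoded text
    s=$1
    i=0
    while [ "$i" -lt 5 ]; do
        case $s in *[!A-Za-z0-9+/=]*) break ;; esac      # not base64 alphabet
        [ $(( ${#s} % 4 )) -eq 0 ] || break               # bad length
        d=$(printf '%s' "$s" | base64 -d 2>/dev/null) || break
        case $d in *[![:print:]]*) break ;; esac          # binary, stop here
        s=$d
        i=$((i + 1))
    done
    printf '%s\n' "$s"
}

# Recover the flag: lines touching flag.txt -> their base64 blobs -> decoded
# text -> the one that matches the challenge's flag format.
recover_flag() {
    printf '%s\n' "$SAMPLE_HISTORY" \
      | history_for_file flag.txt \
      | extract_b64_tokens \
      | while read -r tok; do decode_chain "$tok"; done \
      | grep -m1 -o 'DevFlag{[^}]*}'
}

# Usage: ./bash_triage.sh  (prints the recovered flag from the sample history)
if [ "${1:-}" = "run" ]; then
    recover_flag
fi
```

Against a real dump you would replace the embedded sample with `python vol.py -f dump.mem --profile=<profile> linux_bash` output saved to a file and feed that file to history_for_file; the decode loop stops by itself at the Pastebin URL and at the "No Flag Here" sentence, because neither is valid base64, so the rabbit hole and the real flag fall out of the same logic.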

Takeaways

Learnt how to grep a raw image for the kernel banner,

Learnt about the Linux profiles Volatility 2 needs and where they go,

Learnt how to analyze a Linux memory dump with linux_banner and linux_bash.
