2024 Cyber Apocalypse: Oblique Final

Challenge Information

Attribute    Details
Event        2024 Cyber Apocalypse
Category     Forensics
Challenge    Oblique Final
Difficulty   Hard

Summary

Oblique Final is an advanced memory forensics challenge utilizing Volatility 3 to analyze a memory dump. The investigation requires identifying running processes, analyzing network connections, extracting files from memory, examining process memory for sensitive data, and reconstructing the attack narrative from RAM artifacts.


Analysis

Memory Dump Characteristics

The challenge provides a memory dump file that can be analyzed with Volatility 3, a powerful memory forensics framework. Key analysis areas:

  1. Process Analysis: Identify suspicious processes
  2. Network Connections: Find C2 communications
  3. File Extraction: Recover executables from memory
  4. Memory Scanning: Search for strings and patterns
  5. Registry Analysis: Extract system configuration
  6. Command History: Retrieve executed commands

Volatility 3 Plugins

Essential plugins for analysis (Volatility 3 plugin names, run as vol -f <dump> <plugin>):

  • windows.pslist / windows.pstree / windows.psscan - List processes (pstree shows parent-child relationships; psscan carves process structures from physical memory, so it also finds unlinked and exited processes)
  • windows.netstat / windows.netscan - Network connections (netscan also recovers closed connections)
  • windows.cmdline - Process command lines
  • windows.envars - Environment variables
  • windows.dumpfiles - Extract files from memory
  • windows.registry.hivelist / windows.registry.printkey - Locate and parse registry hives
  • windows.filescan - Find file objects in memory
  • windows.strings - Map strings from a `strings -td` listing back to the process or kernel region that owns them

Solution

Step 1: System Identification

Volatility 3 has no Volatility 2 style profiles: it reads the kernel's PDB GUID from the image and loads the matching symbol table (ISF JSON) itself, downloading the PDB from Microsoft's symbol server when it is not cached locally. windows.info confirms that the image parses and reports the OS version (the pip install provides the vol command; a git checkout has vol.py):

vol -f memory.dump windows.info
# Check the output for:
# - NtMajorVersion / NtMinorVersion and PE TimeDateStamp (Windows version and kernel build)
# - Is64Bit, and the Symbols line showing which symbol table was resolved
# If symbol resolution fails, point vol at a directory holding the ISF JSON
# with -s <dir> (or drop it under volatility3/symbols/windows/) and re-run

Step 2: List Processes

vol -f memory.dump windows.pslist
vol -f memory.dump windows.pstree
vol -f memory.dump windows.psscan
# Look for suspicious processes:
# - Unknown executables, or system process names (lsass.exe, svchost.exe, ...) running from the wrong path
# - Processes with unusual parents (pstree shows the tree; a shell spawned by a browser or Office app stands out)
# - Hidden or terminated processes: pslist walks the active process list, psscan carves _EPROCESS structures
#   from physical memory, so anything present only in psscan was unlinked from the list or has already exited

Step 3: Extract Command Lines

vol -f memory.dump windows.cmdline
# Find suspicious commands:
# - PowerShell with encoded commands: -e / -enc / -EncodedCommand takes base64 of UTF-16LE text,
#   so decode with: echo '<b64>' | base64 -d | iconv -f UTF-16LE -t UTF-8
# - Downloads: curl/wget, Invoke-WebRequest, certutil -urlcache
# - Scheduled task creation (schtasks /create)
# - Binaries launched from user-writable paths such as C:\Users\Public or %TEMP%
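Reading pslist, pstree and cmdline output by hand does not scale past a few dozen processes, so here is an added example for Steps 2 and 3. It is written for this page and is not code from the challenge or from the Volatility project: it parses the tab-separated text that windows.pslist and windows.cmdline print, flags processes whose parent breaks a small baseline, and decodes -EncodedCommand payloads, which PowerShell stores as base64 of UTF-16LE. The expected-parent baseline, the process names and PIDs, and the command lines are constructed for illustration and are not from the challenge dump.

```python
"""Triage helpers for Volatility 3 pslist and cmdline text output.

Added example for this page, not code from the challenge or the Volatility
project. Parses `vol ... windows.pslist` / `windows.cmdline` output, flags
processes with an unexpected parent, and decodes -EncodedCommand payloads.
The baseline and the sample output below are constructed, not from the dump.
"""
import base64
import binascii
import re

# Hypothetical baseline of expected parents for core Windows processes.
# smss.exe exits after spawning csrss/wininit/winlogon, so their parent is
# usually absent from pslist; the check is skipped when the parent is unknown.
EXPECTED_PARENT = {
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}   # exactly one instance expected
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_APPS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe",
             "winword.exe", "excel.exe", "outlook.exe"}

# Constructed sample of `windows.pslist` output; only PID, PPID, ImageFileName are used.
PSLIST_OUTPUT = """\
Volatility 3 Framework 2.7.0
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

724\t652\twininit.exe\t0xad8a1d0a2080\t1\t-\t0\tFalse\t2024-03-09 10:00:02.000000 \tN/A\tDisabled
812\t724\tservices.exe\t0xad8a1d1c5140\t8\t-\t0\tFalse\t2024-03-09 10:00:03.000000 \tN/A\tDisabled
840\t724\tlsass.exe\t0xad8a1d1c9080\t9\t-\t0\tFalse\t2024-03-09 10:00:03.000000 \tN/A\tDisabled
1020\t812\tsvchost.exe\t0xad8a1d2f0240\t12\t-\t0\tFalse\t2024-03-09 10:00:04.000000 \tN/A\tDisabled
5104\t4488\tiexplore.exe\t0xad8a1e7a3080\t20\t-\t1\tFalse\t2024-03-09 10:05:41.000000 \tN/A\tDisabled
5880\t5104\tpowershell.exe\t0xad8a1e8c0080\t7\t-\t1\tFalse\t2024-03-09 10:05:43.000000 \tN/A\tDisabled
3300\t5880\tlsass.exe\t0xad8a1e9d4080\t3\t-\t1\tFalse\t2024-03-09 10:05:50.000000 \tN/A\tDisabled
"""

# Constructed sample of `windows.cmdline` output for the same PIDs.
CMDLINE_OUTPUT = """\
Volatility 3 Framework 2.7.0
PID\tProcess\tArgs

5104\tiexplore.exe\t"C:\\Program Files\\Internet Explorer\\iexplore.exe"
5880\tpowershell.exe\tpowershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA
3300\tlsass.exe\tC:\\Users\\Public\\lsass.exe
"""

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def parse_pslist(text):
    """Return {pid: (ppid, image_name_lowercased)} from windows.pslist output."""
    procs = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 3 and fields[0].isdigit() and fields[1].isdigit():
            procs[int(fields[0])] = (int(fields[1]), fields[2].strip().lower())
    return procs


def find_suspicious_parents(procs):
    """Return (pid, name, reason) tuples for processes that break the baseline."""
    findings, first_seen = [], {}
    for pid, (ppid, name) in sorted(procs.items()):
        parent = procs.get(ppid, (None, None))[1]      # None when the parent has exited
        if parent is not None and name in EXPECTED_PARENT and parent not in EXPECTED_PARENT[name]:
            findings.append((pid, name, f"unexpected parent {parent} (PID {ppid})"))
        if name in SHELLS and parent in USER_APPS:
            findings.append((pid, name, f"spawned by user application {parent} (PID {ppid})"))
        if name in SINGLETONS:
            if name in first_seen:
                findings.append((pid, name, f"second instance; first seen as PID {first_seen[name]}"))
            else:
                first_seen[name] = pid
    return findings


def decode_encoded_powershell(args):
    """Decode a -EncodedCommand payload; None if absent or not valid base64/UTF-16LE."""
    match = ENCODED_RE.search(args)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage_cmdlines(text):
    """Return {pid: decoded_command} for processes started with an encoded command."""
    decoded = {}
    for line in text.splitlines():
        fields = line.split("\t", 2)          # Args may itself contain tabs or spaces
        if len(fields) == 3 and fields[0].isdigit():
            cmd = decode_encoded_powershell(fields[2])
            if cmd is not None:
                decoded[int(fields[0])] = cmd
    return decoded


if __name__ == "__main__":
    for pid, name, reason in find_suspicious_parents(parse_pslist(PSLIST_OUTPUT)):
        print(f"[!] PID {pid} {name}: {reason}")
    for pid, cmd in triage_cmdlines(CMDLINE_OUTPUT).items():
        print(f"[!] PID {pid} encoded command decodes to: {cmd}")
```

On the constructed sample the second lsass.exe (PID 3300) is reported twice, once for its parent powershell.exe and once as a duplicate singleton, and powershell.exe itself is reported for being spawned by iexplore.exe; the decoded payload is the string that was base64-encoded, so a real dump usually needs a second pass over the decoded text for nested -enc or Invoke-Expression stages. Feed the script the saved plugin output (vol ... > pslist.txt) rather than the sample constants to run it against a real image.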

Step 4: Analyze Network Connections

vol -f memory.dump windows.netstat
vol -f memory.dump windows.netscan
# netstat walks the live TCP/UDP tables; netscan carves pool allocations, so it
# also recovers closed connections together with their owning PID. Identify:
# - Established connections to external IPs and the PID that owns them
# - Listening ports opened by unexpected processes
# - Suspicious remote addresses; cross-check the PID against pslist and cmdline

Step 5: Extract Process Memory

# Dump a process's address space; --dump writes pid.<PID>.dmp into the -o directory
vol -f memory.dump -o dumps/ windows.memmap --pid PID --dump
# Search it for the flag format. Windows stores most in-memory text as UTF-16LE,
# so scan both encodings (-el is strings' 16-bit little-endian mode)
strings -a dumps/pid.PID.dmp | grep "HTB{"
strings -a -el dumps/pid.PID.dmp | grep "HTB{"
# To find out which process owns a string seen in the whole image, give
# windows.strings a `strings -td` listing (decimal offsets); it maps each hit
# to the owning process or kernel region
strings -a -td memory.dump > strings.txt
vol -f memory.dump windows.strings --strings-file strings.txt | grep "HTB{"

Step 6: File Extraction

# Find file objects in memory (case-insensitive: paths are mixed case)
vol -f memory.dump windows.filescan | grep -iE '\.(exe|dll|txt|pdf)'
# dumpfiles has no name filter: take the offset filescan reports (it scans the
# physical layer, so pass it as --physaddr) ...
vol -f memory.dump -o extracted/ windows.dumpfiles --physaddr 0x<offset>
# ... or dump every file handle and mapped image of one process
vol -f memory.dump -o extracted/ windows.dumpfiles --pid PID
# Pages that were not resident when the image was taken come back as gaps, so
# hash the result but expect a partial binary

Complete Volatility Analysis Script

#!/bin/bash
# Runs the plugins above in sequence; needs Volatility 3 (vol) and GNU strings on PATH.
set -u
DUMP="memory.dump"
OUTPUT_DIR="./volatility_output"
mkdir -p "$OUTPUT_DIR"
echo "[*] Volatility 3 Memory Forensics Analysis"
echo "[*] Dump: $DUMP"
# System Information
echo "[+] System Information..."
vol -f "$DUMP" windows.info > "$OUTPUT_DIR/1_system_info.txt"
# Process List (pslist walks the active list; psscan carves, so it also finds unlinked/exited processes)
echo "[+] Process List..."
vol -f "$DUMP" windows.pslist > "$OUTPUT_DIR/2_pslist.txt"
vol -f "$DUMP" windows.pstree > "$OUTPUT_DIR/3_pstree.txt"
vol -f "$DUMP" windows.psscan > "$OUTPUT_DIR/3_psscan.txt"
# Command Lines
echo "[+] Command Lines..."
vol -f "$DUMP" windows.cmdline > "$OUTPUT_DIR/4_cmdline.txt"
# Network Connections (netstat: live tables; netscan: carved, includes closed connections)
echo "[+] Network Connections..."
vol -f "$DUMP" windows.netstat > "$OUTPUT_DIR/5_netstat.txt"
vol -f "$DUMP" windows.netscan > "$OUTPUT_DIR/6_netscan.txt"
# Environment Variables
echo "[+] Environment Variables..."
vol -f "$DUMP" windows.envars > "$OUTPUT_DIR/7_envars.txt"
# Privileges
echo "[+] Process Privileges..."
vol -f "$DUMP" windows.privileges > "$OUTPUT_DIR/8_privileges.txt"
# File Scan
echo "[+] File Scan..."
vol -f "$DUMP" windows.filescan > "$OUTPUT_DIR/9_filescan.txt"
# String Scan (looking for flags): windows.strings needs a `strings -td` listing
# (decimal offsets) and maps each hit back to its owning process; scan ASCII and UTF-16LE
echo "[+] Searching for flags..."
strings -a -td "$DUMP" > "$OUTPUT_DIR/strings_ascii.txt"
strings -a -td -el "$DUMP" > "$OUTPUT_DIR/strings_utf16.txt"
cat "$OUTPUT_DIR/strings_ascii.txt" "$OUTPUT_DIR/strings_utf16.txt" > "$OUTPUT_DIR/strings_all.txt"
vol -f "$DUMP" windows.strings --strings-file "$OUTPUT_DIR/strings_all.txt" | grep "HTB{" > "$OUTPUT_DIR/10_flags.txt"
# Process Memory Dump (for interesting processes): PID is the first pslist column,
# the image name the third; --dump writes pid.<PID>.dmp into OUTPUT_DIR
echo "[+] Dumping process memory..."
for pid in $(awk '$1 ~ /^[0-9]+$/ && tolower($3) ~ /iexplore|powershell|cmd\.exe/ {print $1}' "$OUTPUT_DIR/2_pslist.txt"); do
    echo " [+] Dumping PID $pid..."
    vol -f "$DUMP" -o "$OUTPUT_DIR" windows.memmap --pid "$pid" --dump
done
echo "[+] Analysis complete. Results in $OUTPUT_DIR"
grep -r "HTB{" "$OUTPUT_DIR" || echo "[-] No flags found in initial scan"

Step 7: Advanced Memory Scanning

For deeper analysis:

# YARA-scan every process's memory regions (VADs) for a pattern; a bare string is
# wrapped into a rule for you, --wide also matches its UTF-16LE form (needs yara-python)
vol -f memory.dump windows.vadyarascan --yara-rules "HTB{" --wide
# Registry: list the hives in memory, then print a key (the Run keys are the usual
# persistence check) and the UserAssist entries recording what the user launched
vol -f memory.dump windows.registry.hivelist
vol -f memory.dump windows.registry.printkey --key 'Software\Microsoft\Windows\CurrentVersion\Run'
vol -f memory.dump windows.registry.userassist
# Carve MFT entries for file names, timestamps and the contents of small resident files
vol -f memory.dump windows.mftscan.MFTScan > mft.txt
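Steps 5 and 7 both lean on string scanning, and the detail that decides whether a scan finds anything is the encoding: `strings` without -el reports single-byte text only, while Windows keeps most paths, command lines and registry data in memory as UTF-16LE. The following added example (written for this page, not code from the writeup or from Volatility) scans a raw image for both encodings, records the byte offset of each hit, and formats the listing the way `strings -td` does, which is what windows.strings --strings-file consumes. The image is a constructed byte string with placeholder flag values, not the challenge dump.

```python
"""Encoding-aware string extraction for a raw memory image.

Added example for this page, not code from the writeup or from Volatility.
Scans for ASCII and UTF-16LE printable runs, locates flag-format text in
either encoding with its byte offset, and emits `strings -td` style lines
for `vol ... windows.strings --strings-file`. The image is constructed.
"""
import re

# Constructed sample image: padding, an ASCII flag, a UTF-16LE path, a UTF-16LE flag.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"HTB{ascii_example}"
    + b"\x00" * 8
    + "C:\\Users\\Public\\stage.ps1".encode("utf-16-le")
    + b"\xff" * 5
    + "HTB{utf16_example}".encode("utf-16-le")
    + b"\x00" * 4
)


def extract_strings(data, min_len=6):
    """Return (offset, text, encoding) for every printable run of at least
    min_len characters, in ASCII or UTF-16LE, sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # A UTF-16LE run of printable ASCII characters is "char NUL" repeated.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii"), "ascii") for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le"), "utf-16le") for m in utf16_re.finditer(data)]
    return sorted(found)


def find_flags(data, pattern=r"HTB\{[^}]*\}"):
    """Return (byte_offset, encoding, match) for flag-format text in either
    encoding; the offset points at the match itself, not at the run it sits in."""
    flag_re = re.compile(pattern)
    hits = []
    for offset, text, enc in extract_strings(data):
        width = 2 if enc == "utf-16le" else 1     # bytes per character in this encoding
        for m in flag_re.finditer(text):
            hits.append((offset + m.start() * width, enc, m.group()))
    return hits


def strings_file_lines(data, min_len=6):
    """Format runs like `strings -td` (decimal offset, space, text) so the
    listing can be passed to `vol ... windows.strings --strings-file`, which
    maps each offset back to the process or kernel region that owns it."""
    return [f"{offset:7d} {text}" for offset, text, _ in extract_strings(data, min_len)]


if __name__ == "__main__":
    for offset, enc, flag in find_flags(SAMPLE_IMAGE):
        print(f"{offset:#010x} [{enc}] {flag}")
    print("\n".join(strings_file_lines(SAMPLE_IMAGE)))
```

On the sample the ASCII-only pass sees one flag and the UTF-16LE pass the other, which is exactly the split an `strings | grep` without -el produces on a real dump. To run it on an image, read the file with open(path, "rb") and pass the bytes (or an mmap of it) to find_flags; the offsets are physical file offsets, which is what windows.strings expects in the listing.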

Key Forensics Techniques

  • Memory Dump Analysis: Understanding the kernel data structures that describe volatile state
  • Process Reconstruction: Building timeline from process artifacts
  • String Scanning: Finding evidence in unstructured memory
  • Network Forensics: Identifying C2 communications
  • Memory Extraction: Recovering executables and files
  • Artifact Timeline: Correlating multiple data sources
  • Registry Analysis: Understanding system configuration changes

Key Takeaways

  • Memory forensics captures volatile state lost after shutdown
  • Volatility is the de facto standard for Windows memory analysis
  • Paired plugins (pslist and psscan, netstat and netscan, pstree for parentage) provide complementary views; a difference between the list-walking and the carving plugin is itself evidence
  • String scanning can locate sensitive data in memory
  • Process injection and code caves can hide malicious behavior
  • Network connections reveal C2 infrastructure
  • Correlation of multiple artifacts builds stronger evidence
  • Memory analysis complements disk forensics

Flag: HTB{m3m0ry_4r7if4c7s_r3v34l_4ll}