This writeup will go over the solution for the hard forensics challenge named Reflection. To solve this challenge, a player needs to detect and retrieve an injected malicious DLL file from a memory dump.
You and Miyuki have succeeded in dis-empowering Draeger's army in every possible way. Stopped their fuel-supply plan, arrested their ransomware gang, prevented massive phishing campaigns, and understood their tactics and techniques in depth. Now it is the time for the final blow. The final preparations are completed. Everyone is in their stations waiting for the signal. This mission can only be successful if you use the element of surprise. Thus, the signal must remain a secret until the end of the operation. During some last-minute checks, you notice some weird behavior in Miyuki's PC. You must find out if someone managed to gain access to her PC before it's too late. If so, the signal must change. Time is limited, and there is no room for errors.
For this challenge, we are given a memory dump. When dealing with a memory forensics challenge, our tool of choice is usually Volatility.
First, we need to determine the correct profile so that Volatility can analyse the sample. The imageinfo command identifies the operating system, service pack and architecture, and suggests matching profiles.
python2 volatility/vol.py -f memory.raw imageinfo
The profile to use is Win7SP1x86_23418.
A good first step when analysing a memory dump is to enumerate the running processes. The pstree command prints the process list as a tree, so parent-child relationships are visible at a glance.
python2 volatility/vol.py -f memory.raw --profile=Win7SP1x86_23418 pstree
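To make the pstree listing easier to triage, here is an added helper (not part of the original writeup) that parses Volatility 2 pstree output into records and answers the questions one asks of it first: which processes hang under a given parent, and which ones have a parent that is no longer in the listing. The sample output is constructed, not taken from the challenge dump.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "depth offset name pid ppid threads handles start")

# Volatility 2 pstree rows: leading dots give the nesting depth, then
# offset:name, Pid, PPid, Thds, Hnds and the creation time.
ROW = re.compile(
    r"^(?P<dots>\.*)\s*(?P<off>0x[0-9a-fA-F]+):(?P<name>\S+)\s+(?P<pid>\d+)\s+"
    r"(?P<ppid>\d+)\s+(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<time>.*)$"
)

# Constructed sample output (not the challenge dump), in the layout vol.py prints.
SAMPLE_PSTREE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x84f3d020:System                                      4      0     86    546 2021-10-10 12:00:00 UTC+0000
. 0x85e1a030:smss.exe                                 264      4      2     29 2021-10-10 12:00:01 UTC+0000
 0x86157d40:csrss.exe                                 344    336      9    548 2021-10-10 12:00:02 UTC+0000
 0x86180030:wininit.exe                               384    336      3     78 2021-10-10 12:00:02 UTC+0000
. 0x86203d40:services.exe                             480    384      8    222 2021-10-10 12:00:03 UTC+0000
.. 0x86432030:svchost.exe                             612    480     10    350 2021-10-10 12:00:04 UTC+0000
. 0x86210a08:lsass.exe                                488    384      7    570 2021-10-10 12:00:03 UTC+0000
 0x86aa0d40:explorer.exe                             1620   1588     30    912 2021-10-10 12:01:00 UTC+0000
. 0x86bb2030:notepad.exe                             2044   1620      1     60 2021-10-10 12:05:00 UTC+0000
"""

def parse_pstree(text):
    """Turn pstree output into Proc records, skipping the header and rule lines."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs.append(Proc(len(m["dots"]), m["off"], m["name"], int(m["pid"]),
                              int(m["ppid"]), int(m["thds"]), int(m["hnds"]),
                              m["time"].strip()))
    return procs

def children(procs, pid):
    """Direct children of a PID, in listing order."""
    return [p for p in procs if p.ppid == pid]

def orphans(procs):
    """Processes whose parent is absent from the listing (it already exited).
    Expected for csrss/wininit (their smss instance is gone) and for explorer
    (userinit is gone), so hits are leads to check, not proof of anything."""
    live = {p.pid for p in procs}
    return [p for p in procs if p.ppid != 0 and p.ppid not in live]
```

Feed it the saved output of the pstree command above and compare the orphan list and the children of services.exe against what you expect on a clean Windows 7 host.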