Overview
This project focuses on analyzing a memory dump (Emperor.vmem) to extract credentials, decrypt an encrypted archive, and recover hidden artifacts. The investigation simulates a real-world DFIR scenario involving encrypted data, decoy files, and memory artifact extraction using the Volatility Framework.
Key Skills Demonstrated
- Memory forensics (Volatility)
- OS profile identification & kdbgscan analysis
- Credential extraction via `strings` + `grep`
- Encrypted archive extraction (7z)
- MD5 hash identification & validation
- Investigative triage of decoy files
- Linux terminal workflow
Tools Used
- Volatility 2.6: extract OS profile, analyze memory, enumerate processes
- `strings` + `grep`: locate username/password artifacts in memory
- 7zip: extract the encrypted `.7z` archive
- Linux terminal: full command-line analysis environment
Investigation Summary
- Identified suspicious encrypted file `gift.7z`
- Located hidden reference to `ew4!suspicious.docx`
- Analyzed `Emperor.vmem` to determine the OS profile (Win2016x64_14393)
- Used `strings | grep` to extract credentials from the memory image
- Decrypted the archive and uncovered `secrets.txt`
- Extracted MD5 hash: 0f235385d25ade312a2d151a2cc43865
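The triage workflow summarised above, as an added shell example that is not part of the project's own files. Volatility 2.6 (`vol.py`) and `7z` are called with their standard command-line syntax and must be installed for steps 1 and 3; the file names `Emperor.vmem`, `gift.7z` and `secrets.txt` come from the write-up, while the credential search pattern, the password/output-directory arguments and the sample `strings` output used below are constructed assumptions.

```shell
#!/bin/sh
# Added example: memory-dump triage workflow (profile -> credentials -> archive -> hash).
# Assumptions: vol.py (Volatility 2.6) and 7z are on PATH; the regex below is a
# generic credential heuristic, not taken from the original report.

IMAGE="${1:-Emperor.vmem}"

# Step 1: identify the OS profile from the KDBG scan (needs Volatility 2.6).
# Prints the first suggested profile, e.g. Win2016x64_14393.
identify_profile() {
    vol.py -f "$IMAGE" kdbgscan 2>/dev/null | grep -i 'Profile suggestion' | head -1
}

# Step 2: filter strings output for credential-looking lines.
# Reads from stdin so it works on real output (strings -a "$IMAGE" | grep_credentials)
# or on a constructed sample; matches user/username/pass/password/pwd followed by : or =.
grep_credentials() {
    grep -iE '(user(name)?|pass(word|wd)?|pwd)[[:space:]]*[:=]'
}

# Step 3: extract the encrypted archive with the recovered password.
# Usage: extract_archive gift.7z 'recovered-password' ./out
extract_archive() {
    7z x -p"$2" -o"$3" "$1" >/dev/null
}

# Step 4: compute the MD5 of a recovered file and compare it with the expected value.
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
verify_md5() {
    [ -f "$1" ] || return 2
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Full run (uncomment when the tools and dump are present):
# identify_profile
# strings -a "$IMAGE" | grep_credentials
# extract_archive gift.7z 'recovered-password' ./out
# verify_md5 ./out/secrets.txt 0f235385d25ade312a2d151a2cc43865 && echo "hash matches"
```

`grep_credentials` is deliberately a coarse first pass: on a real dump it will surface plenty of noise (form field names, registry values), which is why the write-up pairs it with manual review of the surrounding strings before trying a candidate password on the archive.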
MITRE ATT&CK Mapping
- TA0006: Credential Access
- T1003: OS Credential Dumping
- T1555: Credentials from Password Stores
Full Report
See: https://github.com/user-attachments/files/23512460/Imperial.Memory.report.docx.pdf