HackTheBox Forensics Challenge (Reminiscent) Write-Up

  • contactalex871
  • Feb 25
  • 1 min read

Step 1: Install Volatility 3


Step 2: List the processes in the captured RAM image

(Not much can be told from the process list alone, but it will be referred back to later.)


Step 3: Check live network connections

The supplied file Resume.eml contains a link to an IP address that hosts the resume file.

Running a netscan shows that powershell.exe has a connection to that same IP address, which looks suspicious.

*Port 80 is the port number assigned to HTTP, the protocol commonly used for web traffic.

Step 4: Check the command line used to launch powershell.exe

(the PID for powershell.exe is 2752)


Step 5: Take the string after -enc and base64-decode it.
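As an added example (not code from the original write-up), the Python script below automates steps 3 to 5: it picks out the netscan rows whose foreign address matches the IP taken from the e-mail, then extracts and decodes the base64 blob after -enc. The netscan rows, the IP address and the encoded command are all constructed stand-ins, laid out in the column order of Volatility 3's windows.netscan output.

```python
import base64
import re

# Constructed sample rows in the column layout of Volatility 3 windows.netscan
# (Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created).
# All values are made up; 192.0.2.10 is a documentation address, not a real IoC.
NETSCAN_SAMPLE = """\
0xe00123456789 TCPv4 10.0.0.5 49201 192.0.2.10 80 ESTABLISHED 2752 powershell.exe 2017-10-04 18:06:20.000000
0xe0012345abcd TCPv4 10.0.0.5 49177 198.51.100.7 443 ESTABLISHED 1784 chrome.exe 2017-10-04 18:01:02.000000
0xe00123457777 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 704 svchost.exe 2017-10-04 17:59:11.000000
"""

# In the challenge this address comes from the link inside Resume.eml; constructed here.
IOC_IP = "192.0.2.10"


def connections_to(netscan_text, ip):
    """Return (pid, owner, foreign_port) for every netscan row whose foreign address is ip."""
    hits = []
    for line in netscan_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # header, blank or truncated row
        foreign_addr, foreign_port, pid, owner = fields[4], fields[5], fields[7], fields[8]
        if foreign_addr == ip:
            hits.append((int(pid), owner, int(foreign_port)))
    return hits


# powershell.exe accepts any unambiguous prefix of -EncodedCommand, case-insensitively.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Pull the base64 blob after -enc and decode it; -EncodedCommand carries UTF-16LE text."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16le")


# Constructed stand-in for the windows.cmdline output of PID 2752: a harmless command
# encoded exactly the way -EncodedCommand expects (base64 over UTF-16LE).
SAMPLE_SCRIPT = "Write-Output 'hello from pid 2752'"
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

if __name__ == "__main__":
    for pid, proc, port in connections_to(NETSCAN_SAMPLE, IOC_IP):
        print(f"PID {pid} ({proc}) is connected to {IOC_IP}:{port}")
    print(decode_encoded_command(SAMPLE_CMDLINE))
```

On a real image, paste the netscan output and the cmdline row for the flagged PID in place of the constructed samples.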
