Hello guys, today I wanted to share with you a little beginner-friendly memory forensics challenge from TryHackMe. Before we get started, here is a link to the room ![](https://hackmd.io/_uploads/rJLtwITla.png) link: https://tryhackme.com/room/memoryforensics

Let's get started without wasting time. Before you start playing around with memory forensics it is a good idea to have Volatility installed, because it can help you gather a lot of information from a memory dump. I will assume that you have already installed Volatility, and from there you are good to go. ![](https://hackmd.io/_uploads/HkYFFwaga.gif)

**Task 1** ![](https://hackmd.io/_uploads/SJQL_L6lp.png) I have already downloaded the image for task one and it is ready, so fire up your terminal. From the challenge description above, we have been given a memory dump and are asked, as forensic investigators, to find all the information in it. To retrieve John's password from the dump we first need to identify the image, which we can do with the **imageinfo** plugin ![](https://hackmd.io/_uploads/H1XXq8pga.png)

Now that we know from the suggested profiles that the memory dump's profile is **Win7SP1x64**, we can try to dump the hashes with the hashdump plugin, using the following command:

volatility -f Snapshot6.vmem --profile=Win7SP1x64 hashdump ![](https://hackmd.io/_uploads/H1XEiU6lp.png)

Since they only need John's password, just copy John's hash, save it into a file and crack it. For cracking you can use different methods: john, hashcat or an online service (I am going to use hashcat because it is simple and easy for me). ![](https://hackmd.io/_uploads/S1IXnUpea.png) As you can see over there, I have copied the hash into the hash.txt file, ready to be cracked, and my hashcat run just finished without cracking it, because I had already cracked it, so I just used hashcat hash.txt /usr/share/wordlists/rockyou.txt --show

**Method 2:** of cracking the hash is to copy the last part of the hash (the NT hash, 47fbd6536d7868c873d5ea455f2fc0c9) and crack it online with CrackStation.

**TASK 2** (make sure you download the second image) ![](https://hackmd.io/_uploads/HyzP68pg6.png) Task 2 is the analysis part, so as forensic investigators we need to analyse the situation here. Let's begin ![](https://hackmd.io/_uploads/Hy4A6L6xp.png)

**Question 1:** when was the machine last shut down? We can use the following command to get the time; what matters here is the **shutdowntime** plugin and the profile Win7SP1x64. command: volatility -f Snapshot19.vmem --profile=Win7SP1x64 shutdowntime ![](https://hackmd.io/_uploads/HJWfJwTla.png) and there we finally get the time.

**Question 2:** for this question what we need is the cmdscan plugin, which scans for the commands John was typing into the terminal or cmd; on Windows these are kept in the console's command history (COMMAND_HISTORY) structures. ![](https://hackmd.io/_uploads/S1a-xvTx6.png) command: volatility -f Snapshot19.vmem --profile=Win7SP1x64 cmdscan ![](https://hackmd.io/_uploads/ryWPeDTga.png)

**TASK 3:** (last but not least) this question needs us to find the TrueCrypt passphrase, which we can retrieve with the following plugin ![](https://hackmd.io/_uploads/SyCIZDaxa.png) command: volatility -f Snapshot14.vmem --profile=Win7SP1x64 truecryptpassphrase ![](https://hackmd.io/_uploads/SyqRWDTl6.png) And there we can see we get the passphrase and the memory location where it is stored. ![](https://hackmd.io/_uploads/ryr7FD6xp.gif)