DFIR Blog
  • Infosec
    • Blog
    • Threat Landscape
  • Digital Forensics
    • Windows Forensics
    • Mac Forensics
    • Memory Forensics
    • Forensic Resources
  • Incident Response
  • CISSP
    • Domain-1
    • Domain-2
    • Domain-3
    • Domain-4
    • Domain-5
    • Domain-6
    • Domain-7
    • Domain-8
  • Contact
  • HTB
  • Productivity

Memory Forensics

4. Name Game

3/31/2019

 
Picture
Picture

Rick just loves to play some good old videogames. can you tell which game is he playing? whats the IP address of the server?

3/31/2019

 
Picture
vol.py -f OtterCTF.vmem --profile=Win7SP1x64 netscan

  • CTF{LunarMS} from process list
  • CTF{77.102.199.102} from netscan

Question 2:Let's start easy - whats the PC's name and IP address?

3/31/2019

 
Picture

vol.py -f OtterCTF.vmem --profile=Win7SP1x64 netscan
192.168.202.131


Otter Memory CTF - Question 1: What is the password?

3/31/2019

 
In this blog post, I'll be solving the Otter2018 Memory Forensics CTF Challenge. Alongside the challenge, I'll be share the key concept of memory forensics as well. The blog post will be an excellent start for the beginners. Lets start:

1) What is the password? The first question is for 100 Points:
You got a sample of rick's PC's memory. can you get his user password? format: CTF{...}
Image download link:
https://mega.nz/#!sh8wmCIL!b4tpech4wzc3QQ6YgQ2uZnOmctRZ2duQxDqxbkWYipQ



Solution: I'll be using "Volatility Foundation Volatility Framework 2.6" for the analysis of the memory image. Couple of things we need to do as soon as we get a memory image is to identify the profile of the image.

You can do it by simply running the following command:
vol.py  -f  '/home/ace/Documents/CTF/memory/OtterCTF.vmem'  imageinfo
Picture
Picture
 Investigation Tips: Lot of useful information here:
1) Suggested Image Profile: We'll use Win7SP1x64 for this case
2) Image Date and Time in UTC:  2018-08-04 19:34:22 UTC+0000

The first place to look for is lsasecrents use this command
vol.py -f OtterCTF.vmem --profile=Win7SP1x64 lsadump

Another cool plugin is mimikatz

Picture
Volatility offer an amazing plugin called 'clipboard' clipboard - Extract the contents of the windows clipboard. We'll use this plugin to see the content present in the clipboard.

Picture
This might be useful for future questions.



    Archives

    August 2019
    July 2019
    April 2019
    March 2019

    Categories

    All
    Ctf
    Defcon
    DFIR
    Forensics
    Memory
    Memory Forensics

    RSS Feed

  • Infosec
    • Blog
    • Threat Landscape
  • Digital Forensics
    • Windows Forensics
    • Mac Forensics
    • Memory Forensics
    • Forensic Resources
  • Incident Response
  • CISSP
    • Domain-1
    • Domain-2
    • Domain-3
    • Domain-4
    • Domain-5
    • Domain-6
    • Domain-7
    • Domain-8
  • Contact
  • HTB
  • Productivity