-

MAGNET WEEKLY CTF #9


 


 



This week begins our forensic analysis of information resident in the RAM of a Windows host when the memory was captured. The acquisition software created a .mem file that I 
examined using Volatility as well as MemProcFS.
MemProcFS allows the investigator to view the
memory dump files in a virtual file system,
allowing the files to be viewed using Windows Explorer.


Part 1involves a conversation:
 
 
 

My first step was to look at the image with Volatility, so I needed to get the image info...

...then use pslist, to get an idea of which processes were running.


Of the many options, two stood out to me as potentially containing text – slack and WINWORD: 

 
 
 I dumped the suspect processes to files...
 
 
...ran strings | grep "password" on all of them,
and discovered this:
 


 
 
Success!
 
 
On to Part 2:
 
 
 

At first, despite my suspicions at the solution was as simple as creating an MD5 hash of my 3180.dmp file, I tried it because, after all, that is technically the file that I recovered the password from.


 
No go. Keep digging...


A grep of "uncrackable_password" in the MemProcFS file output found this:
 

MD5 the file:
 

 
 
That's it!
 
Next, 
 

 
 A stat of the WRD0000.tmp file was frustrating
 

 
 
But a search of the auto-recovery .asd file yielded this:

 

 
 
That's the one!
 
On to Part 4:
 


 
 
A search of the MemProcFS linked Warren to the WRD0000.tmp file:
 
 
 
 
And a look at the associated sid.txt file reveals the user ID:
 



 
 
 

 

One more...





And a look at the SOFTWARE registry hive in MemProcFS gives us the version number of the software that
created the document:








and that's it for another week!






















 







Comments

Post a Comment

Popular posts from this blog

-
Image
  MAGNET WEEKLY CTF #4 This is the final question that refers to the Android image.   Thanks to the elephant-sized hint, I'll be narrowing my search to:   and search for a GUID, which will be in this format:   (according to Kalid Azad )   Following the philosophy of @CiofecaForensic and team NoToolsJustRight, I'm still using only open-source tools.   (Primarily because I believe that the best way to get the most complete answer is to know what is going on under the hood, but also because I'm a student without LEO or corporate access to the commercial toys.)   Starting with the awesome (especially in dark mode) ALEAPP from @AlexisBrignoni, I discovered this phishy item under recent activity : That looks like the answer, but is Effective_UID the same as the GUID?   I'm assuming it's related somehow, but the format is wrong. 10239 is not the enormous 128-bit number I'm looking for.   There's probably some way to view the GUID in ALEAPP, but it will require fu
Read more
-
Image
  MAGNET WEEKLY CTF #5 This is the first question that refers to  a Linux image shared by Ali Hadi, Assistant Professor at Vermont's Champlain College .     The question refers to the original filename of a block ID. The relationship between filenames and block ID's in Linux was not readily apparent to me, even after a Google search which led me to a SANS presentation by Kevvie Fowler which involved using hdfs terminal commands (only viable after loading Hadoop tools on Linux) and perfoming a "checkpoint" to ensure accurate results...maybe there's an easier way. My next stop after loading the file HDFS-MASTER.E01 into Autopsy was to check   /home/hadoop/.bash_history   to see if a file had been copied and enter the original filename as the flag. mapred-site.xml.template was not the answer, however.   Fortunately, I had multiple tries at the answer this week. A keyword search in Autopsy for the block ID: Turned up this related file: Which was not the answer, eit
Read more