MemLabs is an educational, introductory set of CTF-styled challenges aimed at encouraging students, security researchers and CTF players to get started in the field of Memory Forensics.

The labs, created by @_abhiramkumar, are really useful for beginners starting out with Memory Forensics.

The memory files and descriptions are available in his GitHub repo.
If you have any trouble with the commands used, you can refer to the Volatility command reference.

Lab - 1 Writeup

We are provided with a Windows 7 memory dump. To find out which OS the memory dump came from, we can use the imageinfo plugin to identify the profile. Let's begin with the initial level of analysis.

$ volatility -f MemoryDump_Lab1.raw imageinfo

imageinfo output

Now that we have the profile, we can use it to list the processes that were running at the time of the memory capture.

$ volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist

pslist output

As we can see above, cmd, mspaint and WinRAR are among the active running processes.

Flag - 1

So let us see what is there in cmd.exe.

$ volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 consoles

consoles output
You can see a base64 string. After decoding the base64, we get the first flag: flag{th1s_1s_th3_1st_st4g3!!}

Flag - 2

As mspaint is also an active running process, let us check it out.
To find out what is loaded in mspaint, first we need to dump the memory of mspaint.exe (PID 2424) as shown below.

$ volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 memdump -p 2424 -D dump

Memdump MSPaint
Next, we need to change the extension of 2424.dmp and open it using GIMP (GNU Image Manipulation Program).
After opening the image in GIMP, this is what we get:

load in gimp

After adjusting the width and height values using the up and down arrows, we will see something similar to this.

modify height and width

After resizing the image to a readable size, we get something similar to this:

flag - 2

Here you get the second flag.
Flag: flag{G00d_BoY_good_girL}

Flag - 3

As WinRAR is also running, some sort of archive must have been opened. So let us search the given memory dump for an archive.

$ volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 filescan | grep Documents

Documents filescan output

Here, we can see a file Important.rar in the Documents folder. So we will dump it and check it out.

$ volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fa3ebc0 -D dump

Dumpfiles Important.rar

However, the archive is password protected, and brute-forcing the password is not intended at all. So let us run the unrar command on it and see what we get.

unrar output

It says: “Password is NTLM hash(in uppercase) of Alissa’s account passwd”.
We can get the NTLM hash of Alissa’s account using the hashdump plugin.

$ volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 hashdump

hashdump output

So, using Alissa Simpson’s hash (f4ff64c8baac57d22f22edc681055ba6) in uppercase as the password for the RAR archive, we get the flag.

So finally we get the third flag.

flag - 3
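As an added helper (not part of the original writeup or of MemLabs), the Flag 3 steps above in Python: parse Volatility 2 hashdump output into per-account LM/NT hashes, produce the uppercase NT hash the archive comment asks for, and pull the Important.rar offset out of filescan output to build the dumpfiles command. The sample outputs are constructed: Alissa's hash and the 0x000000003fa3ebc0 offset are the ones from this writeup, the other rows and the path under \Users\Alissa are made up.

```python
import re

# Constructed sample of Volatility 2 hashdump output (pwdump format:
# user:rid:lm_hash:nt_hash:::). The Alissa row is from the writeup, the
# Administrator row is a made-up example with the well-known empty-password NT hash.
HASHDUMP_SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Alissa Simpson:1003:aad3b435b51404eeaad3b435b51404ee:f4ff64c8baac57d22f22edc681055ba6:::
"""

# Constructed sample of Volatility 2 filescan output (header, separator, rows).
FILESCAN_SAMPLE = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003fa3ebc0     16      0 R--r-d \\Device\\HarddiskVolume2\\Users\\Alissa\\Documents\\Important.rar
0x000000003fb12340      2      0 R--rwd \\Device\\HarddiskVolume2\\Users\\Alissa\\Documents\\notes.txt
"""

def parse_hashdump(output):
    """Map each account name to its RID and lowercase LM/NT hashes."""
    accounts = {}
    for line in output.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # blank or malformed line
        user, rid, lm, nt = parts[0], parts[1], parts[2], parts[3]
        accounts[user] = {"rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}
    return accounts

def rar_password_for(output, user):
    """The archive comment asks for the NT(LM) hash in uppercase."""
    return parse_hashdump(output)[user]["nt"].upper()

FILESCAN_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+\d+\s+\d+\s+\S+\s+(\S.*)$")

def find_file_offsets(filescan_output, name_pattern):
    """Return [(offset_int, path)] for filescan rows whose path matches the regex."""
    wanted = re.compile(name_pattern, re.IGNORECASE)
    hits = []
    for line in filescan_output.splitlines():
        m = FILESCAN_ROW.match(line)
        if m and wanted.search(m.group(2)):
            hits.append((int(m.group(1), 16), m.group(2).strip()))
    return hits

def dumpfiles_command(image, profile, offset, outdir="dump"):
    """Build the dumpfiles invocation with the offset in Volatility's 0x-padded form."""
    return f"volatility -f {image} --profile={profile} dumpfiles -Q {offset:#018x} -D {outdir}"

if __name__ == "__main__":
    for off, path in find_file_offsets(FILESCAN_SAMPLE, r"Important\.rar$"):
        print(dumpfiles_command("MemoryDump_Lab1.raw", "Win7SP1x64", off), "#", path)
    print("RAR password:", rar_password_for(HASHDUMP_SAMPLE, "Alissa Simpson"))
```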

That’s how you finish MemLabs Lab 1.

If you like my solution, please do share it. I’m available on Twitter: @NihithNihi