We are provided with a Windows 7 memory dump. Let’s begin our initial analysis.

## Initial Analysis

$ volatility -f MemoryDump_Lab4.raw --profile=Win7SP1x64 pslist

There is nothing particularly interesting in the pslist output except for the Sticky Note process. Hmm, perhaps there is something written in it. To keep it short, there was nothing important written in the clipboard. It was a small rabbit hole. Now let us proceed to the files present in the system.

$ volatility -f MemoryDump_Lab4.raw --profile=Win7SP1x64 filescan | grep Desktop

There are interesting files present on the desktop. The files Important.txt, galf.jpeg & Screenshot1.png are of special interest. Let us try to dump them :)

$ volatility -f MemoryDump_Lab4.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003e8ad250 -D dump

Now we have dumped the file galf.jpeg. However, basic steg techniques on the file yield nothing, so it is useless.

$ volatility -f MemoryDump_Lab4.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003e8d19e0 -D dump

Now we have dumped the file Screenshot1.png. However, basic steg techniques on this file yield nothing either, so it is useless.

## Flag

The important thing in this lab, and the main trick, is to get the data present in the file Important.txt. dumpfiles will not be able to dump this file because it has been deleted, but its contents are still present in memory. If you understand the Master File Table (MFT), you know that we can access the data as long as the data blocks have not been overwritten.

For this, we take the help of the mftparser plugin.

$ volatility -f MemoryDump_Lab4.raw --profile=Win7SP1x64 mftparser > mft.txt

So let us search mft.txt for the data blocks of the file Important.txt.

Aha! Now we see the characters of the flag, separated by an irregular number of spaces.

So, combining them we got the flag: inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3}.
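The search and the combining step can also be done programmatically. The Python script below is an added example, not part of the original write-up: it finds the MFT entry for a file name in mftparser's text output, rebuilds the $DATA bytes from the hexdump rows and removes the whitespace padding. The sample text is constructed and its layout is an assumption modelled on Volatility 2's output; `resident_data` and `squeeze` are hypothetical helper names.

```python
import re

# Constructed sample, modelled on the text output of Volatility 2's mftparser
# (layout assumed, columns trimmed); paths, offsets and bytes are made up.
SAMPLE = r"""
***************************************************************************
MFT entry found at offset 0x1000
Attribute: In Use & File
Record Number: 100

$FILE_NAME
Creation                       Name/Path
2019-01-01 00:00:00 UTC+0000   Users\example\Desktop\notes.txt

$DATA
0000000000: 68 65 6c 6c 6f                                    hello

***************************************************************************
MFT entry found at offset 0x2000
Attribute: File
Record Number: 200

$FILE_NAME
Creation                       Name/Path
2019-01-01 00:00:00 UTC+0000   Users\example\Desktop\Important.txt

$DATA
0000000000: 64 0d 0a 0d 0a 20 20 33 09 6d 0d 0a 30 20 20 20   d....  3.m..0
0000000010: 5f 0d 0a 6f 6b                                    _..ok
"""

# One hexdump row: 10-digit offset, then up to 16 byte values; the ASCII column is ignored.
HEX_ROW = re.compile(r"^[0-9a-f]{10}:((?: [0-9a-f]{2}){1,16})", re.M)

def resident_data(mft_text, filename):
    """Return the $DATA bytes of each MFT entry whose name section mentions filename."""
    found = []
    for entry in re.split(r"^\*{20,}\s*$", mft_text, flags=re.M):
        names, _, data = entry.partition("$DATA")
        if data and filename.lower() in names.lower():
            hexstr = "".join(HEX_ROW.findall(data)).replace(" ", "")
            found.append(bytes.fromhex(hexstr))
    return found

def squeeze(raw):
    """Drop the spaces, tabs and CR/LF that pad the characters apart."""
    return "".join(raw.decode("latin-1").split())

if __name__ == "__main__":
    for raw in resident_data(SAMPLE, "Important.txt"):
        print(repr(raw), "->", squeeze(raw))
```

To run it against the real output, read mft.txt and pass its contents in place of `SAMPLE`.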

That’s how you finish this MemLabs, Lab – 4.

If you like my solution, please do share it. I’m available on Twitter: @NihithNihi