We are provided with a Memory dump and was asked to decrypt the encrypted contents of an archive file.

To get the entire description and other details, visit Hacktoria.

We shall use Volatility to extract useful evidences from the provided memory dump.

For this challenge, I will be using Volatility 2. Get it from official github repo

Initial Analysis

Let’s start our analysis by finding the profile of the memory dump provided.

$ -f .\CompromisedSystemMem.vmem imageinfo

As you can see from the above image, the identified profile is: Win7SP1x86_23418

Let’s use that profile and check what all processes were running at the time of capturing this memory dump.

Running Processes

We shall use pslist plugin from volatility to get all the process that are running at the time of memory capture.

$ -f .\CompromisedSystemMem.vmem --profile=Win7SP1x86_23418 pslist

As we can see from the above image(highlighted in RED), processes, cmd.exe, conhost.exe and ipconfig.exe got exitted and the content might not be available in memory to investigate.

We can also see that notepad.exe process is running, which means, there are some text files open on the system when the memory capture.

To find these text files we can make use of handles or filescan plugins.

Finding the text file

We shall use the filescan plugin and grep through these entries to get all the text files.

$ -f .\CompromisedSystemMem.vmem --profile=Win7SP1x86_23418 filescan | Select-String "\.txt"

Two important things to notice are note.txt and Flag.txt files.

Let’s try to dump the Flag.txt file using dumpfiles plugin and check its retrieved contents.

$ -f .\CompromisedSystemMem.vmem --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003d9339a0 -D .

From the above image, we can see it is a Datasource object to the contents for this file have been retrieved successfully.

We can see that we have successfully retrieved the flag.



Now let’s use this flag as the password for the FLAGFILE provided to retrieve the contract card.