This was probably the easiest memory forensics challenge that I have ever attempted. Sadly I could not get the first blood on this one, as I had to leave for dinner 😛
Challenge Description
The description does not provide anything, so let us look at the file 🙂
Link to challenge file: Mega Link
Solution
Okay, let us take a look at the challenge file. It is a Windows XP memory dump.
Hmm, let me see the command history using the cmdscan plugin.

Okay, let us have a look at what files are present in the directory mentioned above.

The next step is quite predictable: dump the file. Simple,
$ volatility -f husky_memory.raw --profile=WinXPSP2x86 dumpfiles -Q 0x0000000002c5dd18 -D .
Let us analyze what file this is by opening it in a hex editor.

So after correcting the archive, we see that it is a locked archive. Hmm, I had to search for the password. Luckily I guessed that the folder name was in l33t, so it could be the password. Voila, and we got the flag.
ISITDTU{1_l0v3_huskyyyyyyy<3}
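As an added helper for the "correcting the archive" step (this is example code, not from the writeup), assuming the dumped file is a ZIP whose first local file header signature was overwritten: it identifies the archive from its magic bytes, restores the signature using the offset stored in the intact central directory, and reports whether entries are flagged as encrypted before anyone starts guessing passwords.

```python
import io
import struct
import zipfile

# Signatures a hex editor would show at offset 0 for common archive formats.
MAGICS = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def identify(data: bytes) -> str:
    """Return the archive type implied by the leading magic bytes, or 'unknown'."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def repair_zip_local_header(data: bytes) -> bytes:
    """Restore 'PK\\x03\\x04' on the first local file header if the end-of-central-
    directory record and central directory are intact; other damage is left alone."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        return data
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]  # EOCD: CD offset at +16
    if data[cd_offset:cd_offset + 4] != b"PK\x01\x02":
        return data
    local_off = struct.unpack_from("<I", data, cd_offset + 42)[0]  # CD entry: local hdr offset at +42
    fixed = bytearray(data)
    fixed[local_off:local_off + 4] = b"PK\x03\x04"
    return bytes(fixed)


def zip_entries_encrypted(data: bytes) -> dict:
    """Map entry name -> True when general-purpose bit 0 (traditional encryption) is set."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: bool(info.flag_bits & 0x1) for info in zf.infolist()}


def build_sample() -> bytes:
    """Constructed sample: a small unencrypted ZIP whose first four bytes were zeroed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "not the real flag")
    raw = bytearray(buf.getvalue())
    raw[0:4] = b"\x00\x00\x00\x00"
    return bytes(raw)
```

Run `zip_entries_encrypted(repair_zip_local_header(build_sample()))` to see the sample go from "unknown" to a readable, unencrypted ZIP; on the real dump, a `True` value is the sign that a password is needed.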
Thanks!!