This was probably the easiest memory forensics challenge that I ever attempted. Sadly I could not get the first blood in this as I had to leave for dinner 😛
The description does not provide anything, so let us look at the file 🙂
Link to challenge file: Mega Link
Okay, let us take a look at the challenge file. It is a Windows XP memory dump.
Hmm, let me see the command history using the cmdscan plugin.
Okay, let us have a look at what files are present in the above-mentioned directory/folder.
The next step is quite predictable: dump the file. Simple,
$ volatility -f husky_memory.raw --profile=WinXPSP2x86 dumpfiles -Q 0x0000000002c5dd18 -D .
Let us analyze what file this is. Let us open it in a hex editor.
So after correcting the archive, we see that it is a locked archive. Hmm, I have to search for the password. Luckily I guessed that the folder name was in l33t, so it could be the password. Voila, and we got the flag.
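To make the filescan-to-dumpfiles step above repeatable, here is an added example (not part of the original writeup) that parses Volatility 2 filescan output, picks the entries under a given folder, builds the matching dumpfiles command, and checks the dumped file's magic bytes before reaching for the hex editor. The filescan lines, the folder name h1dd3n and the file name are constructed placeholders; only the offset, image name and profile come from the writeup.

```python
import re

# Constructed sample of Volatility 2 `filescan` output (not taken from the real dump).
# Folder and file names are placeholders; the second offset is the one the writeup dumps.
FILESCAN_SAMPLE = r"""Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x0000000002b1a7f8      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\kernel32.dll
0x0000000002c5dd18      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\Desktop\h1dd3n\secret.bin
"""

# One filescan row: physical offset, #Ptr, #Hnd, access flags, then the path (may contain spaces).
FILESCAN_RE = re.compile(r"^(0x[0-9a-fA-F]{16})\s+\d+\s+\d+\s+\S+\s+(.+?)\s*$")


def parse_filescan(text):
    """Return a list of (offset_int, path) tuples from Volatility 2 filescan output."""
    rows = []
    for line in text.splitlines():
        m = FILESCAN_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(2)))
    return rows


def find_in_folder(rows, folder):
    """Keep only rows whose path has `folder` as a directory component (case-insensitive)."""
    needle = "\\" + folder.lower() + "\\"
    return [(off, path) for off, path in rows if needle in path.lower()]


def dumpfiles_cmd(image, profile, offset):
    """Build the dumpfiles invocation for one physical offset, zero-padded like filescan prints it."""
    return f"volatility -f {image} --profile={profile} dumpfiles -Q 0x{offset:016x} -D ."


# Common archive signatures, for the "what file is this" check on the dumped bytes.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def identify_archive(data):
    """Return the archive type whose magic the data starts with, or None if the header is unknown/damaged."""
    for magic, name in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


if __name__ == "__main__":
    rows = find_in_folder(parse_filescan(FILESCAN_SAMPLE), "h1dd3n")
    for off, path in rows:
        print(path)
        print(dumpfiles_cmd("husky_memory.raw", "WinXPSP2x86", off))
```

A return value of None from identify_archive is the cue that the header needs inspection in a hex editor, as in the writeup.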