Statement

State of the art
A memory dump <3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| $ volatility -f challenge.dmp imageinfo
[Some garbage errors]
Suggested Profile(s) : Win10x64_17134, Win10x64_10240_17770, Win10x64_14393, Win10x64_10586, Win10x64, Win2016x64_14393, Win10x64_16299, Win10x64_15063 (Instantiated with Win10x64_15063)
AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
AS Layer2 : WindowsCrashDumpSpace64 (Unnamed AS)
AS Layer3 : FileAddressSpace (/home/monique/Téléchargements/bretstiles/challenge.dmp)
PAE type : No PAE
DTB : 0x1aa000L
KDBG : 0xf80150ad4a60L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xfffff80150b2d000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2018-11-05 20:50:14 UTC+0000
Image local date and time : 2018-11-05 12:50:14 -0800
|
Yay Windows 10… :'(
Find the right profile
First things to do is finding the correct Windows 10 profile for volatility. After some test, I finally find: Win10x64_10586
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| $ volatility -f challenge.dmp --profile=Win10x64_10586 pstree
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xffffe0009342b680:System 4 0 103 0 2018-11-05 20:47:01 UTC+0000
. 0xffffe00094897040:smss.exe 272 4 3 0 2018-11-05 20:47:01 UTC+0000
.. 0xffffe000952c6080:smss.exe 412 272 0 ------ 2018-11-05 20:47:08 UTC+0000
... 0xffffe000951e8540:csrss.exe 432 412 10 0 2018-11-05 20:47:08 UTC+0000
... 0xffffe00095395080:winlogon.exe 484 412 5 0 2018-11-05 20:47:08 UTC+0000
.... 0xffffe0009566d640:dwm.exe 772 484 12 0 2018-11-05 20:47:09 UTC+0000
.... 0xffffe00095ddc680:userinit.exe 2332 484 0 ------ 2018-11-05 20:47:33 UTC+0000
..... 0xffffe00095dda500:explorer.exe 2348 2332 58 0 2018-11-05 20:47:33 UTC+0000
...... 0xffffe00096164080:OneDrive.exe 3328 2348 18 0 2018-11-05 20:47:53 UTC+0000
...... 0xffffe000961ae3c0:mspaint.exe 3372 2348 7 0 2018-11-05 20:47:56 UTC+0000
...... 0xffffe000961257c0:VBoxTray.exe 3252 2348 13 0 2018-11-05 20:47:52 UTC+0000
...... 0xffffe0009474f080:cmd.exe 2144 2348 5 0 2018-11-05 20:50:05 UTC+0000
....... 0xffffe00094841080:conhost.exe 3352 2144 3 0 2018-11-05 20:50:05 UTC+0000
0xffffe00095df8080:NisSrv.exe 2112 524 7 0 2018-11-05 20:47:30 UTC+0000
[...]
|
It looks to work, let’s continue the analysis.
File list
In a forensic challenge, I immediately list all opened file in memory, using filescan
plugin:
1
2
3
4
5
6
7
8
9
10
11
| $ volatility -f challenge.dmp --profile=Win10x64_10586 filescan > filescan.txt
$ cat filescan.txt| grep John | grep Desktop
0x0000e000948df780 32768 1 R--rwd \Device\HarddiskVolume2\Users\John\Desktop
0x0000e000956917a0 2 0 R--rwd \Device\HarddiskVolume2\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
0x0000e00095e65320 32768 1 R--rwd \Device\HarddiskVolume2\Users\John\Desktop
0x0000e00095f03090 16 0 R--rwd \Device\HarddiskVolume2\Users\John\Desktop\desktop.ini
0x0000e0009600df20 2 0 R--rwd \Device\HarddiskVolume2\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
0x0000e00096087a20 2 0 R--rwd \Device\HarddiskVolume2\Users\John\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
0x0000e0009608abe0 8 0 R--r-d \Device\HarddiskVolume2\Users\John\Desktop\bob.png
0x0000e000960c0700 32768 1 R--rw- \Device\HarddiskVolume2\Users\John\Desktop
|
We can notice “bob.png” on the Desktop, let’s extract it:
1
| $ volatility -f challenge.dmp --profile=Win10x64_10586 dumpfiles -Q 0x0000e000960c0700 -D .
|
Aaaaaaaaaand… Nothing. Ok, not a problem, I got more than one trick in my hat :D
Process memory dump in GIMP
During my search for a correct profile, I noticed the mspaint.exe
process. According to this website: https://w00tsec.blogspot.com/2015/02/extracting-raw-pictures-from-memory.html
I tried to dump the process memory and open it in GIMP as raw picture.
1
2
3
4
5
| $ volatility -f challenge.dmp --profile=Win10x64_10586 memdump -p 3372 -D .
************************************************************************
Writing mspaint.exe [ 3372] to 3372.dmp
$ mv 3372.dmp mspaint.data
|
After few minutes burning my eyes, I finally found the Graal:

Flag
IMTLD{1m4gin4ti0N}
Fun fact
You can use strings
and grep
, best friends of forensic analysts:
