Image: memdump.mem | 224f93209cbea29e862890f30dfa762d
How’s Your Memory?
Which memory profile best fits the system?
We can use the Volatility plugins imageinfo and kdbgscan to determine the suggested memory profile.
vol.py -f memdump.mem imageinfo
The output of imageinfo tells us it is some flavour of Windows 7 or Windows Server 2008 with a 64-bit architecture. Out of the possible answers in the list, the closest is Win7SP1x64.
A: Win7SP1x64
Hash Slinging
What is the LM hash of the user’s account?
vol.py -f memdump.mem --profile=Win7SP1x64 hashdump
We can use the profile we determined in the first question in combination with the hashdump plugin. Each line of the hashdump output has the format user:rid:lm:nt, as seen in the output below. Note that aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string, which is what hashdump reports when LM hashes are not stored, as is the default on Windows 7:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Warren:1000:aad3b435b51404eeaad3b435b51404ee:2aa81fb8c8cdfd8f420f7f94615036b0:::
A: aad3b435b51404eeaad3b435b51404ee
Cache Money
What is Warren’s Ignition Casino password? (Case Sensitive!!!!)
I started by dumping the Chrome internet history by first using filescan, then finding the offset of the History.dat file to use in the dumpfiles plugin. I used the Nirsoft ChromeHistoryView tool to view the file.
vol.py -f memdump.mem --profile=Win7SP1x64 filescan > filescan.txt
cat filescan.txt | grep Chrome | grep History
vol.py -f memdump.mem --profile=Win7SP1x64 dumpfiles -Q 0x000000013fdc56b0 -n -D .
In the internet history, it looks like at one point he forgets his password to Ignition Casino and needs to reset it.
I spent a lot of time looking through the Chrome and IE memdumps but found a lead in the WinWord.exe memdump, hoping the user had written their password down.
wow_this_is_an_uncrackable_password
When I tried this however, it was not the right answer. :(
I had bulk_extractor running in the background while I started the other questions. When it was done, I grepped over terms like ignition and the user's email to see if there were any goodies. After sifting through some data I found a pretty good guess that turned out to be correct.
A: WHbigboy123
Never Tell Me The Odds…
It seems like Warren may have let his addictions slip into his work life… Find the program in question, recover it from memory, and give the SHA1 hash
Having a look at the Chrome Downloads (from the History.dat file dumped in the previous question), there is an entry for an Ignition Casino binary.
Here is where the binary was downloaded from.
If we find the offset of the file in the filescan output, we can use dumpfiles to extract it. From there, you can use sha1sum to get the hash.
IgnitionCasino.exe | 3b7ca3bb8d4fb2b6c287d6a247efd7c457937a3e
A: 3b7ca3bb8d4fb2b6c287d6a247efd7c457937a3e
Compilation Station
When was IgnitionCasino.exe compiled? YYYY-MM-DD HH:MM:SS
Using PE-bear, we find the compile timestamp in the PE file header.
A: 2020-02-12 12:01:35
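As an added example (my own helper, not the writeup author's tooling), a small Python script that covers the last two questions without external tools: it hashes the dumped file with SHA1 and walks the DOS header to the COFF header to read TimeDateStamp. The PE bytes it builds are a constructed stub for offline testing, not the real IgnitionCasino.exe.

```python
import calendar
import hashlib
import struct
from datetime import datetime, timezone


def build_sample_pe(compile_ts: int) -> bytes:
    """Constructed minimal DOS+PE header used only for testing (not a real binary)."""
    dos = bytearray(b"MZ" + b"\x00" * 62)            # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew -> PE signature at 0x80
    pad = b"\x00" * (0x80 - len(dos))
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab,
    # NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, compile_ts, 0, 0, 0, 0x22)
    return bytes(dos) + pad + b"PE\x00\x00" + coff


def pe_compile_time(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch, UTC)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    return struct.unpack_from("<I", data, pe_off + 8)[0]


def describe_binary(data: bytes) -> dict:
    """SHA1 plus compile time in the YYYY-MM-DD HH:MM:SS form the question asks for."""
    ts = pe_compile_time(data)
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "compiled": when.strftime("%Y-%m-%d %H:%M:%S"),
        # The field is attacker-controlled: flag zeroed or future timestamps
        # rather than trusting them as a build date.
        "suspicious_timestamp": ts == 0 or when > datetime.now(timezone.utc),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                              # e.g. a file dumped with dumpfiles
        blob = open(sys.argv[1], "rb").read()
    else:                                              # constructed sample, 2020-02-12 12:01:35 UTC
        blob = build_sample_pe(calendar.timegm((2020, 2, 12, 12, 1, 35)))
    print(describe_binary(blob))
```

Run it with the path of the dumped executable as the first argument; with no argument it uses the constructed stub.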