Magnet Weekly CTF Challenge Week #10
Windows Memory Forensics
*At the time of the RAM collection (20-Apr-20 23:23:26 - Imageinfo) there was an established connection to a Google Server.*
What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”
I started this week with the netscan plugin:

```
vol.py -f memdump.mem --profile=Win7SP1x64 netscan
```
From the netscan output, we can see there are 4 established connections
The format in the question would suggest “188.8.131.52:443” is the answer, but I did a lookup on the IP addresses which confirmed the answer.
What was the Local IP address and port number? same format as part 1
Using the output as before, we can get the answer.
What was the URL?
I jumped into Chrome history by dumping the History file found in the filescan output.
Opening this up in DB Browser for SQLite, I used the following SQL query to join the urls and visits table.
```sql
-- visit_time is WebKit time: microseconds since 1601-01-01 UTC
SELECT datetime(visits.visit_time / 1000000 + strftime('%s', '1601-01-01'), 'unixepoch') AS time, *
FROM urls JOIN visits ON visits.url = urls.id
ORDER BY time;
```
What user was responsible for this activity based on the profile?
The history was from Warren’s user profile.
How long was this user looking at this browser with this version of Chrome? *format: X:XX:XX.XXXXX* Hint: down to the last second
Using the following SQL query, we can get the total microseconds spent:
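The query itself is not reproduced in the post. As an added example (my code, not the author's), the script below rebuilds the two Chrome History tables in memory from constructed rows, joins them with the same WebKit-epoch conversion, sums visit_duration and renders the total in both readings of the challenge format; the schema is trimmed to the columns needed and every sample value is invented.

```python
import sqlite3

WEBKIT_EPOCH_OFFSET = 11644473600  # seconds from 1601-01-01 to 1970-01-01 (WebKit time base)

# Constructed sample rows shaped like Chrome's History schema; the values are
# invented for this example, not data from the CTF image.
SAMPLE_URLS = [(1, "https://www.google.com/", "Google"),
               (2, "https://example.test/page", "Example")]
SAMPLE_VISITS = [  # (id, url -> urls.id, visit_time us, visit_duration us)
    (1, 1, 13231898606000000, 90_000_000),  # 2020-04-20 23:23:26 UTC, 1m30s on page
    (2, 2, 13231898700000000, 1_234_567),   # 2020-04-20 23:25:00 UTC
    (3, 1, 13231898800000000, 0),           # 2020-04-20 23:26:40 UTC, no duration recorded
]

def build_history_db():
    """Create an in-memory History database with just the columns the queries need."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, visit_duration INTEGER);""")
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?)", SAMPLE_URLS)
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?)", SAMPLE_VISITS)
    return conn

def visit_timeline(conn):
    """Join visits to urls, converting WebKit microseconds to a UTC datetime string."""
    return conn.execute("""
        SELECT datetime(visits.visit_time / 1000000 - ?, 'unixepoch') AS time,
               urls.url, visits.visit_duration
        FROM visits JOIN urls ON visits.url = urls.id
        ORDER BY visits.visit_time""", (WEBKIT_EPOCH_OFFSET,)).fetchall()

def total_duration_us(conn):
    """Total time spent on pages: the sum of visit_duration in microseconds."""
    return conn.execute("SELECT COALESCE(SUM(visit_duration), 0) FROM visits").fetchone()[0]

def format_duration(total_us, with_days=False):
    """Render microseconds as H:MM:SS.ffffff, or D:HH:MM:SS.ffffff when with_days is set."""
    seconds, micros = divmod(total_us, 1_000_000)
    parts = []
    if with_days:
        days, seconds = divmod(seconds, 86400)
        parts.append(str(days))
    hours, rem = divmod(seconds, 3600)
    minutes, secs = divmod(rem, 60)
    parts.append(f"{hours:02d}" if with_days else str(hours))
    return ":".join(parts) + f":{minutes:02d}:{secs:02d}.{micros:06d}"
```

Feeding the author's own total of 1434:46:39.902459 (5165199902459 µs) through format_duration reproduces that string, and the with_days form gives 59:18:46:39.902459.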
We can then try to format the answer to the question: X:XX:XX.XXXXX. I tried a lot of different combinations for this question including:
d:hh:mm.ssss: 59:18:38.22459, 59:18:38.22, 59:18:38.23
hh:mm:ss.MM: 1434:46:39.902459, 1434:46:39, 1434:46:40
… and none of those worked. I took a hint for 5 points which was the following:
HINT: Solving this challenge takes some FOCUS & time :)
I couldn’t see any reference to foreground or focus time in the Chrome History db. I thought it could be to do with the SRUM foreground time but it seemed a bit off track.
I ran out of time for this one unfortunately! Look forward to reading the other players' writeups.