Magnet Weekly CTF Challenge Week #10

Windows Memory Forensics

svch0st
3 min read · Dec 14, 2020

Challenge 10

*At the time of the RAM collection (20-Apr-20 23:23:26, per imageinfo) there was an established connection to a Google server.*

What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”

I started this week with the netscan plugin

vol.py -f memdump.mem --profile=Win7SP1x64 netscan

From the netscan output, we can see there are 4 established connections.

The format in the question would suggest “172.253.63.188:443” is the answer, but I did a lookup on the IP addresses which confirmed the answer.

Answer: 172.253.63.188:443

Part 2

What was the Local IP address and port number? same format as part 1

Using the output as before, we can get the answer.

Answer: 192.168.10.146:54282
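Reading the remote and local endpoints off netscan by eye works for a handful of rows, but a real dump can have hundreds of stale socket objects. The script below is an added example (not part of the original writeup) that parses netscan's text output, keeps only sockets in the ESTABLISHED state and then narrows to foreign addresses that are globally routable, which is the shortlist for both Part 1 (remote endpoint) and Part 2 (local endpoint). The sample rows are constructed: only the Google row carries the values from this writeup, the other offsets, PIDs and internal addresses are made up, and the column layout follows what Volatility 2's netscan prints.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the column layout of Volatility 2's netscan plugin
# (Offset(P) Proto Local Address Foreign Address State Pid Owner Created).
# Only the first ESTABLISHED row uses values from the writeup; the rest are made up.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x13e0d2010        TCPv4    192.168.10.146:54282           172.253.63.188:443   ESTABLISHED      2508     chrome.exe
0x13e1a4cf0        TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        704      svchost.exe    2020-04-20 23:01:11 UTC+0000
0x13e2b3a20        TCPv4    192.168.10.146:54300           192.168.10.5:445     ESTABLISHED      4        System
0x13e3c0f10        UDPv4    0.0.0.0:5355                   *:*                                   1024     svchost.exe    2020-04-20 23:01:12 UTC+0000
0x13e4d1b30        TCPv4    192.168.10.146:49700           192.168.10.1:3389    ESTABLISHED      1180     mstsc.exe
0x13e5e2c40        TCPv4    192.168.10.146:54310           172.253.63.188:443   CLOSE_WAIT       2508     chrome.exe
"""

# One netscan row. UDP rows have no State column, so the state group is optional;
# Owner can be missing too, and the trailing Created timestamp is ignored.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+"
    r"(?P<proto>(?:TCP|UDP)v[46])\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+)"
    r"(?:\s+(?P<owner>\S+))?"
)


@dataclass
class Connection:
    offset: str
    proto: str
    local: str
    remote: str
    state: Optional[str]
    pid: int
    owner: Optional[str]


def parse_netscan(text: str) -> List[Connection]:
    """Parse netscan's text output; header, blank and unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            conns.append(Connection(m["offset"], m["proto"], m["local"], m["remote"],
                                    m["state"], int(m["pid"]), m["owner"]))
    return conns


def split_endpoint(endpoint: str):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); a wildcard such as '*:*' yields port None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def established(conns: List[Connection]) -> List[Connection]:
    """Only sockets the kernel still had in the ESTABLISHED state at capture time."""
    return [c for c in conns if c.state == "ESTABLISHED"]


def is_public(host: str) -> bool:
    """True for globally routable addresses; wildcards and RFC 1918 space are False."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def external_established(conns: List[Connection]) -> List[Connection]:
    """ESTABLISHED sockets talking to a public host: the candidates for 'which server was this box connected to'."""
    return [c for c in established(conns) if is_public(split_endpoint(c.remote)[0])]


if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    print(f"{len(rows)} sockets, {len(established(rows))} ESTABLISHED")
    for c in external_established(rows):
        print(f"remote {c.remote}  local {c.local}  pid {c.pid} ({c.owner})")
```

Because netscan carves socket objects out of pool memory rather than walking a live table, it happily returns sockets that were already closed or whose memory has been partially reused, which is why the State filter matters more than it would on a live host; the Created column and the dump's imageinfo time are the cross-check when two rows disagree.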

Part 3

What was the URL?

I jumped into Chrome history by dumping the History file found in the filescan output.

Opening this up in DB Browser for SQLite, I used the following SQL query to join the urls and visits tables.

-- visit_time is microseconds since 1601-01-01 (the WebKit epoch); shift it to the Unix epoch for datetime().
-- No 'utc' modifier: it would treat the already-UTC value as local time and shift it a second time.
SELECT datetime(visits.visit_time / 1000000 + strftime('%s', '1601-01-01'), 'unixepoch') AS time, *
FROM urls
JOIN visits ON urls.id = visits.url
ORDER BY time

Answer: https://www.google.com

Part 4

What user was responsible for this activity based on the profile?

The history was from Warren’s user profile.

Answer: Warren

Part 5

How long was this user looking at this browser with this version of Chrome? Format: X:XX:XX.XXXXX. Hint: down to the last second

Using the following SQL query, we can get the total microseconds spent: 5165199902459

SELECT sum(visit_duration)
FROM visits
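Both the Part 3 timestamp conversion and the Part 5 duration sum hinge on the same unit: Chrome stores visit_time and visit_duration as microseconds, with visit_time counted from 1601-01-01 UTC. The script below is an added example (not the writeup's own code) that builds a small in-memory stand-in for the History file with a reduced urls/visits schema and constructed rows, runs the join with the epoch shift done in SQL, repeats the conversion in Python so the two can be compared, and breaks the summed visit_duration into days, hours, minutes, seconds and microseconds. The capture time used for the round-trip check is taken from the challenge text; the sample visits, titles and durations are made up, and the D:HH:MM:SS.ffffff layout is just a generic breakdown, not a claim about the format the CTF expects.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Chrome's History database stores times as microseconds since 1601-01-01 00:00:00 UTC
# (the WebKit epoch: Windows FILETIME with microsecond instead of 100 ns ticks).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
US_PER_SECOND = 1_000_000
# Seconds between the WebKit epoch and the Unix epoch; the SQL below derives it with strftime().
WEBKIT_TO_UNIX_SECONDS = 11_644_473_600


def webkit_to_datetime(webkit_us: int) -> datetime:
    """Chrome timestamp (int microseconds) -> timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse of webkit_to_datetime, in integer arithmetic so large values keep microsecond precision."""
    delta = dt.astimezone(timezone.utc) - WEBKIT_EPOCH
    return (delta.days * 86_400 + delta.seconds) * US_PER_SECOND + delta.microseconds


# Same conversion on the SQLite side as the writeup's query, with an explicit JOIN and without
# the 'utc' modifier (that modifier assumes a local-time input and would shift a UTC value).
HISTORY_QUERY = """
SELECT datetime(visits.visit_time / 1000000 + strftime('%s', '1601-01-01'), 'unixepoch') AS time,
       visits.visit_time, urls.url, urls.title, visits.visit_duration
FROM urls
JOIN visits ON urls.id = visits.url
ORDER BY visits.visit_time
"""

# Capture time from the challenge text (assumed UTC), used only for a round-trip check.
CAPTURE_TIME_WEBKIT = datetime_to_webkit(datetime(2020, 4, 20, 23, 23, 26, tzinfo=timezone.utc))


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a Chrome History file: reduced urls/visits schema, made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER, visit_duration INTEGER);
    """)
    t1 = datetime_to_webkit(datetime(2020, 4, 20, 23, 20, 15, tzinfo=timezone.utc))
    t2 = datetime_to_webkit(datetime(2020, 4, 20, 23, 22, 40, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "https://www.google.com/", "Google", 1, t1),
        (2, "https://www.example.com/", "Example Domain", 1, t2),
    ])
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?, ?, ?)", [
        (1, 1, t1, 0, 0, 95_000_000),   # 95 s recorded for the google.com visit (made up)
        (2, 2, t2, 1, 0, 0),            # duration 0: nothing recorded for this visit
    ])
    return conn


def visits_with_times(conn: sqlite3.Connection) -> List[Tuple[str, str, str, str, int]]:
    """(sqlite_time, python_time, url, title, visit_duration) per visit, oldest first."""
    out = []
    for sql_time, visit_time, url, title, duration in conn.execute(HISTORY_QUERY):
        py_time = webkit_to_datetime(visit_time).strftime("%Y-%m-%d %H:%M:%S")
        out.append((sql_time, py_time, url, title, duration))
    return out


def total_visit_duration_us(conn: sqlite3.Connection) -> int:
    """SUM(visit_duration) in microseconds, the same figure the writeup's query produces."""
    (total,) = conn.execute("SELECT COALESCE(SUM(visit_duration), 0) FROM visits").fetchone()
    return int(total)


def format_duration(total_us: int) -> str:
    """Break a microsecond count into D:HH:MM:SS.ffffff."""
    days, rem = divmod(total_us, 86_400 * US_PER_SECOND)
    hours, rem = divmod(rem, 3_600 * US_PER_SECOND)
    minutes, rem = divmod(rem, 60 * US_PER_SECOND)
    seconds, micros = divmod(rem, US_PER_SECOND)
    return f"{days}:{hours:02d}:{minutes:02d}:{seconds:02d}.{micros:06d}"


if __name__ == "__main__":
    db = build_sample_history()
    for row in visits_with_times(db):
        print(row)
    total = total_visit_duration_us(db)
    print(total, "us ->", format_duration(total))
    print("writeup total:", format_duration(5_165_199_902_459))
```

Run against the writeup's figure of 5165199902459 microseconds the breakdown gives 59 days, 18 hours, 46 minutes, 39.902459 seconds, which matches the 1434:46:39.902459 the author reached when expressing it in hours.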

We can then try to format the answer to the question: X:XX:XX.XXXXX. I tried a lot of different combinations for this question including:

d:hh:mm.ssss: 59:18:38.22459, 59:18:38.22, 59:18:38.23

hh:mm:ss.MM: 1434:46:39.902459, 1434:46:39, 1434:46:40

… and none of those worked. I took a hint for 5 points which was the following:

HINT: Solving this challenge takes some FOCUS & time :)

I couldn’t see any reference to foreground or focus time in the Chrome History db. I thought it could be to do with the SRUM foreground time but it seemed a bit off track.

I ran out of time for this one unfortunately! Look forward to reading the other players writeups
