Magnet Weekly CTF Challenge Week #10

Windows Memory Forensics

Challenge 10

*At the time of the RAM collection (20-Apr-20 23:23:26 - Imageinfo) there was an established connection to a Google Server.*

What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”

I started this week with the netscan plugin

From the netscan output, we can see there are 4 established connections

The format in the question would suggest “172.253.63.188:443” is the answer, but I did a lookup on the IP addresses which confirmed the answer.

Answer: 172.253.63.188:443

Part 2

What was the Local IP address and port number? same format as part 1

Using the output as before, we can get the answer.

Answer: 192.168.10.146:54282
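The netscan step for parts 1 and 2 is easy to do by eye, but it is worth having a small parser for it. The following is an added example (not part of the writeup, and not Volatility's own code) that parses the Volatility 2 netscan column layout, keeps only ESTABLISHED sockets and splits an endpoint into IP and port. The sample output is constructed: the two addresses are the ones quoted above, while offsets, PIDs, owners and timestamps are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of Volatility 2 "netscan" output, not the actual output from
# the challenge image. The local/remote addresses are the ones quoted in the
# writeup; offsets, PIDs, owners and timestamps are made up.
NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x1d4a3f1c0010     TCPv4    192.168.10.146:54282           172.253.63.188:443   ESTABLISHED      4120     chrome.exe     2020-04-20 23:21:05 UTC+0000
0x1d4a3f1c0020     TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        880      svchost.exe    2020-04-20 22:01:11 UTC+0000
0x1d4a3f1c0030     UDPv4    0.0.0.0:5355                   *:*                                   1300     svchost.exe    2020-04-20 22:01:12 UTC+0000
0x1d4a3f1c0040     TCPv4    192.168.10.146:54290           10.0.0.5:445         CLOSE_WAIT       4        System         2020-04-20 23:22:40 UTC+0000
"""

# One netscan row; the State column is absent for UDP sockets, so it is optional.
LINE_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+"
    r"(?P<proto>TCPv[46]|UDPv[46])\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<foreign>\S+)\s+"
    r"(?P<state>[A-Z_]+)?\s*"
    r"(?P<pid>\d+)\s+"
    r"(?P<owner>\S+)\s*"
    r"(?P<created>.*)$"
)


@dataclass
class Connection:
    offset: str
    proto: str
    local: str
    foreign: str
    state: Optional[str]
    pid: int
    owner: str
    created: str


def parse_netscan(text: str) -> List[Connection]:
    """Parse netscan text into Connection records, skipping the header and blank lines."""
    conns: List[Connection] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conns.append(Connection(
            offset=m["offset"], proto=m["proto"], local=m["local"],
            foreign=m["foreign"], state=m["state"], pid=int(m["pid"]),
            owner=m["owner"], created=m["created"].strip(),
        ))
    return conns


def established(conns: List[Connection]) -> List[Connection]:
    """Only sockets with an active peer, which is what the challenge asks about."""
    return [c for c in conns if c.state == "ESTABLISHED"]


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'ip:port' into (ip, port); rsplit keeps IPv6 literals intact."""
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


if __name__ == "__main__":
    for c in established(parse_netscan(NETSCAN_SAMPLE)):
        # Both answers in the question's "xxx.xxx.xx.xxx:xxx" format.
        print(f"remote={c.foreign} local={c.local} pid={c.pid} owner={c.owner}")
```

Running it prints the remote and local endpoint for each established socket together with the owning process, which is the same view the writeup reads off the netscan table; on a real capture you would feed it the saved plugin output instead of the constructed sample.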

Part 3

What was the URL?

I jumped into Chrome history by dumping the History file found in the filescan output.

Opening this up in DB Browser for SQLite, I used the following SQL query to join the urls and visits tables.

Answer: https://www.google.com

Part 4

What user was responsible for this activity based on the profile?

The history was from Warren’s user profile.

Answer: Warren

Part 5

How long was this user looking at this browser with this version of Chrome? *format: X:XX:XX.XXXXX* Hint: down to the last second

Using the following SQL query, we can get the total microseconds spent: 5165199902459
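Since the two queries themselves are not reproduced in the writeup, here is an added example (mine, not the author's or Chrome's code) covering both part 3 and part 5: it builds a constructed stand-in for a Chrome History database with just the urls and visits columns needed, joins the two tables, converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC) to datetimes, sums visits.visit_duration (also microseconds) for a URL, and renders the total as H:MM:SS.ffffff or D:HH:MM:SS.ffffff. The sample rows are constructed so that the Google visits sum to the 5165199902459 microseconds quoted above; the visit durations and timestamps are not real data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Chrome stores timestamps as microseconds since 1601-01-01 UTC (the WebKit epoch)
# and visits.visit_duration as microseconds.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    delta = dt - WEBKIT_EPOCH
    return delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a Chrome History file (only the columns used here)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER, visit_duration INTEGER);
    """)
    t0 = datetime_to_webkit(datetime(2020, 4, 20, 22, 0, tzinfo=timezone.utc))
    hour = 3_600_000_000
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://www.google.com", "Google", 3, t0 + 3 * hour),
        (2, "https://example.org", "Example", 1, t0 + hour),
    ])
    # Three Google visits whose (made-up) durations sum to 5165199902459 microseconds,
    # the figure from the writeup, plus one unrelated visit that the filter must drop.
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?)", [
        (1, 1, t0,            0, 0, 5_000_000_000_000),
        (2, 2, t0 + hour,     0, 0, 120_000_000),
        (3, 1, t0 + 2 * hour, 1, 0, 100_000_000_000),
        (4, 1, t0 + 3 * hour, 3, 0, 65_199_902_459),
    ])
    conn.commit()
    return conn


# visits.url is a foreign key to urls.id; the join is what turns a visit row into a URL.
VISITS_SQL = """
SELECT u.url, v.visit_time, v.visit_duration
FROM visits v JOIN urls u ON v.url = u.id
WHERE u.url LIKE ?
ORDER BY v.visit_time
"""

TOTAL_SQL = """
SELECT COALESCE(SUM(v.visit_duration), 0)
FROM visits v JOIN urls u ON v.url = u.id
WHERE u.url LIKE ?
"""


def visits_for(conn: sqlite3.Connection, url_fragment: str) -> List[Tuple[str, datetime, int]]:
    pattern = f"%{url_fragment}%"
    return [(url, webkit_to_datetime(ts), dur)
            for url, ts, dur in conn.execute(VISITS_SQL, (pattern,))]


def total_visit_duration_us(conn: sqlite3.Connection, url_fragment: str) -> int:
    return conn.execute(TOTAL_SQL, (f"%{url_fragment}%",)).fetchone()[0]


def format_duration(us: int, with_days: bool = False) -> str:
    """Render microseconds as H:MM:SS.ffffff, or D:HH:MM:SS.ffffff when with_days is set."""
    seconds, micro = divmod(us, 1_000_000)
    minutes, sec = divmod(seconds, 60)
    hours, minute = divmod(minutes, 60)
    if not with_days:
        return f"{hours}:{minute:02d}:{sec:02d}.{micro:06d}"
    days, hour = divmod(hours, 24)
    return f"{days}:{hour:02d}:{minute:02d}:{sec:02d}.{micro:06d}"


if __name__ == "__main__":
    db = build_sample_history()
    for url, when, dur in visits_for(db, "google.com"):
        print(f"{when.isoformat()}  {url}  {format_duration(dur)}")
    total = total_visit_duration_us(db, "google.com")
    print(f"total: {total} us = {format_duration(total)} = {format_duration(total, with_days=True)} (d:hh:mm:ss)")
```

For a real History file, replace the in-memory connection with sqlite3.connect on a copy of the dumped file (never the original). Note the caveat that follows from the author's hint below: visit_duration is the per-visit time Chrome records in the History database, which is not necessarily the foreground or focus time the challenge seems to be after, so this query reproduces the figure the writeup obtained rather than the intended answer.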

We can then try to format the answer to the question: X:XX:XX.XXXXX. I tried a lot of different combinations for this question including:

d:hh:mm.ssss: 59:18:38.22459, 59:18:38.22, 59:18:38.23

hh:mm:ss.MM: 1434:46:39.902459, 1434:46:39, 1434:46:40

… and none of those worked. I took a hint for 5 points which was the following:

I couldn’t see any reference to foreground or focus time in the Chrome History db. I thought it could be to do with the SRUM foreground time but it seemed a bit off track.

I ran out of time for this one unfortunately! I look forward to reading the other players' writeups.