Magnet Weekly CTF Challenge Week #10

Windows Memory Forensics

svch0st
3 min read · Dec 14, 2020

Challenge 10

*At the time of the RAM collection (20-Apr-20 23:23:26 - Imageinfo) there was an established connection to a Google Server.*

What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”

I started this week with the netscan plugin

vol.py -f memdump.mem --profile=Win7SP1x64 netscan

From the netscan output, we can see there are 4 established connections

The format in the question would suggest “172.253.63.188:443” is the answer, but I did a lookup on the IP addresses, which confirmed the answer.

Answer: 172.253.63.188:443

Part 2

What was the Local IP address and port number? same format as part 1

Using the output as before, we can get the answer.

Answer: 192.168.10.146:54282

Part 3

What was the URL?

I jumped into Chrome history by dumping the History file found in the filescan output.

Opening this up in DB Browser for SQLite, I used the following SQL query to join the urls and visits table.

-- visit_time is stored as microseconds since 1601-01-01 UTC; the strftime() term
-- shifts it onto the Unix epoch. The value is already UTC, so no 'utc' modifier is
-- needed (SQLite's 'utc' modifier treats its input as local time and shifts the result).
SELECT datetime(visit_time / 1000000 + strftime('%s', '1601-01-01'), 'unixepoch') AS time, *
FROM urls, visits
WHERE urls.id = visits.url
ORDER BY time

Answer: https://www.google.com

Part 4

What user was responsible for this activity based on the profile?

The history was from Warren’s user profile.

Answer: Warren

Part 5

How long was this user looking at this browser with this version of Chrome? *format: X:XX:XX.XXXXX* Hint: down to the last second

Using the following SQL query, we can get the total microseconds spent: 5165199902459

SELECT sum(visit_duration)
FROM visits

We can then try to format the answer to the question: X:XX:XX.XXXXX. I tried a lot of different combinations for this question, including:

d:hh:mm.ssss: 59:18:38.22459, 59:18:38.22, 59:18:38.23

hh:mm:ss.MM: 1434:46:39.902459, 1434:46:39, 1434:46:40

… and none of those worked. I took a hint for 5 points which was the following:
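As an added example (not code from the original write-up), the following Python reproduces the two conversions used in Parts 3 and 5 against a constructed miniature History database: the WebKit epoch shift that the SQL join performs on visit_time, and the decomposition of the summed visit_duration microseconds into days, hours, minutes and seconds. The table layout is trimmed to the columns used here and the row values are constructed for illustration, not taken from the image.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores timestamps as microseconds since 1601-01-01 UTC
# (the WebKit epoch, which is also the Windows FILETIME epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    """Convert a Chrome History visit_time (microseconds since 1601) to a UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def split_duration(us: int) -> tuple:
    """Break a visit_duration in microseconds into (days, hours, minutes, seconds, microseconds)."""
    seconds, micros = divmod(us, 1_000_000)
    days, seconds = divmod(seconds, 86_400)
    hours, seconds = divmod(seconds, 3_600)
    minutes, seconds = divmod(seconds, 60)
    return days, hours, minutes, seconds, micros


def build_sample_history() -> sqlite3.Connection:
    """Constructed miniature History db (urls + visits only); values are illustrative, not from the image."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, visit_duration INTEGER);
        INSERT INTO urls VALUES (1, 'https://www.google.com', 'Google');
        -- 13231898606000000 us after 1601-01-01 is 2020-04-20 23:23:26 UTC (constructed value)
        INSERT INTO visits VALUES (1, 1, 13231898606000000, 5165199902459);
    """)
    return con


def list_visits(con: sqlite3.Connection) -> list:
    """Join urls and visits, letting SQLite do the epoch shift (1601 -> 1970 is -11644473600 s).
    visit_time is already UTC, so no 'utc' or 'localtime' modifier is applied."""
    return con.execute("""
        SELECT datetime(visit_time / 1000000 + strftime('%s', '1601-01-01'), 'unixepoch') AS time,
               urls.url
        FROM urls, visits
        WHERE urls.id = visits.url
        ORDER BY time
    """).fetchall()


def total_visit_duration(con: sqlite3.Connection) -> tuple:
    """Sum visit_duration over all visits and split it into D/H/M/S/us components."""
    (total_us,) = con.execute("SELECT sum(visit_duration) FROM visits").fetchone()
    return split_duration(total_us)
```

For the 5165199902459 µs total from the write-up, split_duration returns 59 days, 18 h, 46 min, 39 s and 902459 µs, which is the same quantity as the 1434:46:39.902459 hours form above.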

HINT: Solving this challenge takes some FOCUS & time :)

I couldn’t see any reference to foreground or focus time in the Chrome History db. I thought it could be to do with the SRUM foreground time but it seemed a bit off track.

I ran out of time for this one unfortunately! I look forward to reading the other players' writeups.
