
Magnet Weekly CTF Challenge Week #10

Windows Memory Forensics

3 min read · Dec 14, 2020


Challenge 10

At the time of the RAM collection (20-Apr-20 23:23:26 - Imageinfo) there was an established connection to a Google Server.

What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”

I started this week with the netscan plugin:

vol.py -f memdump.mem --profile=Win7SP1x64 netscan

From the netscan output, we can see there are 4 established connections.


The format in the question would suggest “172.253.63.188:443” is the answer, but I did a lookup on the IP addresses, which confirmed the answer.
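The filtering done by eye above (pick the ESTABLISHED rows, drop loopback, read off the foreign address) can be scripted. The following is an added example, not part of the original post: it parses a constructed sample of Volatility 2 netscan output (the column layout of the real plugin, with the post's two addresses and made-up offsets and filler rows) and returns only the non-loopback established TCP connections. IPv4 addresses are assumed when splitting host from port.

```python
"""Pick out ESTABLISHED, non-loopback TCP connections from Volatility 2 netscan output."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# Constructed sample (not the challenge's real output). Column order follows the
# Volatility 2 netscan plugin: Offset Proto Local Foreign State Pid Owner Created.
# Established sockets usually show Pid -1 and no Owner/Created columns; offsets,
# the 203.0.113.5 peer and the loopback pair are made up for the example.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e0a12b0         UDPv4    0.0.0.0:5355                   *:*                                   700      svchost.exe    2020-04-20 22:58:01 UTC+0000
0x3e1b44c0         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x3e2c7d10         TCPv4    192.168.10.146:54282           172.253.63.188:443   ESTABLISHED      -1
0x3e2d8e20         TCPv4    192.168.10.146:54290           203.0.113.5:80       ESTABLISHED      -1
0x3e2f9f30         TCPv4    127.0.0.1:49161                127.0.0.1:49162      ESTABLISHED      -1
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: Optional[int]


def parse_netscan(text: str) -> List[Conn]:
    """Return Conn records for the TCP rows of a netscan listing."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("0x"):
            continue  # header, blank, or truncated line
        _offset, proto, local, remote, state, *rest = fields
        if not proto.startswith("TCP"):
            continue  # UDP rows carry no connection state
        pid = int(rest[0]) if rest and rest[0].lstrip("-").isdigit() else None
        conns.append(Conn(proto, local, remote, state, pid))
    return conns


def established(text: str, exclude_loopback: bool = True) -> List[Conn]:
    """Established TCP connections, optionally without loopback peers (IPv4 host:port assumed)."""
    out = []
    for c in parse_netscan(text):
        if c.state != "ESTABLISHED":
            continue
        host = c.remote.rsplit(":", 1)[0]
        if exclude_loopback and ip_address(host).is_loopback:
            continue
        out.append(c)
    return out


if __name__ == "__main__":
    for c in established(SAMPLE_NETSCAN):
        print(f"{c.local} -> {c.remote} ({c.proto}, pid={c.pid})")
```

Which of the surviving peers belongs to Google still needs the IP lookup the post describes; the script only narrows the candidate list.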


Answer: 172.253.63.188:443

Part 2

What was the Local IP address and port number? same format as part 1

Using the output as before, we can get the answer.

Answer: 192.168.10.146:54282

Part 3

What was the URL?

I jumped into Chrome history by dumping the History file found in the filescan output.


Opening this up in DB Browser for SQLite, I used the following SQL query to join the urls and visits tables.

SELECT datetime(visit_time / 1000000 + (strftime('%s', '1601-01-01')), 'unixepoch', 'utc') as time,*
FROM urls,visits
WHERE urls.id=visits.url
ORDER BY time

Answer: https://www.google.com

Part 4

What user was responsible for this activity based on the profile?

The history was from Warren’s user profile.

Answer: Warren

Part 5

How long was this user looking at this browser with this version of Chrome? format: X:XX:XX.XXXXX. Hint: down to the last second

Using the following SQL query, we can get the total microseconds spent: 5165199902459

SELECT sum(visit_duration)
FROM visits
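The two queries above (the urls/visits join with the WebKit-epoch conversion from Part 3, and the sum of visit_duration here) can be exercised end to end without the evidence file. This is an added example, not code from the post: it builds a constructed in-memory SQLite database with just the Chrome History columns the queries use (urls.id, urls.url, visits.url, visits.visit_time, visits.visit_duration), runs the join, totals the durations, and converts microseconds into hours:minutes:seconds or a days breakdown. The visit rows and their timestamps are made up; the 5165199902459 figure is the post's.

```python
"""Query a Chrome History-style SQLite db: visit timeline and total visit_duration."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores visit_time and visit_duration in microseconds; visit_time counts
# from the WebKit epoch, 1601-01-01 00:00:00 UTC, hence the strftime() offset.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    td = dt - WEBKIT_EPOCH  # integer arithmetic: a float would lose microseconds
    return (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for the relevant columns of a Chrome History db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, visit_duration INTEGER);
    """)
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        (1, "https://www.google.com", "Google"),
        (2, "https://example.invalid/page", "Example"),
    ])
    # Made-up visits shortly before the image's collection time.
    t0 = datetime_to_webkit(datetime(2020, 4, 20, 23, 20, 0, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?)", [
        (1, 1, t0, 12_345_678),
        (2, 2, t0 + 60_000_000, 5_000_000),
        (3, 1, t0 + 200_000_000, 0),
    ])
    conn.commit()
    return conn


# Same join as the post's query, written with explicit JOIN and only the needed columns.
TIMELINE_QUERY = """
SELECT datetime(visit_time / 1000000 + strftime('%s', '1601-01-01'), 'unixepoch') AS time,
       urls.url, visits.visit_duration
FROM urls JOIN visits ON urls.id = visits.url
ORDER BY time
"""


def visit_timeline(conn: sqlite3.Connection):
    return conn.execute(TIMELINE_QUERY).fetchall()


def total_visit_duration_us(conn: sqlite3.Connection) -> int:
    (total,) = conn.execute("SELECT sum(visit_duration) FROM visits").fetchone()
    return total or 0


def format_duration(total_us: int) -> str:
    """Render microseconds as H:MM:SS.ffffff, hours left unwrapped (no days)."""
    seconds, us = divmod(total_us, 1_000_000)
    hours, rem = divmod(seconds, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours}:{minutes:02d}:{secs:02d}.{us:06d}"


def split_days(total_us: int):
    """Same duration as (days, hours, minutes, seconds, microseconds)."""
    seconds, us = divmod(total_us, 1_000_000)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return days, hours, minutes, secs, us


if __name__ == "__main__":
    db = build_sample_history()
    for row in visit_timeline(db):
        print(row)
    total = total_visit_duration_us(db)
    print(total, format_duration(total))
    print(format_duration(5165199902459), split_days(5165199902459))
```

One caveat on the post's query: SQLite's 'utc' modifier assumes the value is local time and shifts it to UTC, while 'unixepoch' already yields UTC, so on an analysis machine whose clock is not set to UTC the extra modifier offsets every timestamp by the local zone. The example omits it for that reason. The block only shows the arithmetic behind the candidate formats; which reading the challenge expected is left open, as in the post.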

We can then try to format the answer to the question: X:XX:XX.XXXXX. I tried a lot of different combinations for this question including:

d:hh:mm.ssss: 59:18:38.22459, 59:18:38.22, 59:18:38.23

hh:mm:ss.MM: 1434:46:39.902459, 1434:46:39, 1434:46:40

… and none of those worked. I took a hint for 5 points which was the following:

HINT: Solving this challenge takes some FOCUS & time :)

I couldn’t see any reference to foreground or focus time in the Chrome History db. I thought it could be to do with the SRUM foreground time but it seemed a bit off track.

I ran out of time for this one unfortunately! Look forward to reading the other players’ writeups.
