Magnet Weekly CTF Challenge Week #11

Windows Memory Forensics

Dec 22, 2020

Part 1

What is the IPv4 address that resolves to?

At the start of the memory challenge I had run bulk_extractor over the image while I was working on the other questions. Reading some of the other writeups and the Discord posts, users had been using the .pcap generated from bulk_extractor to answer the network-based questions. I decided to give it a go for these questions. By simply searching for the string “google” we can see a DNS packet querying the domain “”.

In one of the answers we have an A record that returns the IP address of the domain,


For this question, I’d be interested if you can find the answer in the DNS cache of the image using a Volatility plugin.

Part 2

What is the canonical name (cname) associated with Part 1?

In the same packet, we have the CNAME record answer for the domain that was requested.