Magnet Weekly CTF Challenge Week #11
Windows Memory Forensics
What is the IPv4 address that myaccount.google.com resolves to?
At the start of the memory challenge I had ran bulk_extractor over the image while I was working on the other questions. Reading some of the other writeups and the discord posts, users had been using the .pcap generated from bulk_extractor to answer the network based questions. I decided to give it a go for these questions. By simply searching for the string “google” we can see a DNS packet querying the domain “myaccount.google.com”.
In one of the answers we have an A record that returns the IP address of the domain, 184.108.40.206.
For this question, I’d be interested if you can find the answer in the DNS cache of the image using a Volatility plugin.
What is the canonical name (cname) associated with Part 1?
In the same packet, we have the CNAME record answer for the domain that was requested.