Magnet Weekly CTF Challenge Week #11

Windows Memory Forensics

Part 1

What is the IPv4 address that myaccount.google.com resolves to?

At the start of the memory challenge I had run bulk_extractor over the image while I was working on the other questions. Reading some of the other writeups and the Discord posts, users had been using the .pcap generated by bulk_extractor to answer the network-based questions. I decided to give it a go for these questions. By simply searching for the string “google” we can see a DNS packet querying the domain “myaccount.google.com”.

In one of the answers we have an A record that returns the IP address of the domain, 172.217.10.238.

Answer: 172.217.10.238

For this question, I’d be interested to hear whether you can find the answer in the DNS cache of the image using a Volatility plugin.

Part 2

What is the canonical name (cname) associated with Part 1?

In the same packet, we have the CNAME record answer for the domain that was requested.

Answer: www3.l.google.com
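As an added example (not part of the original writeup), the Python below parses the answer section of a DNS reply like the one carved by bulk_extractor, following RFC 1035 compression pointers so that the CNAME (Part 2) and the A record (Part 1) are recovered from the same message. The packet bytes are constructed here to mirror the reply described above; they are not taken from the challenge image.

```python
import socket
import struct

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(buf, off):
    """Decode a DNS name at off, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if (ln & 0xC0) == 0xC0:                       # pointer into an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln

def parse_dns_answers(buf):
    """Return [(owner, rrtype, value)] for each A/CNAME answer RR in a DNS message."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!6H", buf[:12])
    off, answers = 12, []
    for _ in range(qd):                               # skip the question section
        off = read_name(buf, off)[1] + 4              # name + QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                 # A record
            answers.append((name, "A", socket.inet_ntoa(buf[off:off + 4])))
        elif rtype == 5:                              # CNAME record (may use pointers)
            answers.append((name, "CNAME", read_name(buf, off)[0]))
        off += rdlen
    return answers

def build_sample_response():
    """Constructed reply mirroring the carved packet (not bytes from the CTF image)."""
    pkt = bytearray(struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0))
    pkt += encode_name("myaccount.google.com") + struct.pack("!HH", 1, 1)
    google_off = 12 + 1 + len("myaccount")            # where the "google.com" labels start
    cname = encode_name("www3.l")[:-1] + struct.pack("!H", 0xC000 | google_off)
    pkt += struct.pack("!HHHIH", 0xC00C, 5, 1, 300, len(cname))
    cname_off = len(pkt)
    pkt += cname
    pkt += struct.pack("!HHHIH", 0xC000 | cname_off, 1, 1, 300, 4)
    pkt += socket.inet_aton("172.217.10.238")
    return bytes(pkt)
```

Feeding the same function the UDP payload of a real carved packet (bytes after the 8-byte UDP header) yields the CNAME and A answers directly, without opening the .pcap in a GUI tool.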