Magnet Weekly CTF Challenge Week #12
Windows Memory Forensics
What is the PID of the application where you might learn “how hackers hack, and how to stop them”?
Format: #### Warning: Only 1 attempt allowed!
From investigating the internet history in the previous questions, I remember an IE search similar to the quote in the question.
This search was for “how to stop getting hacked over and over” found in the bulk_extractor output which was also in the IE History.
There may be a much more elegant solution to find the quote in the question, but I just visited the URL in IE and found a YouTube video by SciShow with a matching title.
I dumped the two iexplore.exe processes that were listed in pslist.
vol.py -f memdump.mem --profile Win7SP1x64 memdump -n iexplore -D .
Writing iexplore.exe [ 2984] to 2984.dmp
Writing iexplore.exe [ 4480] to 4480.dmp
I hoped to look at the memory for these processes to see if one of the dumps has the string I was looking for.
Below, the dump for the PID 4480 contained a link to the video called “How Hackers Hack, and How To Stop Them”:
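The search step above, done in Python instead of by eye, as an added example that is not part of the original writeup: it scans the per-process files written by memdump for a phrase in both UTF-8 and UTF-16LE, because Internet Explorer holds much of its text as Windows wide strings and a plain ASCII search misses those. The file names 2984.dmp and 4480.dmp come from the output above; SAMPLE_DUMP is a constructed stand-in for a real dump so the code runs offline.

```python
"""Search Volatility `memdump` output for a phrase in UTF-8 and UTF-16LE.

Added example for this writeup, not part of the original post. It assumes the
per-process dumps written by `memdump -D .` (e.g. 2984.dmp, 4480.dmp) are in
the working directory; SAMPLE_DUMP below is a constructed stand-in so the
code runs without a real memory image.
"""
import mmap
import re
from pathlib import Path
from typing import Dict, Iterable, List

CONTEXT = 40  # bytes of surrounding memory to show around each hit


def encodings_for(needle: str) -> Dict[str, bytes]:
    """Byte patterns to look for: browsers hold text both as UTF-8 (network
    buffers, HTML) and as UTF-16LE (Win32 wide strings, window titles)."""
    return {"utf-8": needle.encode("utf-8"), "utf-16le": needle.encode("utf-16-le")}


def _printable(text: str) -> str:
    """Replace anything outside printable ASCII so context lines stay readable."""
    return "".join(c if 32 <= ord(c) < 127 else "." for c in text)


def find_string(blob, needle: str) -> List[dict]:
    """Return every case-insensitive hit of `needle` in a bytes-like `blob`,
    with the encoding it was found in, its offset and a decoded context window."""
    hits = []
    for enc, pattern in encodings_for(needle).items():
        # IGNORECASE on a bytes pattern folds ASCII letters only, which is what
        # we want; the \x00 bytes of the UTF-16LE pattern are unaffected.
        for m in re.finditer(re.escape(pattern), blob, re.IGNORECASE):
            start = max(0, m.start() - CONTEXT)
            if enc == "utf-16le" and (m.start() - start) % 2:
                start += 1  # keep the context window on a 2-byte boundary
            end = min(len(blob), m.end() + CONTEXT)
            window = bytes(blob[start:end]).decode(enc, errors="replace")
            hits.append({"encoding": enc, "offset": m.start(), "context": _printable(window)})
    return sorted(hits, key=lambda h: h["offset"])


def scan_dump_files(paths: Iterable[Path], needle: str) -> Dict[str, List[dict]]:
    """Scan each dump file through mmap (dumps are often gigabytes) and report
    only the files that contain the phrase."""
    results = {}
    for path in paths:
        if path.stat().st_size == 0:
            continue  # mmap refuses empty files; nothing to search anyway
        with path.open("rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            hits = find_string(mm, needle)
        if hits:
            results[path.name] = hits
    return results


# Constructed sample "process memory": the IE search query as UTF-8 beside the
# video title as a UTF-16LE wide string. Not data from the real image.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"q=how to stop getting hacked over and over\r\n"
    + b"\x00" * 8
    + "How Hackers Hack, and How To Stop Them".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    # Usage against real memdump output: run in the directory holding the .dmp files.
    for name, hits in scan_dump_files(Path.cwd().glob("*.dmp"), "How Hackers Hack").items():
        for h in hits:
            print(f"{name} @0x{h['offset']:x} [{h['encoding']}] {h['context']}")
```

The encoding of a hit is itself evidence: a UTF-16LE hit usually comes from a live Win32 string (a tab or window title), while a UTF-8 hit is more often page content or a request buffer.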
What is the product version of the application from Part 1?
The first place I thought to check was in the registry. There is a value svcversion in the key HKLM\Software\Microsoft\Windows\Internet Explorer; however, when I tried to run printkey it didn't come back with anything. This may have been because this key was just not in memory at the time the image was taken.
I decided to try another option by looking at the process itself. It may have the version number in the binary information. I used procdump with the PID from the last question to dump out the iexplore binary.
Looking at the details of the binary for iexplore.exe, we can see the Product Version: