
Magnet Weekly CTF Challenge Week #12

Windows Memory Forensics

3 min read · Dec 29, 2020


Part 1

What is the PID of the application where you might learn “how hackers hack, and how to stop them”?

Format: ####

Warning: Only 1 attempt allowed!

From investigating the internet history in the previous questions, I remember an IE search similar to the quote in the question.

This search was for “how to stop getting hacked over and over”, found in the bulk_extractor output, which was also in the IE history.


There may be a much more elegant solution for finding the quote in the question, but I just visited the URL in IE and found a YouTube video by SciShow with a matching title.


I dumped the two iexplore.exe processes that were listed in pslist.

vol.py -f memdump.mem --profile Win7SP1x64 memdump -n iexplore -D .

Writing iexplore.exe [  2984] to 2984.dmp
Writing iexplore.exe [ 4480] to 4480.dmp

I hoped to look through the memory of these processes to see whether one of the dumps contained the string I was looking for.

Below, the dump for PID 4480 contains a link to the video titled “How Hackers Hack, and How To Stop Them”:
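An added example of the string-search step (not code from the original write-up): a small Python script that scans Volatility memdump output files such as 2984.dmp and 4480.dmp for the phrase in both ASCII and UTF-16LE, since Internet Explorer holds page titles and URLs as UTF-16 in memory and a plain grep for the ASCII form can miss them. The dump contents below are constructed stand-ins; the `<PID>.dmp` file names follow the memdump naming from the command above.

```python
"""Search Volatility memdump output (e.g. 4480.dmp) for a phrase in ASCII and UTF-16LE."""
import re
import sys
import tempfile
from pathlib import Path

NEEDLE = "How Hackers Hack, and How To Stop Them"


def patterns_for(needle: str) -> dict:
    """Byte patterns for the phrase: IE keeps titles/URLs as UTF-16LE, page bodies as ASCII."""
    return {"ascii": needle.encode("ascii"), "utf-16le": needle.encode("utf-16-le")}


def find_in_blob(blob: bytes, needle: str, context: int = 32) -> list:
    """Case-insensitive hits as (offset, encoding, printable context), sorted by offset."""
    hits = []
    for enc, pattern in patterns_for(needle).items():
        unit = 2 if enc == "utf-16le" else 1
        for m in re.finditer(re.escape(pattern), blob, re.IGNORECASE):
            # Keep the context window aligned to whole UTF-16 code units around the hit
            back = min(context, m.start())
            back -= back % unit
            fwd = min(context, len(blob) - m.end())
            fwd -= fwd % unit
            window = blob[m.start() - back:m.end() + fwd]
            text = window.decode("utf-16-le" if unit == 2 else "latin-1", errors="replace")
            clean = "".join(ch if ch.isprintable() else "." for ch in text)
            hits.append((m.start(), enc, clean))
    return sorted(hits)


def scan_dumps(paths, needle: str) -> dict:
    """Map each dump's PID (taken from the memdump file name) to its hits."""
    return {Path(p).stem: find_in_blob(Path(p).read_bytes(), needle) for p in paths}


# Constructed stand-ins for the two process dumps; not the real CTF image contents.
SAMPLE_2984 = (b"\x00" * 64
               + b"q=how+to+stop+getting+hacked+over+and+over"  # the earlier IE search
               + b"\x00" * 64)
SAMPLE_4480 = (b"\x00" * 64
               + b"<title>how hackers hack, and how to stop them - YouTube</title>"
               + b"\x00" * 32
               + NEEDLE.encode("utf-16-le")                      # UTF-16 copy, as IE stores it
               + b"\x00" * 64)


def demo() -> dict:
    """Write the constructed blobs as <pid>.dmp files and scan them like real memdump output."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for pid, blob in (("2984", SAMPLE_2984), ("4480", SAMPLE_4480)):
            p = Path(d) / f"{pid}.dmp"
            p.write_bytes(blob)
            paths.append(p)
        return scan_dumps(paths, NEEDLE)


if __name__ == "__main__":
    # Usage: python scan_dumps.py 2984.dmp 4480.dmp   (no arguments runs the constructed demo)
    results = scan_dumps(sys.argv[1:], NEEDLE) if len(sys.argv) > 1 else demo()
    for pid, hits in results.items():
        print(f"PID {pid}: {len(hits)} hit(s)")
        for offset, enc, ctx in hits:
            print(f"  0x{offset:08x} [{enc}] {ctx}")
```

Searching both encodings matters here: the page title sits in the dump as UTF-16, so a byte-for-byte ASCII search would report nothing for 4480 even though the process clearly rendered the video page.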


Answer: 4480

Part 2

What is the product version of the application from Part 1?

Format: XX.XX.XXXX.XXXXX

The first place I thought to check was the registry. There is a value svcversion in the key HKLM\Software\Microsoft\Windows\Internet Explorer; however, when I tried to run printkey it didn’t come back with anything. This may be because this key was simply not in memory at the time the image was taken.

I decided to try another option by looking at the process itself, since the version number may be in the binary’s version information. I used procdump with the PID from the last question to dump out the iexplore binary.


Looking at the details of the binary for iexplore.exe, we can see the Product Version:

Answer: 11.00.9600.18858
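An added example (not the author’s code) showing how the Product Version can be read directly from a procdump’d iexplore.exe without opening the Properties dialog: it locates VS_FIXEDFILEINFO by its 0xFEEF04BD signature and pulls the ProductVersion string out of the StringFileInfo table. The lookup is a raw byte search rather than a full PE resource-directory walk, so it still works on a dumped image whose headers are incomplete. The version resource in the sample is constructed to carry the value from this answer and omits the StringFileInfo/StringTable wrapper nodes a real resource has; it is not the real iexplore.exe.

```python
"""Read the product version out of a dumped PE image (e.g. procdump output for iexplore.exe)."""
import struct
import sys

FIXEDINFO_SIG = struct.pack("<I", 0xFEEF04BD)   # VS_FIXEDFILEINFO.dwSignature, little-endian


def fixed_product_version(blob: bytes):
    """Numeric (major, minor, build, revision) from VS_FIXEDFILEINFO, or None if absent."""
    i = blob.find(FIXEDINFO_SIG)
    if i < 0 or i + 24 > len(blob):
        return None
    # Layout: dwSignature, dwStrucVersion, dwFileVersionMS/LS, dwProductVersionMS/LS, ...
    ms, ls = struct.unpack_from("<II", blob, i + 16)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def _utf16z(blob: bytes, pos: int) -> str:
    """Decode a NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[pos:end].decode("utf-16-le", errors="replace")


def string_value(blob: bytes, key: str):
    """Value of a StringFileInfo entry (e.g. 'ProductVersion'); first occurrence wins."""
    pattern = key.encode("utf-16-le") + b"\x00\x00"
    i = blob.find(pattern)
    if i < 0:
        return None
    pos = i + len(pattern)
    if blob[pos:pos + 2] == b"\x00\x00":      # one WORD of padding to the 32-bit boundary
        pos += 2
    return _utf16z(blob, pos)


def version_report(blob: bytes) -> dict:
    """Both views of the product version: the numeric struct and the string the dialog shows."""
    fixed = fixed_product_version(blob)
    return {
        "fixed": ".".join(map(str, fixed)) if fixed else None,
        "ProductVersion": string_value(blob, "ProductVersion"),
        "ProductName": string_value(blob, "ProductName"),
    }


def _vs_entry(key: str, value: bytes, value_len: int, wtype: int) -> bytes:
    """One VS_VERSIONINFO-style node: wLength, wValueLength, wType, szKey, padding, value."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00" * ((-(6 + len(key_b))) % 4)
    body = key_b + pad + value
    return struct.pack("<HHH", 6 + len(body), value_len, wtype) + body


def build_sample_image(product: str = "11.00.9600.18858", name: str = "Internet Explorer") -> bytes:
    """Constructed PE-like blob with a version resource (NOT the real iexplore.exe)."""
    major, minor, build, rev = (int(x) for x in product.split("."))
    ms, ls = (major << 16) | minor, (build << 16) | rev
    fixed = struct.pack("<13I", 0xFEEF04BD, 0x00010000, ms, ls, ms, ls, 0x3F, 0, 0x40004, 1, 0, 0, 0)
    strings = b""
    for k, v in (("ProductVersion", product), ("ProductName", name)):
        strings += _vs_entry(k, v.encode("utf-16-le") + b"\x00\x00", len(v) + 1, 1)
        strings += b"\x00" * ((-len(strings)) % 4)   # sibling nodes are 32-bit aligned
    root = _vs_entry("VS_VERSION_INFO", fixed + strings, len(fixed), 0)
    return b"MZ\x90\x00" + b"\x00" * 60 + root + b"\x00" * 16


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    # Usage: python pe_version.py 4480.exe   (no argument reads the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for field, value in version_report(data).items():
        print(f"{field}: {value}")
```

The two views differ in form: VS_FIXEDFILEINFO yields 11.0.9600.18858, while the StringFileInfo value is the zero-padded 11.00.9600.18858 that the Properties dialog displays and that the challenge’s XX.XX.XXXX.XXXXX format expects, so the string table is the one to read for the answer.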
