Magnet Weekly CTF Challenge Week #9

Windows Memory Forensics

Part 1

https://svch0st.medium.com/magnet-virtual-summit-2020-ctf-memory-7927c755a182

Part 2

vol.py -f memdump.mem --profile=Win7SP1x64 handles -p 3180 -t File
grep -F '.doc' filescan.txt
grep -F '.txt' filescan.txt
grep -F 'Document' filescan.txt
vol.py -f memdump.mem --profile=Win7SP1x64 dumpfiles -Q 0x000000013e6de810 -D .

Part 3

vol.py -f memdump.mem --profile=Win7SP1x64 mftparser --output-file=mft.txt

Part 4

Part 5

Part 6

strings -o memdump.mem > strings.txt
1274225055:wow_this_is_an_uncrackable_password

Part 7