MemLabs: Last 3 challenges

[Write-up]

You can find the challenges here.

Challenge #4 — Obsession

  • Description

My system was recently compromised. The Hacker stole a lot of information but he also deleted a very important file of mine. I have no idea on how to recover it. The only evidence we have, at this point of time is this memory dump. Please help me.

  • Volatility Profile

C:\Users\mohammed\Desktop\MemLabs\Lab04 λ C:\Tools\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone.exe -f MemoryDump_Lab4.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\mohammed\Desktop\MemLabs\Lab04\MemoryDump_Lab4.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800027f60a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800027f7d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-06-29 07:30:00 UTC+0000
     Image local date and time : 2019-06-29 13:00:00 +0530

I chose the first suggested profile, Win7SP1x64, since this is a small raw image and the imageinfo plugin is accurate enough for it.

  • Highlights

1 - A deleted file tells me that I should look into file artifacts.

  • Flag

I ran the pslist plugin on the image to see which processes were running at the time of acquisition. I immediately noticed that StikyNote.exe was running; maybe the flag was there.

I dumped the process to see what it might contain and extracted its strings. After consulting Google, I learned that Sticky Notes saves its notes in .snt files.

So, unfortunately, the flag was not here.

I told myself that maybe the flag is stored in an image, as usual.

I had a hunch that this screenshot was cropped, so I modified the hex to revert it to its original dimensions.
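The header edit above can be done with a small script instead of a hex editor. The following is an added example, not code from the original write-up, and it assumes the screenshot is a PNG: it rewrites the width/height in the IHDR chunk and recomputes the chunk CRC, since a hand-edited header with a stale CRC is rejected by many viewers.

```python
# Added example (not from the original write-up): patch the declared width/height
# in a PNG's IHDR chunk and recompute its CRC so viewers accept the edited file.
# Assumes the cropped screenshot is a PNG; the chunk CRC covers type + payload.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def read_ihdr(data: bytes) -> tuple:
    """Return (width, height) declared in the IHDR chunk of a PNG byte string."""
    if data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR chunk")
    return struct.unpack(">II", data[16:24])


def ihdr_crc_ok(data: bytes) -> bool:
    """Check that the stored IHDR CRC matches the chunk type plus payload."""
    length = struct.unpack(">I", data[8:12])[0]
    body = data[12:16 + length]
    stored = struct.unpack(">I", data[16 + length:20 + length])[0]
    return (zlib.crc32(body) & 0xFFFFFFFF) == stored


def patch_dimensions(data: bytes, width: int, height: int) -> bytes:
    """Rewrite IHDR width/height, recompute the chunk CRC, leave pixel data untouched."""
    read_ihdr(data)  # validates the header layout before touching anything
    length = struct.unpack(">I", data[8:12])[0]  # IHDR payload is always 13 bytes
    payload = bytearray(data[16:16 + length])
    struct.pack_into(">II", payload, 0, width, height)
    crc = zlib.crc32(b"IHDR" + bytes(payload)) & 0xFFFFFFFF
    return data[:16] + bytes(payload) + struct.pack(">I", crc) + data[20 + length:]


def make_test_png(width: int, height: int) -> bytes:
    """Constructed minimal PNG (IHDR + empty IDAT + IEND) used only as sample input."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"")) + chunk(b"IEND", b"")


if __name__ == "__main__":
    cropped = make_test_png(640, 200)            # constructed "cropped" header
    restored = patch_dimensions(cropped, 640, 480)
    print(read_ihdr(cropped), "->", read_ihdr(restored), "crc ok:", ihdr_crc_ok(restored))
```

On a real dump, read the bytes of the extracted screenshot instead of make_test_png and write the result of patch_dimensions to a new file.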
