MemLabs: Last 3 challenges
[Write-up]
You can find the challenges here.
Challenge #4 — Obsession
Description
My system was recently compromised. The Hacker stole a lot of information but he also deleted a very important file of mine. I have no idea on how to recover it. The only evidence we have, at this point of time is this memory dump. Please help me.
Volatility Profile
I chose the first suggested profile, Win7SP1x64, as this is a small raw image and the imageinfo plugin is accurate enough.
Highlights
1 - A deleted file tells me that I should look into file-system artifacts.
Flag
I ran the pslist plugin on the image to see which processes were running at the time of acquisition. I immediately noticed that StikyNote.exe was running; maybe the flag was there.
I dumped the process to see what it might contain and extracted the strings. After consulting Google, I learned that it saves its notes in .snt files.
So, unfortunately, the flag was not here.
I told myself that maybe the flag was stored in an image, as usual.
I had a hunch that this screenshot had been cropped, so I modified the hex to restore its original dimensions.
I laughed so hard. The flag was not here. Good one, buddy.
I gave it a wild shot with filescan to look for common file types (.txt, .jpeg, etc.), and there is a text file named Important.txt.
However, when I tried to dump it, it failed because the file had been deleted.
Because I have solved a good number of forensics challenges, I remembered that Windows stores file entries in the Master File Table (MFT).
I used the mftparser plugin to dump the MFT to a text file and look for this file. I grepped it, and the flag was there :)
inctf{1_is_n0t_EQu4l_7o_2_xxxxxxxxxxxxxxx}
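The reason the flag survived is that NTFS keeps the contents of very small files inside the MFT record itself (a resident $DATA attribute), and deleting the file only clears the record's in-use flag; mftparser prints exactly these records. The parser below is an added example that is not part of the original write-up or of Volatility: it builds a constructed 1024-byte FILE record (the name Important.txt and the flag-like content are sample values, not the challenge's) and then walks the record the way a forensic tool does, applying the update sequence fixups, reading the $FILE_NAME attribute and pulling out the resident $DATA even though the record is marked deleted.

```python
import struct

SECTOR = 512
RECORD_SIZE = 1024
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
END_MARKER = 0xFFFFFFFF


def build_sample_record(name: str, content: bytes, in_use: bool) -> bytes:
    """Construct a minimal MFT FILE record (sample data, not taken from the dump).
    It carries a resident $FILE_NAME and a resident $DATA attribute, which is how
    NTFS stores files small enough to live inside the 1 KiB record."""
    usn = b"\x01\x00"                 # update sequence number
    usa_offset, usa_count = 0x30, 3   # USN followed by one entry per 512-byte sector
    first_attr = 0x38

    def resident_attr(attr_type: int, payload: bytes) -> bytes:
        length = (0x18 + len(payload) + 7) & ~7    # attribute records are 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 0x18, 0, 0,
                          len(payload), 0x18, 0, 0)
        return (hdr + payload).ljust(length, b"\x00")

    # $FILE_NAME: parent ref (constructed), 4 timestamps, sizes, flags, reparse, name
    fn = struct.pack("<Q4Q2QIIBB", 5, 0, 0, 0, 0, len(content), len(content),
                     0, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = (resident_attr(ATTR_FILE_NAME, fn) + resident_attr(ATTR_DATA, content)
             + struct.pack("<I", END_MARKER))
    flags = 0x01 if in_use else 0x00   # bit 0 clear == record belongs to a deleted file
    header = b"FILE" + struct.pack("<HHQHHHHIIQH", usa_offset, usa_count, 0, 1, 1,
                                   first_attr, flags, first_attr + len(attrs),
                                   RECORD_SIZE, 0, 3)
    rec = bytearray(RECORD_SIZE)
    rec[:len(header)] = header
    rec[usa_offset:usa_offset + 6] = usn + b"\x00\x00" + b"\x00\x00"
    rec[first_attr:first_attr + len(attrs)] = attrs
    for s in range(1, usa_count):          # on disk, each sector's last 2 bytes hold the USN
        rec[s * SECTOR - 2:s * SECTOR] = usn
    return bytes(rec)


def apply_fixups(record: bytes) -> bytes:
    """Undo the update sequence array: restore the original last 2 bytes of each sector."""
    rec = bytearray(record)
    usa_offset, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_offset:usa_offset + 2]
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("update sequence mismatch: torn or corrupt record")
        rec[end - 2:end] = rec[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(rec)


def parse_record(record: bytes) -> dict:
    """Return in-use flag, file name and resident $DATA content of one MFT record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & 0x01), "is_dir": bool(flags & 0x02),
            "name": None, "resident_data": None}
    off = first_attr
    while off + 8 <= len(rec):
        attr_type, length = struct.unpack_from("<II", rec, off)
        if attr_type == END_MARKER or length == 0:
            break
        if rec[off + 8] == 0:                      # resident: content lives in the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            if attr_type == ATTR_FILE_NAME:
                name_len = content[0x40]
                info["name"] = content[0x42:0x42 + 2 * name_len].decode("utf-16-le")
            elif attr_type == ATTR_DATA:
                info["resident_data"] = bytes(content)
        off += length
    return info


if __name__ == "__main__":
    deleted = build_sample_record("Important.txt", b"flag{constructed_sample}", in_use=False)
    print(parse_record(deleted))
```

A non-resident $DATA attribute (larger files) only holds a run list pointing at clusters, which is why this trick works for small notes but not for big files; a real MFT dump is a sequence of such records, so the parser is applied every 1024 bytes.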
Challenge #5 — Black Tuesday
Description
We received this memory dump from our client recently. Someone accessed his system when he was not there, and he found some rather strange files being accessed. Find those files; they might be useful. I quote his exact statement:
The names were not readable. They were composed of alphabets and numbers but I wasn't able to make out what exactly it was.
Volatility Profile
I chose the first suggested profile, Win7SP1x64, as this is a small raw image and the imageinfo plugin is accurate enough.
Highlights
1 - “Someone accessed his system” tells me that there is something related to the Internet.
2 - “Were not readable” tells me that there is something related to encryption or compression.
Flag 1
I ran the iehistory plugin on the image to see the Internet history at the time of acquisition. There was the first flag.
flag{!!_w3LL_d0n3_St4g3-1_0f_Lxxxxxxxxxxxxxxx}
Flag 2
I ran the pslist plugin on the image to see which processes were running at the time of acquisition. I immediately noticed that there is more than one process named notepad.exe, and also WinRAR.exe.
I checked the command line; there is a .rar file.
I dumped it.
There is a note in the challenge saying that in order to get the 2nd flag, we need the first one. So my guess is that the password is the first flag.
flag{W1th_th1s_$taGe_2xxxxxxxxxxxxxxxxxxx}
Flag 3
The challenge is not DONE. There is a 3rd flag somewhere.
I went to check the notepad.exe process. Maybe the garbled text the user alluded to would make sense in a debugger or a disassembler. I opened the dump with the beloved IDA, and the flag was really there.
bi0s{M3m_l4B5_xxxxxxxxxxxx}
Challenge #6 — The Reckoning
Description
We received this memory dump from the Intelligence Bureau Department. They say this evidence might hold some secrets of the underworld gangster David Benjamin. This memory dump was taken from one of his workers whom the FBI busted earlier this week. Your job is to go through the memory dump and see if you can figure something out. FBI also says that David communicated with his workers via the internet so that might be a good place to start.
Volatility Profile
I chose the first suggested profile, Win7SP1x64, as this is a small raw image and the imageinfo plugin is accurate enough.
Highlights
1 - “Internet” tells me to look at browsers or Internet history.
Flag 1 — 1st half
I ran the envars plugin and noticed that there is a manually added entry.
So, there is a .rar file.
So, this is the second part of the flag. Let me look at the browser history. There are two browsers: Chrome and Firefox.
Flag 1 — 2nd half
I dumped the two files that store the history of both browsers: [Firefox: places.sqlite, Chrome: History.sqlite]
I opened History.sqlite using SQLite Browser.
I saw a Pastebin link. Then I opened it.
There is a Google Docs share, and a note that the key was sent to David by email.
After opening the shared doc, I skimmed the file and noticed a Mega link. I opened it, and it was encrypted with a key.
Then I opened the places.sqlite file to see the Firefox history.
There is the key in plaintext. I pasted it into the Mega link and saw a .png image.
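Opening the two databases in SQLite Browser works, but the two browsers store visit times in different epochs, so building one ordered timeline by hand is error-prone. The script below is an added example, not part of the original write-up: it creates constructed in-memory stand-ins for Chrome's History database (urls table) and Firefox's places.sqlite (moz_places table), reduced to the columns it reads and filled with sample URLs, converts Chrome's microseconds-since-1601 and Firefox's microseconds-since-1970 timestamps to UTC, merges both into one timeline and flags paste/share-site URLs. To run it against real files, replace the in-memory connections with sqlite3.connect() on copies of the dumped databases.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome's time base
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)     # Firefox's time base
MICROSECOND = timedelta(microseconds=1)


def to_chrome_time(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // MICROSECOND      # integer division keeps exact microseconds


def from_chrome_time(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def to_firefox_time(dt: datetime) -> int:
    return (dt - UNIX_EPOCH) // MICROSECOND


def from_firefox_time(us: int) -> datetime:
    return UNIX_EPOCH + timedelta(microseconds=us)


def build_sample_databases():
    """Constructed in-memory copies of the two history schemas, limited to the
    columns used below. URLs and times are sample values, not the challenge's."""
    t0 = datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc)
    chrome = sqlite3.connect(":memory:")
    chrome.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                   "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)")
    chrome.executemany("INSERT INTO urls VALUES (NULL, ?, ?, ?, 0, ?, 0)", [
        ("https://pastebin.com/constructed_paste", "Untitled - Pastebin", 1, to_chrome_time(t0)),
        ("https://docs.google.com/document/d/constructed_doc", "Shared document", 2,
         to_chrome_time(t0 + timedelta(minutes=5))),
    ])
    firefox = sqlite3.connect(":memory:")
    firefox.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                    "visit_count INTEGER, last_visit_date INTEGER)")
    firefox.executemany("INSERT INTO moz_places VALUES (NULL, ?, ?, ?, ?)", [
        ("https://mail.example.test/inbox", "Inbox", 3, to_firefox_time(t0 + timedelta(minutes=3))),
        ("https://mega.nz/file/constructed_link", "MEGA", 1, to_firefox_time(t0 + timedelta(minutes=10))),
        ("about:home", None, 1, None),       # bookmarked-but-never-visited rows have NULL dates
    ])
    return chrome, firefox


def chrome_history(con: sqlite3.Connection) -> list:
    rows = con.execute("SELECT url, title, visit_count, last_visit_time FROM urls")
    return [{"browser": "chrome", "url": u, "title": t, "visits": v, "time": from_chrome_time(ts)}
            for u, t, v, ts in rows]


def firefox_history(con: sqlite3.Connection) -> list:
    rows = con.execute("SELECT url, title, visit_count, last_visit_date FROM moz_places "
                       "WHERE last_visit_date IS NOT NULL")
    return [{"browser": "firefox", "url": u, "title": t, "visits": v, "time": from_firefox_time(ts)}
            for u, t, v, ts in rows]


def timeline(*histories) -> list:
    """Merge per-browser lists into one list ordered by UTC visit time."""
    return sorted((e for h in histories for e in h), key=lambda e: e["time"])


INTERESTING = ("pastebin.com", "docs.google.com", "mega.nz")   # paste and share sites


def flag_interesting(entries, markers=INTERESTING) -> list:
    return [e for e in entries if any(m in e["url"] for m in markers)]


if __name__ == "__main__":
    chrome, firefox = build_sample_databases()
    for e in timeline(chrome_history(chrome), firefox_history(firefox)):
        mark = "*" if flag_interesting([e]) else " "
        print(f"{mark} {e['time'].isoformat()} {e['browser']:7} {e['url']}")
```

Always work on a copy of the dumped database: SQLite opens the file for writing by default and a stray journal would alter the evidence.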
The .png image was corrupted. So, I examined it with a hex editor.
I noticed a small change in the header. The first chunk of a PNG image is IHDR (with a capital I, NOT a lowercase i).
And there was the first part of the flag. Wow what a challenge!
inctf{thi5_cH4LL3Ng3_!xxxxxxxxxxxxxxxxx