Tags: 2019 forensics topsecret newbiectf 

# **Forensics**
### ***Top Secret - 643***
He stole the virtual machine file containing the top secret of the enemy country.
However, due to the shortage of USB memory, I dumped only the memory that seemed to be the most important.
What is the secret of an enemy country? (A fake flag file exists.)
[File](https://drive.google.com/file/d/1eQMKWR8y-c2zPzqZFmncj0h8S7advhSm/view?usp=sharing)
### ***Solution***
* Download the given [File](https://drive.google.com/file/d/1eQMKWR8y-c2zPzqZFmncj0h8S7advhSm/view?usp=sharing)
* The file is a `.vmem` file: a raw dump of the virtual machine's RAM (the guest's physical memory as saved by VMware).
* To analyse a `.vmem` file properly, we can use [Volatility](https://www.volatilityfoundation.org/26) together with its [Command Reference](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference) (e.g. `imageinfo` to identify the profile, then `filescan`/`dumpfiles` to recover the flag file).
* But since we know the flag format (`KorNewbie{...}`), we can also solve this task by simply searching the dump for matching strings. Note that the challenge says a fake flag exists, so check every candidate the search returns:
* `strings "Windows 7 Enterprise K-b94208dd.vmem" | grep -oE "KorNewbie{.*}"`
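The one-liner above only finds ASCII strings; `strings` without `-el` silently skips UTF-16LE text, which is how Windows stores most of its in-memory strings, so a flag could be missed that way. The following script is an added example (not part of the original writeup) that scans a memory dump for the `KorNewbie{...}` format in both encodings and reports the byte offset of each hit, which helps when deciding which of several candidates (remember the fake flag) to look at more closely in Volatility. The sample bytes at the bottom are constructed for demonstration; the file path is a placeholder.

```python
import mmap
import re
import sys

# Printable ASCII inside the braces, excluding "}" so the match stops at the first closing brace.
ASCII_RE = re.compile(rb"KorNewbie\{[ -|~]{1,100}\}")

# Same format as UTF-16LE: every ASCII character is followed by a NUL byte.
WIDE_RE = re.compile(
    b"".join(bytes([c, 0]) for c in b"KorNewbie{")  # "KorNewbie{" widened
    + rb"(?:[ -|~]\x00){1,100}"                     # flag body, widened
    + rb"\}\x00"                                    # closing brace, widened
)


def find_flag_candidates(data):
    """Return every flag-format match in `data` (bytes or mmap) as
    {"offset", "encoding", "text"} dicts, sorted by offset."""
    hits = []
    for m in ASCII_RE.finditer(data):
        hits.append({"offset": m.start(), "encoding": "ascii",
                     "text": m.group().decode("ascii")})
    for m in WIDE_RE.finditer(data):
        hits.append({"offset": m.start(), "encoding": "utf-16le",
                     "text": m.group().decode("utf-16-le")})
    hits.sort(key=lambda h: h["offset"])
    return hits


def scan_file(path):
    """Memory-map the dump so multi-GB .vmem files are scanned without
    loading them fully into RAM; regex works directly on the mmap."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return find_flag_candidates(mm)


# Constructed sample: 9 bytes of junk, an ASCII "fake" flag, padding,
# then a UTF-16LE flag that the plain `strings | grep` pipeline would miss.
SAMPLE = (
    b"\x00\x00MZ\x90junk"
    + b"KorNewbie{fake_flag_here}"
    + b"\x00" * 8
    + "KorNewbie{wide_flag}".encode("utf-16-le")
    + b"\xff\xfe"
)

if __name__ == "__main__":
    # Usage: python find_flags.py "Windows 7 Enterprise K-b94208dd.vmem"
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_flag_candidates(SAMPLE)
    for h in hits:
        print(f"0x{h['offset']:08x}  {h['encoding']:8}  {h['text']}")
```

Each hit's offset can be fed to Volatility (for example by comparing it against `filescan`/`memmap` output) to see which process or file the string belongs to, which is usually enough to tell the real flag file from the decoy.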

Original writeup (https://sp0il3rs.github.io/write-ups/#newbiectf).