Tags: forensic

Rating:

# Top Secret

After downloading and unzipping the archive I got the file named "Windows 7 Enterprise K-b94208dd.vmem". Seems like it's a job for Volatility Framework. So let's get started.

## Solution

First of all, I determine the profile of the dump. Well, actually, first of all, I have renamed the file to 'dump'. Just to make the name shorter.

![imageinfo](./src/imageinfo.png)

Now that I know it's Win7SP1x86_23418, I can start to analyze the dump. Let's see the process list.

![pslist](./src/pslist.png)

There are two processes I am most interested in. They are chrome.exe and notepad.exe (although there are some other processes I could look at). First, I wanted to look at chrome's history.

![chromehistory](./src/chromehistory.png)

And here I found a few images, one of them is called flag.png. So that's must be something useful! But it's not, after looking at these images with stegsolve, exiftool and binwalk I found out these images are totally useless. So let's keep digging.

I decided to look at notepad.exe and dumped its memory. It took a while.

![memdump](./src/memdump.png)

Next, I fetched strings from dump and used grep "KorNewbie"

![flag](./src/flag.png)

The flag is KorNewbie{OH..You_Know_B4sic_0F_M3mory_Forensics!}

Original writeup (https://github.com/0awawa0/CTF-Writeups/tree/master/Newbie%20CTF%202019/Top%20Secret).