Tags: volatility forensics

Rating: 4.0

**Summary:** You are given a raw memory image and have to analyze it and extract the data hidden inside.

**What you will learn from it:**
* String analysis
* Binary extraction: RAW or DD images contain only the bytes read from the original source and nothing else. Any hashes or acquisition metadata are usually stored in a separate log file kept alongside the image file.
* Retrieving sensitive data from raw image files.

**How we solved it:**
There are many ways to solve this; the shortest is to use Volatility's **yarascan** plugin.

Command: `volatility -f foren.raw --profile=Win7SP1x64 yarascan -Y "FwordCTF{" -p 3700,3752,2560,3304,3528,616,540,3816,2516,3992`

`-p` restricts the scan to the listed PIDs (taken from `pslist`); leave it out to scan every process.

**Explanation:**
Getting the profile: `volatility -f foren.raw imageinfo` prints the suggested profiles for the image (here Win7SP1x64); if it lists several, `kdbgscan` helps confirm the right one.
Yarascan: YARA is a tool designed to help malware researchers identify and classify samples by matching rules built from text strings, hex byte patterns and regular expressions (it does not compare hash sets). Volatility's yarascan plugin runs such rules over the memory of each process and prints the owning process, its PID and a hex dump around every hit. With `-Y` a plain string is wrapped into a minimal rule that matches that string; `-W` matches the string as UTF-16 (wide) instead.

**Output:**

```
Owner: Process chrome.exe Pid 2560
0x0de50f6f 46 77 6f 72 64 43 54 46 7b 74 6f 70 5f 73 65 63 FwordCTF{top_sec
0x0de50f7f 72 65 74 5f 63 68 61 6e 6e 65 6c 7d 20 3a 45 6e ret_channel}.:En
0x0de50f8f 64 20 6f 66 20 2f 4e 41 4d 45 53 20 6c 69 73 74 d.of./NAMES.list
0x0de50f9f 2e 22 5d 20 3a 73 74 72 6f 73 73 2e 66 72 65 65 ."].:stross.free
0x0de50faf 6e 6f 64 65 2e 6e 65 74 20 33 37 32 20 53 65 6d node.net.372.Sem
0x0de50fbf 61 68 42 41 20 3a 2d 20 20 22 5d 81 71 61 5b 22 ahBA.:-.."].qa["
0x0de50fcf 3a 31 20 3a 73 74 72 6f 73 73 2e 66 72 65 65 6e :1.:stross.freen
0x0de50fdf 6f 64 65 2e 6e 65 74 20 33 37 32 20 53 65 6d 61 ode.net.372.Sema
0x0de50fef 68 42 41 20 3a 2d 20 49 66 20 79 6f 75 20 61 72 hBA.:-.If.you.ar
0x0de50fff 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 61 73 e.looking.for.as
0x0de5100f 73 69 73 74 61 6e 63 65 2c 20 79 6f 75 20 6d 61 sistance,.you.ma
0x0de5101f 79 20 62 65 20 61 62 6c 65 20 74 6f 20 66 69 6e y.be.able.to.fin
0x0de5102f 64 20 61 20 6c 69 73 74 20 6f 66 20 22 5d 81 73 d.a.list.of."].s
0x0de5103f 61 5b 22 3a 31 20 3a 73 74 72 6f 73 73 2e 66 72 a[":1.:stross.fr
0x0de5104f 65 65 6e 6f 64 65 2e 6e 65 74 20 33 37 32 20 53 eenode.net.372.S
0x0de5105f 65 6d 61 68 42 41 20 3a 2d 20 76 6f 6c 75 6e 74 emahBA.:-.volunt
```

The hit sits in the memory of chrome.exe (PID 2560), surrounded by IRC server replies from freenode (numeric 372 is the MOTD), so the browser had an IRC session open. Based on the output the flag is FwordCTF{top_secret_channel}.
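To show what the string analysis behind `yarascan -Y "FwordCTF{"` amounts to at the byte level, here is an added example (not the writeup's own code, and not taken from foren.raw) that greps a raw image for the flag prefix in both ASCII and UTF-16LE and prints a yarascan-style hex dump per hit. It reads the image in chunks with an overlap so a flag that straddles a chunk boundary is not missed, which is the edge case a naive chunked grep gets wrong. The sample image is constructed in `build_sample_image()`; the script name `scan_raw.py` is an assumption. What it cannot do without a profile is attribute a hit to a process or follow a string across physically non-contiguous pages, which is exactly what the Volatility plugin adds.

```python
"""Raw-image flag scan: added example, not the writeup's own code.

Greps a raw memory image for the flag prefix (ASCII and UTF-16LE) and dumps
each hit in yarascan style. No profile, so no process attribution, and a
string whose pages are not physically contiguous will be missed. The sample
image below is constructed; nothing here comes from foren.raw.
"""
import io
import re
import sys
from typing import BinaryIO, List, Tuple

# The closing brace is required, so a prefix cut off at a chunk edge never matches early.
ASCII_FLAG = re.compile(rb"FwordCTF\{[^}\x00]{1,128}\}")
# Same flag as UTF-16LE, which Windows uses for much of its string data
# (yarascan's -W option exists for the same reason).
WIDE_FLAG = re.compile(
    b"".join(bytes((c, 0)) for c in b"FwordCTF{") + rb"(?:[^}\x00]\x00){1,128}\}\x00"
)


def scan_image(fp: BinaryIO, patterns=(ASCII_FLAG, WIDE_FLAG),
               chunk_size: int = 1 << 20, overlap: int = 512) -> List[Tuple[int, bytes]]:
    """Return sorted (absolute_offset, matched_bytes) for every hit in the image.

    The image is read in chunks; the last `overlap` bytes of each chunk are
    kept and prepended to the next, so a flag straddling a chunk boundary is
    still seen whole. Hits inside the overlap show up twice and are
    deduplicated by absolute offset. `overlap` must exceed the longest match.
    """
    hits = {}
    base = 0          # absolute image offset of buf[0]
    tail = b""
    while True:
        block = fp.read(chunk_size)
        if not block:
            break
        buf = tail + block
        for pat in patterns:
            for m in pat.finditer(buf):
                hits.setdefault(base + m.start(), m.group(0))
        tail = buf[-overlap:]
        base += len(buf) - len(tail)
    return sorted(hits.items())


def decode_hit(raw: bytes) -> str:
    """Decode a hit as UTF-16LE when its second byte is NUL, otherwise as ASCII."""
    if len(raw) > 1 and raw[1] == 0:
        return raw.decode("utf-16-le")
    return raw.decode("ascii", errors="replace")


def hexdump(data: bytes, base: int, width: int = 16) -> str:
    """Format bytes the way yarascan prints them: offset, hex bytes, printable ASCII."""
    lines = []
    for i in range(0, len(data), width):
        row = data[i:i + width]
        hexs = " ".join(f"{b:02x}" for b in row)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append(f"0x{base + i:08x} {hexs:<{width * 3 - 1}} {text}")
    return "\n".join(lines)


def find_flags(data: bytes, **kwargs) -> List[str]:
    """Convenience for in-memory data: decoded flags in offset order."""
    return [decode_hit(raw) for _, raw in scan_image(io.BytesIO(data), **kwargs)]


CHUNK = 1 << 20


def build_sample_image() -> bytes:
    """Constructed stand-in for foren.raw: zero filler with an ASCII flag placed so
    it straddles the first 1 MiB chunk boundary, plus one UTF-16LE copy."""
    img = bytearray(CHUNK + 4096)
    irc = b"372 SemahBA :- FwordCTF{top_secret_channel} :End of /NAMES list."
    start = CHUNK - 10 - irc.index(b"FwordCTF{")   # flag begins 10 bytes before the boundary
    img[start:start + len(irc)] = irc
    wide = "FwordCTF{wide_copy}".encode("utf-16-le")
    img[2000:2000 + len(wide)] = wide
    return bytes(img)


def report(fp: BinaryIO) -> List[str]:
    """Scan the image, print a dump per hit and return the decoded flags."""
    flags = []
    for off, raw in scan_image(fp):
        print(hexdump(raw, off))
        flags.append(decode_hit(raw))
    return flags


if __name__ == "__main__":
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample_image())
    with src:
        print(report(src))
```

Run it as `python scan_raw.py foren.raw` to scan a real image, or with no argument to scan the constructed sample. The same search expressed as a rule file for Volatility would be `rule flag { strings: $f = /FwordCTF\{[^}]+\}/ condition: $f }` passed with `yarascan -y flag.yar`, which keeps the per-process attribution that this script lacks.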

Hope you like the writeup. Alternatively, Volatility Workbench from PassMark (the OSForensics vendor) runs the same plugins behind a GUI.