Tags: memory_dump forensics registry volatility 

## Memory 4
### Tags: Memory Forensics, Volatility, Memory Dump, Registry, Subkey, Key, Value, Hive, Windows 7

I didn't do the previous Memory challenge because it was solved by another teammate.

[Volatility](https://github.com/volatilityfoundation/volatility) is a great tool for memory forensics; it has many modules and commands for exploring a memory dump, and you should experiment with it if you're just starting out in forensics territory. The `imageinfo` command, which suggests the probable OS of the memory dump, told us that this is a 64-bit Windows 7 system, so we're using the `Win7SP1x64` profile from now on.

This challenge is pretty tricky; the only clue it gave us was:
```
Since i'm a geek, i hide my secrets in weird places
```
That's it. Where on a computer do geeks hide their secrets? It's pretty vague, and I didn't have any clue what to do, so I looked at what a geek might do on their computer. After several failed attempts, I discovered the `printkey` command in Volatility. I naively ran it without any arguments:
```
python vol.py -f ../../FWord/foren.raw --profile=Win7SP1x64 printkey
```

Without a key specified, this command walks every registry hive in the dump and prints each key together with its subkeys, so it printed out the entire registry.

```
...
Registry: \Device\HarddiskVolume1\Boot\BCD
Key name: NewStoreRoot (S)
Last updated: 2020-08-26 09:10:18 UTC+0000

Subkeys:
(S) Description
(S) Objects

Values:
----------------------------
Registry: \??\C:\Users\SBA_AK\ntuser.dat
Key name: CMI-CreateHive{D43B12B8-09B5-40DB-B4F6-F6DFEB78DAEC} (S)
Last updated: 2020-08-26 09:11:20 UTC+0000

Subkeys:
(S) AppEvents
(S) Console
(S) Control Panel
(S) Environment
(S) EUDC
(S) FLAG
(S) Identities
(S) Keyboard Layout
(S) Network
(S) Printers
(S) Software
(S) System
(V) Volatile Environment

Values:
----------------------------
Registry: \??\C:\Users\SBA_AK\AppData\Local\Microsoft\Windows\UsrClass.dat
...
```

One particular hive, the `ntuser.dat` of user SBA_AK, has a FLAG subkey, which is obviously interesting. So I ran the `hivelist` command to get the virtual offset of that hive, which is needed to print the subkey's value:
```
python vol.py -f ../../FWord/foren.raw --profile=Win7SP1x64 hivelist
```
```
...
0xfffff8a0014da410 0x00000000275c0410 \SystemRoot\System32\Config\SAM
0xfffff8a0033fe410 0x0000000069de6410 \??\C:\Users\SBA_AK\ntuser.dat
0xfffff8a0036e7010 0x0000000069188010 \??\C:\Users\SBA_AK\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a0038fe280 0x0000000068390280 \??\C:\System Volume Information\Syscache.hve
...
```

Now to print the flag:
```
python vol.py -f ../../FWord/foren.raw --profile=Win7SP1x64 printkey -o 0xfffff8a0033fe410 -K 'FLAG'
```
`-o` gives the virtual offset of the hive, which we got from `hivelist`, and `-K` names the subkey whose values we want to see.
```
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \??\C:\Users\SBA_AK\ntuser.dat
Key name: FLAG (S)
Last updated: 2020-08-25 18:45:05 UTC+0000

Subkeys:

Values:
REG_SZ : (S) FwordCTF{hiding_secrets_in_regs}
```
After solving this, it started to make sense that "geeks" like to mess with the registry. Well, if you're messing with any system, you're technically also a "geek"...
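Doing the two steps above by eye works for one hive, but a dump has a dozen hives and hundreds of keys. The script below is an added example (not part of the original writeup and not Volatility's own code) that parses captured `hivelist` and `printkey` text, compares the root subkeys of `ntuser.dat` against a baseline of what a clean Windows 7 user hive normally contains, and builds the follow-up `printkey -o ... -K ...` command for anything that is not on the list. The sample output strings are constructed from the writeup; the `NTUSER_ROOT_BASELINE` set is an assumption written from a clean profile and should be extended from your own golden image.

```python
"""Triage helper for Volatility 2 `hivelist` / `printkey` text output.

Added example: parses the text Volatility prints, so it runs offline on
captured output and never touches the memory image itself.
"""
import re

# Constructed sample of `hivelist` output (offsets copied from the writeup).
HIVELIST_SAMPLE = r"""
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a0014da410 0x00000000275c0410 \SystemRoot\System32\Config\SAM
0xfffff8a0033fe410 0x0000000069de6410 \??\C:\Users\SBA_AK\ntuser.dat
0xfffff8a0036e7010 0x0000000069188010 \??\C:\Users\SBA_AK\AppData\Local\Microsoft\Windows\UsrClass.dat
"""

# Constructed sample of the root-key block of `printkey` output.
PRINTKEY_SAMPLE = r"""
----------------------------
Registry: \??\C:\Users\SBA_AK\ntuser.dat
Key name: CMI-CreateHive{D43B12B8-09B5-40DB-B4F6-F6DFEB78DAEC} (S)
Last updated: 2020-08-26 09:11:20 UTC+0000

Subkeys:
  (S) AppEvents
  (S) Console
  (S) Control Panel
  (S) Environment
  (S) EUDC
  (S) FLAG
  (S) Identities
  (S) Keyboard Layout
  (S) Network
  (S) Printers
  (S) Software
  (S) System
  (V) Volatile Environment

Values:
----------------------------
"""

# Assumption: subkeys normally present at the root of a Windows 7 NTUSER.DAT,
# hand-written from a clean profile. Extend it from your own golden image.
NTUSER_ROOT_BASELINE = {
    "AppEvents", "Console", "Control Panel", "Environment", "EUDC",
    "Identities", "Keyboard Layout", "Network", "Printers", "Software",
    "System", "Volatile Environment",
}

HIVE_LINE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S.*)$")


def parse_hivelist(text):
    """Map hive path -> virtual offset (the value `printkey -o` expects)."""
    hives = {}
    for line in text.splitlines():
        m = HIVE_LINE.match(line.strip())
        if m:
            hives[m.group(3).strip()] = int(m.group(1), 16)
    return hives


def parse_printkey(text):
    """Split printkey output into per-key records with subkey and value lines."""
    records, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if line.startswith("Registry:"):
            current = {"registry": line.split(":", 1)[1].strip(),
                       "key": None, "subkeys": [], "values": []}
            records.append(current)
            section = None
        elif current is None:
            continue
        elif line.startswith("Key name:"):
            current["key"] = line.split(":", 1)[1].strip()
        elif stripped == "Subkeys:":
            section = "subkeys"
        elif stripped == "Values:":
            section = "values"
        elif section and stripped and not stripped.startswith("---"):
            # Subkey lines look like "(S) Name" or "(V) Name"; drop the flag.
            if section == "subkeys":
                stripped = re.sub(r"^\([SV]\)\s*", "", stripped)
            current[section].append(stripped)
    return records


def unexpected_subkeys(records, registry_suffix, baseline):
    """Root subkeys of the matching hive that the clean baseline lacks."""
    for rec in records:
        if rec["registry"].lower().endswith(registry_suffix.lower()):
            return sorted(set(rec["subkeys"]) - baseline)
    return []


def build_printkey_cmd(image, profile, hive_offset, key):
    """Argument list for the follow-up `printkey` query (built, not run)."""
    return ["python", "vol.py", "-f", image, "--profile=" + profile,
            "printkey", "-o", hex(hive_offset), "-K", key]


if __name__ == "__main__":
    hives = parse_hivelist(HIVELIST_SAMPLE)
    recs = parse_printkey(PRINTKEY_SAMPLE)
    odd = unexpected_subkeys(recs, "ntuser.dat", NTUSER_ROOT_BASELINE)
    print("unexpected root subkeys:", odd)
    ntuser = next(p for p in hives if p.lower().endswith("ntuser.dat"))
    for key in odd:
        print(" ".join(build_printkey_cmd("foren.raw", "Win7SP1x64", hives[ntuser], key)))
```

Run it against the real `printkey` dump by replacing the constructed samples with files captured via `> printkey.txt` and `> hivelist.txt`; the baseline comparison is what turns a wall of keys into a short list worth a second look, and the same idea applies to the `Software` and `System` hives with their own baselines.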