Tags: volatility forensics
Rating:
Category : Forensic
Points : 425
Author : krn bhargav (Ryn0)
Team : Red-Knights
We need to do some classic forensic stuff on this mem dump, can you help us and check what is important there?
Dump file: 259 MB (sorry for not uploading it).
We have a Microsoft Windows 64-bit crash dump, so the tool for this is Volatility 3. Thanks to the authors for making our life easy. One check before anything else: Volatility 3 needs the symbol table for the exact kernel build in the dump (it fetches the PDB from Microsoft's symbol server on first use, or you drop a pre-built ISF JSON into the symbols directory), so run windows.info first to confirm the image is recognised before spending time on other plugins.
During this CTF I tried everything to analyse MEMORY.dmp but did not find anything; finally I used this command.
vol.py -f MEMORY.dmp windows.lsadump
This runs the lsadump plugin, which finds the SYSTEM and SECURITY registry hives in memory, derives the boot key from SYSTEM, and uses it to decrypt the LSA secrets kept under SECURITY\Policy\Secrets (DefaultPassword, DPAPI_SYSTEM, _SC_<service> account passwords and similar). The flag was sitting in one of those secrets. For a full credential triage of the same dump the companion plugins windows.hashdump (SAM password hashes) and windows.cachedump (cached domain logons) are worth running in the same pass. Note that string-valued LSA secrets are stored as UTF-16LE, so a value that looks odd in the Secret column should be read from the Hex column.
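The following is an added example, not part of the original writeup and not Volatility's own code: a small post-processor for lsadump output that decodes each secret's Hex column as UTF-16LE and as 8-bit text and greps every decoding for the flag format, so a flag stored as a UTF-16LE password is not missed because of the interleaved NUL bytes. The sample output embedded below is constructed for the example (the rows, the DPAPI and NL$KM bytes, and the _SC_FlagSvc service are made up; the flag bytes are the challenge flag encoded by hand), and the tab-separated Key/Secret/Hex layout is an assumption about the plugin's text rendering; if your Volatility build wraps the hex dump over several lines, adjust parse_lsadump accordingly.

```python
"""Grep Volatility 3 windows.lsadump output for flag-shaped secrets.

LSA secrets are raw byte blobs. String-valued ones (DefaultPassword, _SC_<service>
passwords) are UTF-16LE, so a flag typed into a password field shows up in the Hex
column as 41 00 46 00 ... and may look like spaced-out letters in the Secret column.
Only the Hex column is trusted here; the Secret column is a lossy rendering of it.
"""
import re
from typing import Dict, List, Pattern

# Constructed sample (not from the real dump) in an assumed tab-separated
# Key<TAB>Secret<TAB>Hex layout. DefaultPassword carries the flag as UTF-16LE,
# _SC_FlagSvc carries a second flag as plain ASCII, the other rows are filler.
SAMPLE_LSADUMP_OUTPUT = """\
Volatility 3 Framework 2.5.0
Progress:  100.00\t\tPDB scanning finished
Key\tSecret\tHex

DPAPI_SYSTEM\t,\t2c 00 00 00 01 00 00 00 aa bb cc dd ee ff 00 11 22 33
DefaultPassword\tA F F C T F { f 0 r e n s i c _ w 3 l l _ d 0 n 3 }\t41 00 46 00 46 00 43 00 54 00 46 00 7b 00 66 00 30 00 72 00 65 00 6e 00 73 00 69 00 63 00 5f 00 77 00 33 00 6c 00 6c 00 5f 00 64 00 30 00 6e 00 33 00 7d 00
_SC_FlagSvc\tAFFCTF{svc}\t41 46 46 43 54 46 7b 73 76 63 7d
NL$KM\t\t00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
"""

# Flag format used by this CTF; swap in the pattern of the event you are working.
FLAG_RE = re.compile(r"AFFCTF\{[^}]*\}")
# A hex byte is exactly two hex digits standing alone; an ASCII tail like "A.F.F." does not match.
HEX_BYTE_RE = re.compile(r"\b[0-9a-fA-F]{2}\b")


def parse_lsadump(text: str) -> Dict[str, bytes]:
    """Return {secret name: raw bytes} from the plugin's text output.

    Banner, progress and header lines are skipped; rows without a decodable
    Hex column are dropped.
    """
    secrets: Dict[str, bytes] = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3:
            continue
        key, hexcol = parts[0], parts[-1]
        if not key or key == "Key" or key.startswith(("Volatility", "Progress")):
            continue
        raw = bytes(int(tok, 16) for tok in HEX_BYTE_RE.findall(hexcol))
        if raw:
            secrets[key] = raw
    return secrets


def decodings(raw: bytes) -> List[str]:
    """Candidate text renderings of one secret blob, most likely first."""
    out: List[str] = []
    if len(raw) % 2 == 0:
        # How LSA stores string secrets; errors="replace" keeps binary blobs from raising.
        out.append(raw.decode("utf-16-le", errors="replace"))
    # Plain 8-bit text, and the same bytes with NULs stripped (UTF-16LE seen as ASCII).
    out.append(raw.decode("latin-1"))
    out.append(raw.replace(b"\x00", b"").decode("latin-1"))
    return out


def find_flags(text: str, pattern: Pattern[str] = FLAG_RE) -> Dict[str, str]:
    """Map secret name -> first flag-shaped string found in any decoding of it."""
    hits: Dict[str, str] = {}
    for key, raw in parse_lsadump(text).items():
        for candidate in decodings(raw):
            match = pattern.search(candidate)
            if match:
                hits[key] = match.group(0)
                break
    return hits


if __name__ == "__main__":
    # Usage against a real run: vol.py -f MEMORY.dmp windows.lsadump > lsadump.txt
    for name, flag in find_flags(SAMPLE_LSADUMP_OUTPUT).items():
        print(f"{name}: {flag}")
```

Feed it the saved output of `vol.py -f MEMORY.dmp windows.lsadump` instead of the embedded sample; decodings() is deliberately tolerant because DPAPI_SYSTEM, NL$KM and similar entries are binary keys, not text, and must not break the scan of the rows that matter.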
Flag : AFFCTF{f0rensic_w3ll_d0n3}