Tags: forensics volatility gimp memory_dump 


The challenge consists of a single vmem file (VM memory dump).
After some analysis, one thing that stood out was that the mstsc.exe process (the Windows Remote Desktop client) was running.
After a little bit of poking around, the flag could be found in one of the images preserved in the process memory.
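
The step above amounts to viewing raw process memory as pixels, as GIMP's raw image import does. The following is an added example, not code from the original writeup: it renders a window of an already dumped process image as a BMP at several candidate widths. The function names, the 32-bit B,G,R,X pixel layout and the sample bytes are assumptions.

```python
import struct

def raw_to_bmp(data, offset, width, height, bpp=4):
    """Render data[offset:] as `height` top-down rows of `width` pixels and
    return a 24-bit BMP file as bytes.
    Assumption: pixels are stored B,G,R[,X]; if the dump is really R,G,B the
    colours are swapped but on-screen text stays readable."""
    if offset < 0 or width <= 0 or height <= 0 or bpp not in (3, 4):
        raise ValueError("bad geometry")
    stride = width * bpp
    # Zero-pad so a window that runs off the end of the dump still renders.
    window = data[offset:offset + stride * height].ljust(stride * height, b"\x00")
    pad = b"\x00" * ((-width * 3) % 4)  # BMP rows are 4-byte aligned
    rows = []
    for y in range(height):
        row = window[y * stride:(y + 1) * stride]
        # Keep the three colour bytes of each pixel, drop the 4th (X/alpha).
        rows.append(b"".join(row[x * bpp:x * bpp + 3] for x in range(width)) + pad)
    pixels = b"".join(rows)
    # BITMAPINFOHEADER; negative height marks the rows as top-down.
    info = struct.pack("<IiiHHIIiiII", 40, width, -height, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    head = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    return head + info + pixels

def sweep_widths(data, offset, widths, height, bpp=4):
    """One rendering per candidate width. At the correct width the rows line
    up; at a wrong width the picture shears diagonally."""
    return {w: raw_to_bmp(data, offset, w, height, bpp) for w in widths}

if __name__ == "__main__":
    # Constructed sample: 16 junk bytes, then a 5x2 image (blue row, red row).
    # For a real case, read the dumped process memory file instead.
    sample = b"\xAA" * 16 + bytes([255, 0, 0, 0] * 5 + [0, 0, 255, 0] * 5)
    for w, bmp in sweep_widths(sample, 16, [4, 5, 6], 2).items():
        with open(f"guess_w{w}.bmp", "wb") as fh:
            fh.write(bmp)
```
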

Original writeup (https://billith.github.io/posts/justctf-2020-remote-password-manager/).