CTF : Memory Forensics

CTF Memory Forensics writeup. Source THM. Announced difficulty level: Easy

Posted by Boula-Bytes on 21 July 2022

Information

  • IP: N/A
  • MYIP: 10.9.85.5

Use Volatility to find John's password

console
$ ~/bin/volatility/vol.py -f Snapshot6.vmem windows.hashdump.Hashdump
Volatility 3 Framework 2.3.0
Progress:  100.00               PDB scanning finished
User            rid     lmhash                              nthash
Administrator   500     aad3b435b51404eeaad3b435b51404ee    31d6cfe0d16ae931b73c59d7e0c089c0
Guest           501     aad3b435b51404eeaad3b435b51404ee    31d6cfe0d16ae931b73c59d7e0c089c0
John            1001    aad3b435b51404eeaad3b435b51404ee    47fbd6536d7868c873d5ea455f2fc0c9
HomeGroupUser$  1002    aad3b435b51404eeaad3b435b51404ee    91c34c06b7988e216c3bfeb9530cabfb

I used CrackStation to crack John's NT hash. Two things in the dump are worth checking before cracking anything: the LM column is aad3b435b51404eeaad3b435b51404ee for every account, which is the placeholder Windows stores when no LM hash is kept, and the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 on Administrator and Guest is the hash of an empty password, so there is nothing to crack for those two.

Use Volatility to find some information

Last system shutdown

shell
~/bin/volatility/vol.py -f Snapshot19.vmem windows.registry.printkey.PrintKey --offset 0xf8a000024010 --recurse > tmp/registry.txt

The offset is the address of the SYSTEM hive as listed by windows.registry.hivelist.HiveList; dumping the hive recursively and grepping is quicker than walking down to ControlSet001\Control\Windows by hand. The value to look for is ShutdownTime under that key. printkey prints the key path and the value name in separate columns, so grep for the value name on its own:

shell
grep ShutdownTime tmp/registry.txt
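ShutdownTime is a REG_BINARY value holding an 8-byte little-endian Windows FILETIME (100 ns ticks since 1601-01-01 UTC), so the grep gives you raw bytes rather than a date. The converter below is an added example, not part of the original writeup; the sample value it decodes is constructed for the demonstration and is not the snapshot's real shutdown time.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100-nanosecond ticks.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (as stored in ShutdownTime) to UTC."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes, got %d" % len(raw))
    ticks, = struct.unpack("<Q", raw)
    # Integer division drops the sub-microsecond part; timedelta has no finer unit.
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def shutdown_time_from_hex(hex_data: str) -> datetime:
    """Accept the hex form you copy out of a registry dump (spaces/newlines tolerated)."""
    return filetime_to_utc(bytes.fromhex("".join(hex_data.split())))


def utc_to_filetime(when: datetime) -> bytes:
    """Inverse, used here to build the constructed sample value."""
    delta = when.astimezone(timezone.utc) - _FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


# Constructed sample (not from Snapshot19.vmem): 2022-07-21 08:30:00 UTC as FILETIME.
SAMPLE_TIME = datetime(2022, 7, 21, 8, 30, tzinfo=timezone.utc)
SAMPLE_HEX = utc_to_filetime(SAMPLE_TIME).hex()

if __name__ == "__main__":
    print("sample bytes :", SAMPLE_HEX)
    print("decoded (UTC):", shutdown_time_from_hex(SAMPLE_HEX).isoformat())
```

A quick sanity check on any decoded value: it must be earlier than the time the snapshot was taken and later than the OS install date, otherwise you are decoding the wrong bytes or the wrong endianness.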

What did John write?

I needed to switch to Volatility 2.6 because I didn't find anything...

shell
vol.py consoles -f Snapshot19.vmem --profile Win7SP1x64

The Volatility 2 consoles plugin carves the command history and screen buffers kept by conhost.exe, which is where anything typed into a cmd.exe window ends up; the profile has to match the image (Win7SP1x64 here) or the plugin finds nothing.

TrueCrypt Passphrase

shell
vol.py truecryptpassphrase -f Snapshot14.vmem --profile Win7SP1x64

This works because the TrueCrypt driver keeps the cached passphrase in memory while a volume is mounted; the companion plugins truecryptsummary and truecryptmaster give the mounted volume details and the master key if the passphrase itself is not recoverable.