Forensics
My Name Is ?
In this challenge, we are asked to find the name of the user that has just been pwned. To do this, we only need to run the envars plugin of volatility.
Using volatility2, we first need to get the image info:
Now we use the envars plugin to list all the environment variables:
And at the end of the file, we have the username we are looking for:
Wallpaper
In this challenge, we are tasked with recovering the wallpaper of the user. But when we try to dump the file C:\Users\FLAG{GooDN4me}\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg, nothing gets extracted. This path was found in the registry with the command vol2 -f memory2.raw --profile=Win7SP1x64 printkey -o 0xf8a00180f010 -K "Control Panel\Desktop" -v
Note that 0xf8a00180f010 is the virtual address of ntuser.dat, as reported by the hivelist plugin of volatility.
We can list all the processes using the pslist plugin of volatility, and we find these two processes that handle various aspects of the graphical user interface (GUI) in Windows:
We can dump those processes using their PIDs, 1912 and 1932:
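The two text-reading steps above (pulling USERNAME out of the envars listing, and finding the PIDs of dwm.exe and explorer.exe in the pslist listing) as an added Python example, not part of the original writeup: the sample output is constructed to mirror the column layout of vol2's envars and pslist, and the vol2, image and profile names are the ones used in the commands on this page.

```python
"""Pull the logged-on user and the GUI process PIDs out of volatility2 text output."""

# Constructed sample of `vol2 -f memory2.raw --profile=Win7SP1x64 envars` (not real tool output)
ENVARS_OUTPUT = """\
Pid      Process              Block              Variable                       Value
-------- -------------------- ------------------ ------------------------------ -----
     368 smss.exe             0x0000000000390490 Path                           C:\\Windows\\System32
    1912 dwm.exe              0x00000000003b1320 USERNAME                       FLAG{GooDN4me}
    1912 dwm.exe              0x00000000003b1320 USERPROFILE                    C:\\Users\\FLAG{GooDN4me}
    1932 explorer.exe         0x00000000003c0960 USERNAME                       FLAG{GooDN4me}
"""

# Constructed sample of `vol2 -f memory2.raw --profile=Win7SP1x64 pslist` (not real tool output)
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8001234560 System                    4      0     84      495 ------      0 2023-01-01 10:00:00 UTC+0000
0xfffffa8001f2a060 dwm.exe                1912    876      3       72      1      0 2023-01-01 10:01:12 UTC+0000
0xfffffa8001f3b8b0 explorer.exe           1932   1900     23      803      1      0 2023-01-01 10:01:13 UTC+0000
"""

# The two processes the writeup dumps to recover the desktop image.
GUI_PROCESSES = {"dwm.exe", "explorer.exe"}


def usernames_from_envars(text: str) -> dict[int, str]:
    """Map PID -> value of the USERNAME environment variable."""
    found = {}
    for line in text.splitlines():
        # Columns: Pid, Process, Block, Variable, Value (value may contain spaces)
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[0].isdigit() and parts[3] == "USERNAME":
            found[int(parts[0])] = parts[4].strip()
    return found


def gui_pids_from_pslist(text: str) -> dict[str, int]:
    """Map GUI process name -> PID so the right processes get dumped."""
    pids = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with the virtual offset; header and separator rows do not
        if len(parts) > 2 and parts[0].startswith("0x") and parts[1] in GUI_PROCESSES:
            pids[parts[1]] = int(parts[2])
    return pids


def memdump_commands(pids: dict[str, int], image="memory2.raw", profile="Win7SP1x64", out="dump/"):
    """Build the vol2 memdump command for each GUI process found."""
    return [f"vol2 -f {image} --profile={profile} memdump -p {pid} -D {out}" for pid in sorted(pids.values())]
```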
Now that we have the dump of both processes, we can rename each dump file to name.data. This allows us to open the raw data in GIMP and see the desktop.
Using dwm.exe:
Using explorer.exe:
Here is a link about GIMP's raw image view:
Thanks to kwikkill for the help he gave me in writing this solution.
MyPassword
As in the previous CTF INSA forensic challenge, we had to mix a bit of all the previous techniques. First we have to extract the hash from the disk image (boot sector), which is BitLocker encrypted:
Now we run john on the hash and retrieve the password:
As seen previously here, we download the dislocker extension of volatility2 and use it to extract the fvek files:
Here is the command, ready to copy and paste :)
volatility2 -f memory.raw --profile=Win7SP1x64 bitlocker --dislocker export/
Now we analyse the disk with fdisk and find an interesting device:
We now use dislocker to retrieve the unencrypted data:
We mount the decrypted disk on our file system and recover a KeePass file:
Now we just recover the hash using keepass2john and crack it with john:
With the KeePass password, we can open the file using keepassxc and recover the flag: