~$ Advent of Cyber 2022 - Day 11

Posted on Dec. 11th, 2022. | Est. reading time: 2 minutes

Blue Team: Memory Forensics

Question 1

What is the Windows version number that the memory image captured?

We run python3 vol.py -f workstation.vmem windows.info:

Screenshot of volatility's output.Oh no... not Windows.

Answer: 10

Question 2

What is the name of the binary/gift that secret Santa left?

We run python3 vol.py -f workstation.vmem windows.pslist:

Screenshot of volatility's output.I looooove gifts.

Answer: mysterygift.exe

Question 3

What is the Process ID (PID) of this binary?

We check the associated column.

Answer: 2040

Question 4

Dump the contents of this binary. How many files are dumped?

We run python3 vol.py -f workstation.vmem windows.dumpfiles --pid 2040 and then count the number of results.

Screenshot of volatility's output.There probably was a programatic solution to count the number of lines.

Answer: 16