Forensics tasks in Capture The Flag competitions fall into several broad types: analysis of RAM dumps, disk images, and network traffic captures. In this article we will work through the Remote Password Manager memory-analysis task from the JustCTF 2021 competition, and along the way look at a little-known but very useful feature of GIMP.
First, copy the memory image to the machine we will analyze it on (I use Kali).
WHAT DO WE DO?
RAM analysis comes into play when we had physical access to a machine and managed to capture a snapshot of its memory. From that snapshot we can determine which applications were running during the session, because until the user shuts down or reboots the computer, the data we are interested in (process memory, for example) lives in RAM. Even more interesting data can be found in the page file (pagefile.sys) and the hibernation file (hiberfil.sys); unlike RAM contents, these sit on disk and survive a reboot, so they can also be recovered from a disk image. On *nix systems, look at the swap partition instead.
Several tools for analyzing memory dumps are familiar to anyone who has dealt with forensics tasks: Volatility, Memoryze, and Autopsy (which uses Volatility for its memory analysis). There are others, of course, but we will not dwell on them.
Large suites like Autopsy are convenient because they run a comprehensive analysis of the whole image at the push of a button, but the price is a long run time. In a competition the task usually has to be solved as quickly as possible, so we will use Volatility.
TASK
Here is what the task statement looked like. We are given the RAM dump itself and its MD5 hash for verification.
Approximate translation:
QUOTE:
I have the most secure password manager. Even if you steal my laptop, you won't be able to learn my secrets.
Hint: Remote does not necessarily mean a browser
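As an added example (not from the original article or from the CTF organizers), here are the two steps worth doing before digging into the dump: checking that the downloaded image matches the MD5 hash handed out with the task, and running a first Volatility pass to identify the operating system and list processes. It assumes Volatility 3 is installed on the Kali box and available as `vol`; the file name and the hash in the usage line are placeholders, not the task's real values.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article.
# Verify a memory image against the MD5 published with the task,
# then run first-pass triage with Volatility 3.
set -u

# verify_image FILE EXPECTED_MD5
# Returns 0 if the file's MD5 matches EXPECTED_MD5, 1 otherwise.
verify_image() {
    local file="$1" expected="$2" actual
    actual=$(md5sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file md5=$actual"
        return 0
    fi
    echo "MISMATCH: $file md5=$actual expected=$expected" >&2
    return 1
}

# triage_image FILE
# Identify the Windows build/kernel and list processes from the dump.
# Assumes volatility3 is on PATH as `vol` (Kali's volatility3 package).
triage_image() {
    local file="$1"
    vol -f "$file" windows.info
    vol -f "$file" windows.pslist
}

# Usage (placeholder file name and hash, not the task's real values):
# verify_image memory.raw 00000000000000000000000000000000 && triage_image memory.raw
```

If the hash does not match, re-download the image before doing anything else: hours can be lost chasing artifacts in a truncated or corrupted dump. With Volatility 2 the equivalent triage is `volatility -f memory.raw imageinfo` to pick a profile, followed by `volatility -f memory.raw --profile=<profile> pslist`.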