Forensics_Investigation
The challenge description looks long, but all we need are the last time Adam used the Windows calculator and the number of times he ran Google Chrome.
The challenge file is "Investment.7z"; extracting it yields "Windows.vmem".
A '.vmem' file is VMware's backing (paging) file for the guest's memory. It is volatile and only exists while the virtual machine is running or paused.
1. Check imageinfo with Volatility.
2. While looking for last-run times and run counts I found the 'userassist' plugin, so I ran it right away and saved its output to investment.txt.
(1) Searching the text file for 'calc' gave a single hit, which shows the last time it was run.
Last updated: 2020-07-21 18:21:35 UTC+0000
(2) Searching for 'chrome' gave three hits in total.
The run count comes from the first hit.
Count: 19
The second and third hits are .lnk files, i.e. shortcuts; these two shortcut paths were run 16 and 3 times respectively. So the total number of times the Chrome browser was run is 19.
3. Verify
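To make the search in step 2 repeatable, here is a small parser, added to this writeup and not part of the original, that reads the text Volatility's `userassist` plugin prints and sums the `Count` fields per program. The sample output it runs on is constructed to look like the plugin's format, reusing the counts and the calc timestamp quoted above; the notepad entry, the remaining timestamps and the file paths are assumptions. It separates `.exe` entries from `.lnk` (shortcut) entries so the two views can be compared instead of double counted: in the sample, as in the writeup, the chrome.exe counter (19) equals the two shortcut counters (16 + 3).

```python
from datetime import datetime

# Constructed sample shaped like Volatility 2 `userassist` output (values are shown
# ROT13-decoded, as the plugin prints them). This is NOT real output from Windows.vmem:
# the chrome counts and the calc "Last updated" come from the writeup, everything else
# (notepad entry, other timestamps, paths) is made up for the example.
SAMPLE_OUTPUT = r"""
Registry: \??\C:\Users\Adam\ntuser.dat
Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Last updated: 2020-07-21 18:25:10 UTC+0000

Value: %windir%\system32\notepad.exe
REG_BINARY
ID:             N/A
Count:          2
Focus Count:    1
Last updated:   2020-07-20 09:02:11 UTC+0000
Raw Data:
0x00000000  00 00 00 00 02 00 00 00 01 00 00 00 c8 00 00 00   ................

Value: %windir%\system32\calc.exe
REG_BINARY
ID:             N/A
Count:          3
Focus Count:    1
Last updated:   2020-07-21 18:21:35 UTC+0000
Raw Data:
0x00000000  00 00 00 00 03 00 00 00 01 00 00 00 18 10 00 00   ................

Value: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
REG_BINARY
ID:             N/A
Count:          19
Focus Count:    7
Last updated:   2020-07-21 18:25:10 UTC+0000
Raw Data:
0x00000000  00 00 00 00 13 00 00 00 07 00 00 00 40 9c 00 00   ............@...

Value: %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
REG_BINARY
ID:             N/A
Count:          16
Focus Count:    0
Last updated:   2020-07-21 18:25:10 UTC+0000
Raw Data:
0x00000000  00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00   ................

Value: C:\Users\Adam\Desktop\Google Chrome.lnk
REG_BINARY
ID:             N/A
Count:          3
Focus Count:    0
Last updated:   2020-07-19 11:47:03 UTC+0000
Raw Data:
0x00000000  00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00   ................
"""


def parse_userassist(text):
    """Turn `userassist` plugin text into a list of {value, count, last_updated} records."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Value:"):
            current = {"value": line.split(":", 1)[1].strip(), "count": 0, "last_updated": None}
            records.append(current)
        elif current is None:
            continue  # Registry/Path/Last updated header lines precede the first Value
        elif line.startswith("Count:"):  # "Focus Count:" does not start with "Count:"
            current["count"] = int(line.split(":", 1)[1])
        elif line.startswith("Last updated:"):
            stamp = line.split(":", 1)[1].strip()
            current["last_updated"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC+0000")
        elif line.startswith("Raw Data:"):
            current = None  # hex dump follows; nothing else to read from this record
    return records


def summarize(records, keyword):
    """Count and date the hits for `keyword`, keeping .exe and .lnk counters apart."""
    hits = [r for r in records if keyword.lower() in r["value"].lower()]
    exe_runs = sum(r["count"] for r in hits if r["value"].lower().endswith(".exe"))
    lnk_runs = sum(r["count"] for r in hits if r["value"].lower().endswith(".lnk"))
    stamps = [r["last_updated"] for r in hits if r["last_updated"] is not None]
    return {
        "matches": len(hits),
        "exe_runs": exe_runs,   # launches recorded against the program itself
        "lnk_runs": lnk_runs,   # launches recorded against its shortcuts
        "last_used": max(stamps) if stamps else None,
    }


if __name__ == "__main__":
    recs = parse_userassist(SAMPLE_OUTPUT)
    for kw in ("calc", "chrome"):
        print(kw, summarize(recs, kw))
```

The `.exe` counter already reflects launches made through the shortcuts, so report it as the number of runs and use the `.lnk` counters only as a cross-check; adding all three together would give 38, not 19.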