The challenge asks three questions about the memory image:
- The last time Adam entered an incorrect password to log in
- The time the file '1.jpg' was opened
- The last time Adam used the taskbar to launch Chrome
First, run the imageinfo plugin against the vmem file to identify the correct profile; the commands below use Win7SP1x64.
1. Goal: The last time Adam entered an incorrect password to login
.\volatility_2.6_win64_standalone.exe -f .\windows.vmem --profile=Win7SP1x64 hivelist
hivelist prints the virtual offset of every registry hive mapped in memory. Among these, I will dump the SAM hive to find Adam's login records:
the SAM hive holds information about local accounts and groups, including per-user logon timestamps.
.\volatility_2.6_win64_standalone.exe -f .\windows.vmem --profile=Win7SP1x64 dumpregistry -o 0xfffff8a0018f0410 -D ./
To analyze the dumped hive, we will use Registry Explorer. It can be downloaded from the link below:
Note that dumpregistry writes the raw hive with a .reg extension (registry.0x...SAM.reg); it is not a text .reg export, so open it in Registry Explorer as a hive file.
Registry Explorer decodes each user's binary F value into readable fields, so you can see when Adam last entered an incorrect password easily.
The path is SAM\Domains\Account\Users
flag_1: 22-07-2020_09:05:11
2. The time when the file '1.jpg' opened
To find the second flag, dump the user's NTUSER.DAT hive in the same way (its offset is also in the hivelist output).
The second flag is under \Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs, where the entry for 1.jpg appears.
RecentDocs values carry no timestamps of their own; the time comes from the last-write time of the key, which corresponds to the most recently added entry in its MRUListEx.
Alternatively, you can use the mftparser plugin and look for 1.lnk: opening a file creates a shortcut of the same name in the user's Recent folder, and the MFT entry's timestamps give the same time.
A .lnk file is simply a shortcut.
flag_2: 21-07-2020_18:38:33
3. The last time Adam used taskbar to launch Chrome
Only the last question remains. It again needs the NTUSER.DAT hive dumped above.
The last flag is under \Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count. UserAssist records program launches: each value name is the ROT13-encoded path of the launched item, and the value data holds a run count and a last-executed FILETIME. Registry Explorer decodes both, and Volatility's userassist plugin prints the same data directly from memory.
flag_3: 21-07-2020_17:37:18
FLAG: 22-07-2020_09:05:11_21-07-2020_18:38:33_21-07-2020_17:37:18
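As an added example (not part of the original writeup, and not Volatility or Registry Explorer code), the following script decodes the two binary registry values that produce flags 1 and 3 without a GUI: the SAM F value (last incorrect password time at offset 40, Windows 7 layout) and a UserAssist Count value (ROT13 name, run count at offset 4, last-executed FILETIME at offset 60). It assumes the Windows 7 layouts, prints timestamps in UTC because the writeup does not state a time zone, and all sample bytes and the Chrome shortcut name are constructed here rather than taken from the image. To apply it to the real dumped hives, read the F and Count values with any raw-hive parser (for example python-registry) and pass the bytes to these functions.

```python
# Added example (not from the original writeup): decode the raw registry
# values behind flags 1 and 3 without Registry Explorer.  Layouts are the
# documented Windows 7 ones; all sample bytes below are constructed here,
# not taken from the challenge image.
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, or None if unset."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt; used here only to build the constructed samples."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def flag_format(dt):
    """Timestamp in the challenge's dd-mm-YYYY_HH:MM:SS form (UTC; assumption)."""
    return None if dt is None else dt.strftime("%d-%m-%Y_%H:%M:%S")


def parse_sam_f(f_value):
    """Decode a SAM\\Domains\\Account\\Users\\<RID>\\F value (Windows 7 layout)."""
    if len(f_value) < 68:
        raise ValueError("F value too short")
    last_logon, = struct.unpack_from("<Q", f_value, 8)
    pw_last_set, = struct.unpack_from("<Q", f_value, 24)
    last_bad_pw, = struct.unpack_from("<Q", f_value, 40)   # the flag-1 field
    rid, = struct.unpack_from("<I", f_value, 48)
    bad_pw_count, logon_count = struct.unpack_from("<HH", f_value, 64)
    return {
        "rid": rid,
        "last_logon": flag_format(filetime_to_dt(last_logon)),
        "password_last_set": flag_format(filetime_to_dt(pw_last_set)),
        "last_incorrect_password": flag_format(filetime_to_dt(last_bad_pw)),
        "invalid_password_count": bad_pw_count,
        "logon_count": logon_count,
    }


def parse_userassist(value_name, data):
    """Decode one UserAssist\\{GUID}\\Count value (Windows 7, 72-byte layout)."""
    if len(data) < 68:
        raise ValueError("UserAssist value too short")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run, = struct.unpack_from("<Q", data, 60)          # the flag-3 field
    return {
        "program": codecs.decode(value_name, "rot_13"),     # names are stored ROT13-encoded
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_executed": flag_format(filetime_to_dt(last_run)),
    }


def build_flag(*timestamps):
    """Join the three answers in the challenge's FLAG format."""
    return "_".join(timestamps)


# --- constructed samples (hypothetical bytes, not from the image) ---
def _sample_f():
    f = bytearray(80)
    struct.pack_into("<Q", f, 8, dt_to_filetime(datetime(2020, 7, 22, 9, 10, 0, tzinfo=timezone.utc)))
    struct.pack_into("<Q", f, 40, dt_to_filetime(datetime(2020, 7, 22, 9, 5, 11, tzinfo=timezone.utc)))
    struct.pack_into("<I", f, 48, 1000)        # RID
    struct.pack_into("<HH", f, 64, 3, 12)      # invalid password count, logon count
    return bytes(f)


SAMPLE_F = _sample_f()

# hypothetical taskbar-pin shortcut name, ROT13-encoded the way the hive stores it
SAMPLE_UA_NAME = codecs.encode(
    r"Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk", "rot_13")


def _sample_userassist():
    d = bytearray(72)
    struct.pack_into("<III", d, 4, 7, 9, 123456)   # run count, focus count, focus ms
    struct.pack_into("<Q", d, 60, dt_to_filetime(datetime(2020, 7, 21, 17, 37, 18, tzinfo=timezone.utc)))
    return bytes(d)


SAMPLE_UA = _sample_userassist()

if __name__ == "__main__":
    print(parse_sam_f(SAMPLE_F))
    print(parse_userassist(SAMPLE_UA_NAME, SAMPLE_UA))
```

A zero FILETIME is reported as None rather than 01-01-1601, which matters for fields like password_last_set that are often unset on CTF images; the second flag (RecentDocs) is deliberately not covered because it comes from the key's last-write time, not from a value's bytes.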