
The analysis continues on the 'foren.raw' memory image obtained in the previous step.
We already know the OS profile from 'imageinfo', so the next step is to list the running processes with 'pslist'.
.\volatility_2.6_win64_standalone.exe -f foren.raw --profile=Win7SP1x64 pslist

The challenge text, which mentions "had a secret association" and "on Internet", hints that the browser, i.e. 'chrome.exe', is where to look.

Next we run 'yarascan' against the PIDs of the 'chrome.exe' processes found in 'pslist', searching their memory for strings that match the flag format.
-Y option: the string (YARA rule) to search for, here "FwordCTF{"
-p option: the PIDs of the 'chrome.exe' processes
.\volatility_2.6_win64_standalone.exe -f foren.raw --profile=Win7SP1x64 yarascan -Y "FwordCTF{" -p 3700,3752,2560,3304,3304,3528,616,540,3816,2516,3992
The flag is visible in the memory region that yarascan dumps for the match.

flag: FwordCTF{top_secret_channel}
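As an added illustration (not part of the original writeup, and not Volatility's own code), the Python script below does by hand what the yarascan step does: it streams a raw image in chunks, looks for the flag format both as ASCII and as UTF-16LE wide strings (Chrome keeps many of its strings as wide characters), and still finds a match that straddles a chunk boundary. It runs here on a small constructed byte string, SAMPLE_IMAGE, rather than on foren.raw; the function and constant names are my own.

```python
import io
import re
from typing import BinaryIO, List, Tuple

FLAG_PREFIX = b"FwordCTF{"

# Constructed mini image (not real foren.raw data): an ASCII flag at offset 40,
# a UTF-16LE flag at offset 93, and an unterminated decoy that must not match.
SAMPLE_IMAGE = (b"\x00" * 40 + b"FwordCTF{ascii_example}" + b"\x00" * 30
                + "FwordCTF{wide_example}".encode("utf-16-le") + b"\xff" * 50
                + b"FwordCTF{unterminated" + b"\x00" * 40)

def flag_pattern(prefix: bytes, max_body: int = 100) -> "re.Pattern[bytes]":
    """Match prefix{...} both as ASCII and as UTF-16LE (one NUL after each char)."""
    ascii_re = re.escape(prefix) + b"[^}\x00]{1,%d}\\}" % max_body
    wide = prefix.decode("ascii").encode("utf-16-le")
    wide_re = re.escape(wide) + b"(?:[^}\x00]\x00){1,%d}\\}\x00" % max_body
    return re.compile(b"(?:" + ascii_re + b")|(?:" + wide_re + b")")

def scan_stream(f: BinaryIO, prefix: bytes, chunk_size: int) -> List[Tuple[int, str]]:
    """Return (absolute offset, decoded flag) for every hit. The tail of each chunk is
    re-scanned together with the next one so a string straddling a boundary is still
    found; hits lying entirely inside that tail were already reported and are skipped."""
    pat = flag_pattern(prefix)
    overlap = (len(prefix) + 102) * 2            # longest possible wide-char match
    hits, tail, base = [], b"", 0                # base = absolute offset of `chunk`
    while chunk := f.read(chunk_size):
        buf = tail + chunk
        for m in pat.finditer(buf):
            if m.end() <= len(tail):             # lies fully inside the re-scanned tail
                continue
            raw = m.group(0)
            text = raw.decode("ascii") if raw.startswith(prefix) else raw.decode("utf-16-le")
            hits.append((base - len(tail) + m.start(), text))
        base += len(chunk)
        tail = buf[-overlap:]
    return hits

def scan_image(path: str, prefix: bytes = FLAG_PREFIX, chunk_size: int = 16 << 20):
    with open(path, "rb") as f:                  # stream; never load a multi-GB image at once
        return scan_stream(f, prefix, chunk_size)

def scan_bytes(data: bytes, prefix: bytes = FLAG_PREFIX, chunk_size: int = 64):
    return scan_stream(io.BytesIO(data), prefix, chunk_size)
```

Unlike yarascan with -p, this is not process-aware: it searches the whole physical image, so hits are file offsets rather than virtual addresses inside a chosen PID.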