Volatility memory forensics - command shows
2022-07-30 06:38:00 【[email protected]】
Introduction: forensics questions make up a growing share of CTF challenges. As a newcomer to CTF, I have run into forensics questions in almost every one of the few contests I have played. In earlier contests I was helpless with them, so I finally sat down and carefully reproduced one such problem.
Installation of Volatility
Older versions of Kali shipped with Volatility, so it could be used directly, but with the current version you basically have to download and install it yourself. Installation mainly depends on the Python environment and needs a few libraries; Python 3 is recommended.
Download link: https://www.volatilityfoundation.org/releases
After downloading, go to the root directory of the extracted archive and run vol.py directly.
Challenge link: https://buuoj.cn/match/matches/3/challenges
Commands
1. Query image information
python vol.py -f mem.raw imageinfo
2. View the processes in the image
python vol.py -f mem.raw --profile=Win7SP1x86 pslist
Suspicious processes can be spotted here; there are three suspicious processes in this challenge.
3. Example of dumping one of the processes
python vol.py -f mem.raw --profile=Win7SP1x86 memdump -p 3364 -D <dump_dir>
(-D takes the output directory; <dump_dir> is a placeholder.) The dumped process memory can then be analysed in detail.
4. Check the dumped process for keys, passwords, etc.
Example (filtering the process list for one process name; find is the Windows cmd filter, on Linux use grep):
python vol.py -f mem.raw --profile=Win7SP1x86 pslist | find "mspaint.exe"
5. Common Windows process names
TrueCrypt.exe  disk encryption tool
notepad.exe    built-in Notepad
mspaint.exe    built-in Paint
iexplore.exe   IE browser
DumpIt.exe     memory image acquisition tool
6. List the registry hives (hivelist)
python vol.py -f mem.raw --profile=Win7SP1x86 hivelist
7. Extract registry information (dump one hive by its virtual offset from hivelist)
python3 vol.py -f mem.raw --profile=Win7SP1x86 hivedump -o 0x82a9fb38
8. Get IE browser history
python vol.py -f mem.raw --profile=Win7SP1x86 iehistory
9. List usernames and passwords
python vol.py -f mem.raw --profile=Win7SP1x86 printkey -K "SAM\Domains\Account\Users\Names"
10. Get the username and password of the last logged-in user
python vol.py -f mem.raw --profile=Win7SP1x86 printkey -K "SOFTWARE\Microsoft\Windows Nt\CurrentVersion\Winlogon"
11. View cmd command history
python vol.py -f mem.raw --profile=Win7SP1x86 cmdscan
12. View the command line of each process
python vol.py -f mem.raw --profile=Win7SP1x86 cmdline
13. Clipboard contents
python vol.py -f mem.raw --profile=Win7SP1x86 clipboard
14. List the DLLs loaded by a process
python vol.py -f mem.raw --profile=Win7SP1x86 dlllist -p 3820
Note: if other commands come up in the future, this post will continue to be updated.
Copyright notice
This article was written by [[email protected]]; when reposting, please include a link to the original. Thanks.
https://yzsam.com/2022/211/202207300539173294.html