The Book

Prompt

We have obtained a live system memory dump from a hacker's computer before it fried itself. The hacker was looking at a suspicious document. Can you retrieve the lost information?

Walk-Through

This challenge requires you to analyze a memory dump to recover what the system looked like at the moment the dump was taken: the operating system, the computer and user names, a file the user had open, and the credentials cached in memory.

Before starting, decompress the challenge file; it is xz-compressed. Run xz -d memdump.mem.xz to get a memdump.mem file to work with.

To conduct the memory analysis, you’ll need to download the tool Volatility available at https://github.com/volatilityfoundation/volatility3.

Commands using Volatility may take a few moments to complete.

The operating system (OS) that this memory dump was taken from should be identified before using Volatility. Unlike Volatility2, Volatility3 no longer needs a hand-picked profile: it locates the kernel and fetches the matching symbol table itself. It is still very helpful to know what system's memory you are going to be looking at, because every Volatility3 plugin is OS-specific (windows.*, linux.*, mac.*).

Using file memdump.mem can give a first hint about what OS the memory dump was taken from. Treat it as a hint only: a raw memory image has no file header of its own, so file is guessing from whatever bytes happen to sit at the start of the image.

file memdump.mem
memdump.mem: Windows Event Trace Log

To verify your work, you can use Volatility to print out the memory dump’s OS information using

./vol.py -f ./memdump.mem windows.info.Info
💡

Be sure to use the correct file paths for vol.py and the memdump.mem files when using this command. vol.py will be in the Volatility3 directory. You can move the memdump.mem file into the Volatility3 folder to complete the analysis from the same directory.

Notice the additional information gained from running ./vol.py -f ./memdump.mem windows.info.Info. Besides the NT major/minor version and build string, the Info plugin reports the kernel base, whether the system is 64-bit, the number of processors, and the system time at capture. This output confirms the memdump.mem file is a memory dump from a Windows OS.

To learn the name of the computer and the username, use the windows.envars.Envars plugin. This tells Volatility to extract the environment variables of each process from the memory dump; these include a COMPUTERNAME variable. The username will also be present in the environment variables, both as a USERNAME variable and in paths referencing C:\Users\ (for example USERPROFILE).

./vol.py -f ./memdump.mem windows.envars.Envars
This is a partial output of ./vol.py -f ./memdump.mem windows.envars.Envars. The answers have been redacted. There is also a field 'USERNAME' that is not pictured which contains the username.

The windows.filescan.FileScan plugin tells Volatility to scan the dump for all _FILE_OBJECT structures and list them. This will help identify the paths of files the system had open, and it presents the virtual offset of each file object, which can be used to examine individual files.

./vol.py -f ./memdump.mem windows.filescan.FileScan
This is a partial output of ./vol.py -f ./memdump.mem windows.filescan.FileScan. You may notice some non-English characters in your output. These may exist due to an encoding mismatch or because the scanner picked up partially overwritten file objects.

To find a file of interest, it makes sense to look in the user's profile. Use grep to filter the scan to paths containing the username found for a previous question: ./vol.py -f ./memdump.mem windows.filescan.FileScan | grep "<AddUser'sName>". Folders such as Desktop, Documents and Downloads are the usual places a "suspicious document" turns up.

The file address, file name, and user's name have been redacted from this partial output.

To see if the content of the file is ‘interesting’, use the following command to extract the contents of the file:

./vol.py -f ./memdump.mem -o ./output windows.dumpfiles.DumpFiles --virtaddr [file address]
The windows.dumpfiles.DumpFiles plugin tells Volatility to extract the file content, and the -o option (a global option, so it goes before the plugin name) specifies the directory to write the extracted file to. The --virtaddr option takes the offset of the file object of interest from the FileScan output in the previous step (in this dump the file addresses start with 0xe000).
💡

Be sure to create or specify your own output directory before running the command. Two files will be created there, one for each cached view of the file that Volatility found (the name of each output file ends in .dat or .img and embeds the original file name). You can use either to answer the question about the user's real name.

The file of interest in this case is actually a SQLite database file. You can open the database file using tools such as DB Browser for SQLite or the sqlite3 command-line shell and peruse the database tables to identify the real name of the "cloud" user.

If you have SQLite installed you can print the tables there to find the answer as shown. The answer has been redacted.

Lastly, to identify the password, use Volatility once again to run the following command:

./vol.py -f ./memdump.mem windows.registry.hashdump.Hashdump

The windows.registry.hashdump.Hashdump plugin tells Volatility to locate the SAM and SYSTEM registry hives in memory and extract the LM and NT password hashes for every local user, printed as User, rid, lmhash, nthash. The NT hash is what cracking tools refer to as "NTLM".

If there is an error, there are ways to resolve this. Add -vv to the Volatility command to get verbose output on what is causing it. If there is a debug line mentioning 'Crypto', it means Volatility is missing the pycryptodome module, which Hashdump needs to decrypt the hashes:

pip3 install pycryptodome
This is a partial output of ./vol.py -f ./memdump.mem windows.registry.hashdump.Hashdump. The answer is partially redacted.

Use any NTLM password cracking tool to retrieve the plaintext of the password, for example hashcat with -m 1000 (NTLM) and a wordlist. Of note, the password is a simple one and does not require extensive hardware to successfully crack: the NT hash is an unsalted MD4 of the UTF-16LE password, so a given password always produces the same hash and common passwords are recovered instantly by lookup.

Sites like https://crackstation.net/ can be used to obtain the plaintext.

This is output from crackstation.net. The resulting plaintext has been partially redacted.

Questions

1. What operating system was this dump taken from?

2. What is the name of the computer?

3. What is the name of the user that was logged in?

4. What is the full file path of the file of interest?

5. What is the real name of "cloud"?

6. What is the password of the currently logged in user?

©️ 2025 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.