We’re testing our Memory Analysis package (currently in beta) against various challenges available online.
We found this challenge on the Memory Forensic site, so credit goes to them for highlighting it and to the BlackHat MEA Team for creating it in the first place. The challenge can be downloaded directly from here.
The scenario is as follows:
“My work PC has suddenly crashed. I can no longer retrieve my secret file, also I don’t remember the password. It is a hard password and securely generated, but I saved it locally. Can you help me recover the content?”
Examining the registry keys of installed software is an often-overlooked step that can pay off: virtual machines prepared for CTF challenges usually contain only software related to the challenge, so whatever is installed is a hint. That was the case here: we noticed WinRAR was present and checked its key under the user hive for recently opened archives. There we indeed found a file of interest.
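As an added example (not part of the original write-up or the package it describes), the small triage helper below pulls the recent-archive list out of Volatility 3 `windows.registry.printkey` output for the WinRAR key, which is assumed here to be `Software\WinRAR\ArcHistory` in the user's NTUSER.DAT hive, with values named "0", "1", ... ("0" being the most recently used archive). The sample output, the column layout of the `-r csv` renderer, and all paths and timestamps are constructed for illustration.

```python
import csv
import io

# Constructed sample of what
#   vol -r csv -f mem.raw windows.registry.printkey --key "Software\WinRAR\ArcHistory"
# might print for a user's NTUSER.DAT hive. Column layout assumed from the
# Volatility 3 csv renderer; user name, paths, offsets and times are invented.
SAMPLE_PRINTKEY_CSV = """TreeDepth,Last Write Time,Hive Offset,Type,Key,Name,Data,Volatile
0,2023-11-02 09:14:51.000000 ,0xa00000000000,Key,\\??\\C:\\Users\\Alice\\ntuser.dat\\Software\\WinRAR\\ArcHistory,(Key),,False
0,2023-11-02 09:14:51.000000 ,0xa00000000000,REG_SZ,\\??\\C:\\Users\\Alice\\ntuser.dat\\Software\\WinRAR\\ArcHistory,0,"C:\\Users\\Alice\\Desktop\\secret.rar",False
0,2023-11-02 09:14:51.000000 ,0xa00000000000,REG_SZ,\\??\\C:\\Users\\Alice\\ntuser.dat\\Software\\WinRAR\\ArcHistory,1,"C:\\Users\\Alice\\Downloads\\tools.zip",False
0,2023-11-02 09:14:51.000000 ,0xa00000000000,REG_SZ,\\??\\C:\\Users\\Alice\\ntuser.dat\\Software\\WinRAR\\ArcHistory,2,"D:\\backup\\old-notes.rar",False
"""

ARC_HISTORY_SUFFIX = "software\\winrar\\archistory"


def winrar_arc_history(printkey_csv: str) -> list[tuple[int, str]]:
    """Return (slot, archive_path) pairs from ArcHistory, most recent first.

    Only REG_SZ values whose name is a decimal slot number under the
    ArcHistory key are kept; the key row itself and unrelated values are
    ignored, so the parser tolerates extra rows in the printkey output.
    """
    entries: list[tuple[int, str]] = []
    for row in csv.DictReader(io.StringIO(printkey_csv)):
        if row.get("Type") != "REG_SZ":
            continue  # skip the key row and non-string values
        key = row.get("Key", "").lower().rstrip("\\")
        if not key.endswith(ARC_HISTORY_SUFFIX):
            continue  # value belongs to some other key
        name = row.get("Name", "").strip()
        if not name.isdigit():
            continue  # ArcHistory slots are named "0", "1", ...
        path = row.get("Data", "").strip().strip('"')
        entries.append((int(name), path))
    entries.sort(key=lambda entry: entry[0])  # slot 0 = most recently used
    return entries


if __name__ == "__main__":
    for slot, path in winrar_arc_history(SAMPLE_PRINTKEY_CSV):
        print(f"[{slot}] {path}")
```

Slot 0 is the archive to look for first; the same parser works on printkey output for any other key whose values are numbered MRU slots by changing the suffix.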