Memory Challenge 16: MemLabs Lab 1 – Beginner’s Luck

We’re testing our Memory Analysis package (currently in beta) against various challenges available online.

We found this challenge on the Memory Forensic site, so credit goes to them for highlighting it and to MemLabs for creating it in the first place.

The description is as follows:

“My sister’s computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That’s all we remember from the time of crash.

Note: This challenge is composed of 3 flags.”

We retrieve the first and third flags. The second flag requires extracting the raw image data from the mspaint process, and we leave it as an exercise for the reader.
