GVTs - wearegvts.com
OtterCTF - Memory Forensics - “Play Time”
Volatility is the standard tool for this kind of memory forensics. Most of its plugins need to know the OS profile of the image before they can parse anything, so the first step is to identify it with imageinfo:
./vol.py -f OtterCTF.vmem imageinfo
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
The challenge asks which game Rick was playing and which server it talked to, so the next step is to list the network sockets recorded in the image. The first suggested profile, Win7SP1x64, is the right one here:
./vol.py -f OtterCTF.vmem --profile=Win7SP1x64 netscan
netscan prints a long list of sockets, most of them listeners, loopback or LAN (192.168.x.x) entries. The one we are looking for is a TCPv4 connection owned by a process named after a game and bound for a non-local address. It shows as CLOSED because netscan carves socket objects out of pool memory rather than walking live lists, so it also recovers connections that had already been torn down when the image was taken; the owning process and the foreign address survive regardless:
0x7d6124d0 TCPv4 192.168.202.131:49530 22.214.171.124:7575 CLOSED 708 LunarMS.exe
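On a real image the netscan listing runs to hundreds of rows, so it helps to filter it mechanically instead of eyeballing it. The following shell function is an added example, not part of the original writeup or of Volatility itself: it reads Volatility 2 netscan output on stdin (the column layout Offset, Proto, Local Address, Foreign Address, State, Pid, Owner is assumed to be Volatility 2's) and prints only TCPv4 rows whose foreign address is a concrete public IPv4 address, dropping listeners, loopback, RFC 1918 and link-local peers. The sample input is constructed for the example; only the LunarMS.exe row is the one shown above, the other rows and their offsets are made up.

```shell
#!/bin/sh
# Constructed sample of Volatility 2 netscan output. Only the LunarMS.exe row is
# taken from the writeup; the other rows and offsets are invented for the example.
NETSCAN_SAMPLE='Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d4f3c10         UDPv4    0.0.0.0:5355                   *:*                                   1088     svchost.exe    2018-08-04 19:26:00 UTC+0000
0x7d4e9af0         TCPv4    192.168.202.131:49478          192.168.202.1:445    ESTABLISHED      4        System
0x7d5d2b20         TCPv4    127.0.0.1:49400                127.0.0.1:49401      ESTABLISHED      2772     explorer.exe
0x7d6124d0         TCPv4    192.168.202.131:49530          22.214.171.124:7575  CLOSED           708      LunarMS.exe
0x7d6f0010         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        708      svchost.exe'

# external_tcp: read netscan output on stdin and print
#   "<pid> <owner> <remote_ip> <remote_port> <state>"
# for every TCPv4 row whose foreign address is a public IPv4 address.
# Unspecified (0.0.0.0), loopback, RFC 1918 and link-local peers are skipped,
# as are UDP rows (foreign address "*:*") and the header line.
external_tcp() {
    awk '
    $2 ~ /^TCPv4/ && $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ {
        split($4, rem, ":")
        ip = rem[1]; port = rem[2]
        split(ip, o, ".")
        if (ip == "0.0.0.0") next                          # listeners
        if (o[1] == 127) next                              # loopback
        if (o[1] == 10) next                               # RFC 1918 10/8
        if (o[1] == 192 && o[2] == 168) next               # RFC 1918 192.168/16
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) next  # RFC 1918 172.16/12
        if (o[1] == 169 && o[2] == 254) next               # link-local
        print $6, $7, ip, port, $5
    }'
}

# Stand-alone run over the constructed sample. Against a real image you would
# pipe the plugin straight in:
#   ./vol.py -f OtterCTF.vmem --profile=Win7SP1x64 netscan | external_tcp
printf '%s\n' "$NETSCAN_SAMPLE" | external_tcp
```

The filter deliberately keeps CLOSED sockets, since a connection that was already torn down is exactly the kind of artefact a pool scan recovers and a live netstat would never have shown; narrow on state only after you have seen what is there.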
So the flags are: