GVTs - wearegvts.com
OtterCTF - Memory Forensics - “Hide And Seek”
Volatility is a useful tool for memory forensics.
First, we need to identify the profile of the memory image:
./vol.py -f OtterCTF.vmem imageinfo
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
Next, we list the process tree (pstree shows each process under its parent, so unusual parent/child pairs stand out):
./vol.py -f OtterCTF.vmem --profile=Win7SP1x64 pstree
Two entries look odd:
. 0xfffffa801b486b30:Rick And Morty 3820 2728 4 185 2018-08-04 19:32:55 UTC+0000
.. 0xfffffa801a4c5b30:vmware-tray.ex 3720 3820 8 147 2018-08-04 19:33:02 UTC+0000
A process named "Rick And Morty" (PID 3820, parent explorer.exe 2728) is running, and it has a child process, "vmware-tray.ex" (PID 3720, parent 3820), under it. A VMware tray component would not normally be started by a user-launched application, so this parent/child pair is the lead to follow. Note that the names pstree prints come from the 15-byte EPROCESS ImageFileName field and are truncated: "vmware-tray.ex" is vmware-tray.exe, and "Rick And Morty" may be cut short as well; the cmdline or dlllist plugin with -p 3720 shows the full image path.
That must be what we are looking for.
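As an added example (not part of the original writeup and not Volatility code), the script below turns the manual "spot the odd child" step into a check: it parses the text that vol.py pstree prints and reports every child whose parent is present in the tree but is not a normal Windows launcher. The two rows quoted above are embedded in a constructed sample; the other rows and the allowlist of expected launcher processes are assumptions for illustration.

```python
"""Post-process Volatility 2 `pstree` output to flag odd parent/child pairs.

Added example for this writeup, not part of the OtterCTF challenge or of
Volatility itself. It parses the text that `vol.py ... pstree` prints
(the two lines quoted in the writeup plus constructed filler rows) and
reports children spawned by a parent that is not a normal process launcher.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on Volatility 2 pstree output. The
# "Rick And Morty" and "vmware-tray.ex" rows are the ones quoted in the
# writeup; the other rows are illustrative Windows 7 entries (assumed).
SAMPLE_PSTREE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa801b2d4b30:wininit.exe                        396    336      3     75 2018-08-04 19:26:03 UTC+0000
. 0xfffffa801b3d8060:services.exe                      492    396      8    224 2018-08-04 19:26:03 UTC+0000
.. 0xfffffa801b4a1b30:vmtoolsd.exe                    1380    492      9    272 2018-08-04 19:26:10 UTC+0000
 0xfffffa801b1e8060:explorer.exe                      2728   2708     28    860 2018-08-04 19:27:15 UTC+0000
. 0xfffffa801b486b30:Rick And Morty                   3820   2728      4    185 2018-08-04 19:32:55 UTC+0000
.. 0xfffffa801a4c5b30:vmware-tray.ex                  3720   3820      8    147 2018-08-04 19:33:02 UTC+0000
"""

# Leading dots encode tree depth; the name may contain spaces, so it is
# matched non-greedily up to the four integer columns and the timestamp.
_ROW = re.compile(
    r"^(?P<depth>\.*)\s*(?P<offset>0x[0-9a-fA-F]+):(?P<name>.+?)"
    r"\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<thds>\d+)\s+(?P<hnds>\d+)"
    r"\s+(?P<time>\d{4}-\d{2}-\d{2} .*)$"
)

# Processes that legitimately start other programs on a Windows 7 box.
# This allowlist is an assumption for the example; tune it per environment.
EXPECTED_LAUNCHERS = {
    "system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "svchost.exe", "userinit.exe", "explorer.exe",
}


@dataclass(frozen=True)
class Process:
    offset: int
    name: str
    pid: int
    ppid: int
    depth: int


def parse_pstree(text: str) -> dict[int, Process]:
    """Return a pid -> Process map for every data row of pstree output."""
    procs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header and separator rows
        p = Process(
            offset=int(m["offset"], 16),
            name=m["name"].strip(),
            pid=int(m["pid"]),
            ppid=int(m["ppid"]),
            depth=len(m["depth"]),
        )
        procs[p.pid] = p
    return procs


def lineage(procs: dict[int, Process], pid: int) -> list[str]:
    """Walk parents upward, e.g. ['vmware-tray.ex', 'Rick And Morty', 'explorer.exe']."""
    chain = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


def find_odd_children(procs: dict[int, Process],
                      launchers: set[str] = EXPECTED_LAUNCHERS) -> list[tuple[Process, Process]]:
    """Children whose parent is in the tree but is not an expected launcher.

    Parents missing from the output (already exited, or hidden) are skipped
    rather than flagged; those are better examined with psscan.
    """
    odd = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is not None and parent.name.lower() not in launchers:
            odd.append((p, parent))
    return odd


if __name__ == "__main__":
    tree = parse_pstree(SAMPLE_PSTREE)
    for child, parent in find_odd_children(tree):
        print(f"{child.name!r} (pid {child.pid}) spawned by {parent.name!r} "
              f"(pid {parent.pid}): " + " <- ".join(lineage(tree, child.pid)))
```

Run it against real output with `./vol.py -f OtterCTF.vmem --profile=Win7SP1x64 pstree > pstree.txt` and feed the file's contents to parse_pstree. On the sample it flags exactly the pair the writeup singles out: vmware-tray.ex (3720) under "Rick And Morty" (3820), with the lineage back to explorer.exe.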