10.12.2018


GVTs - wearegvts.com
OtterCTF - Memory Forensics - “Hide And Seek”

Volatility is a useful tool for memory forensics.

First, we need to get the profile:
./vol.py -f OtterCTF.vmem imageinfo
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418

Next, we need to look at the process tree:
./vol.py -f OtterCTF.vmem --profile=Win7SP1x64 pstree

Something in the output looks odd:
. 0xfffffa801b486b30:Rick And Morty                  3820   2728      4    185 2018-08-04 19:32:55 UTC+0000
.. 0xfffffa801a4c5b30:vmware-tray.ex                 3720   3820      8    147 2018-08-04 19:33:02 UTC+0000

There is a process named “Rick And Morty” running, and it has a child process under it (the name shows as vmware-tray.ex because Volatility prints the kernel's 14-character ImageFileName, so vmware-tray.exe is truncated).
That must be what we are looking for.
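The reasoning above (a process spawned by something that is not a normal Windows launcher deserves a second look) can be automated over pstree output. The script below is an added example, not part of the original write-up: it parses lines in the shape of `vol.py pstree` output, flags every child whose parent is not on a small allowlist of system launchers, and checks whether a truncated 14-character name could be a given full executable name. The four sample lines are constructed to mirror the listing above (the explorer.exe and cmd.exe entries are invented filler, not from the dump), and the launcher allowlist is an assumption used as a coarse triage heuristic.

```python
"""Triage Volatility 2 pstree output for processes with an unexpected parent.

Added example, not from the original write-up. SAMPLE_PSTREE is a constructed
snippet in the column layout of `vol.py pstree` (depth dots, offset:name,
PID, PPID, threads, handles, start time); only the two middle lines mirror
the real listing, the others are filler.
"""
import re
from dataclasses import dataclass

SAMPLE_PSTREE = """\
 0xfffffa801b4e5060:explorer.exe                   2728   2716     33    854 2018-08-04 19:27:05 UTC+0000
. 0xfffffa801b486b30:Rick And Morty                  3820   2728      4    185 2018-08-04 19:32:55 UTC+0000
.. 0xfffffa801a4c5b30:vmware-tray.ex                 3720   3820      8    147 2018-08-04 19:33:02 UTC+0000
. 0xfffffa801b3a2b30:cmd.exe                        1180   2728      1     22 2018-08-04 19:28:10 UTC+0000
"""

# Process names may contain spaces, so the name group is lazy and the line is
# anchored on the numeric columns that follow it.
LINE_RE = re.compile(
    r"^\.*\s*0x[0-9a-fA-F]+:(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<ts>\S.*)$"
)

# Assumed allowlist of parents that normally start other processes on Win7.
SYSTEM_LAUNCHERS = {
    "explorer.exe", "services.exe", "svchost.exe", "wininit.exe",
    "winlogon.exe", "smss.exe", "userinit.exe", "taskeng.exe",
}

# _EPROCESS.ImageFileName holds 15 bytes including the NUL terminator,
# so pstree shows at most 14 characters of the executable name.
NAME_WIDTH = 14


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    threads: int
    handles: int
    started: str


def parse_pstree(text):
    """Return {pid: Proc} for every process line; header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = Proc(m["name"], int(m["pid"]), int(m["ppid"]),
                 int(m["thds"]), int(m["hnds"]), m["ts"].strip())
        procs[p.pid] = p
    return procs


def find_odd_children(procs, launchers=SYSTEM_LAUNCHERS):
    """List (child_name, child_pid, parent_name, parent_pid) for every
    process whose parent is present in the listing but is not a launcher."""
    findings = []
    for child in procs.values():
        parent = procs.get(child.ppid)
        if parent is None:
            continue  # parent exited or is the root of the listing
        if parent.name.lower() not in launchers:
            findings.append((child.name, child.pid, parent.name, parent.pid))
    return findings


def matches_truncated(listed, full, width=NAME_WIDTH):
    """True if `listed` (as printed by pstree) could be `full` after truncation."""
    return listed == (full[:width] if len(full) > width else full)


if __name__ == "__main__":
    procs = parse_pstree(SAMPLE_PSTREE)
    for name, pid, pname, ppid in find_odd_children(procs):
        print(f"{name} (pid {pid}) spawned by {pname} (pid {ppid})")
    print(matches_truncated("vmware-tray.ex", "vmware-tray.exe"))
```

Running it on the sample flags only vmware-tray.ex under Rick And Morty, and the truncation check confirms the listed name is consistent with vmware-tray.exe. On a full dump the allowlist will produce false positives (browsers and IDEs legitimately spawn children), so treat the output as a worklist, not a verdict.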

Flag is:
CTF{vmware-tray.exe}