- Extract Invalid Login timestamp from the windows registry.
- Extract the timestamp of when a JPEG was opened.
- Extract Google Chrome’s last run time which was pinned to taskbar from windows registry.
Challenge points: 872
No. of solves: 18
Challenge Author: stuxn3t
You can download the file from here: Google drive.
We are provided with a Windows memory dump. I’ll be using Volatility to analyze, extract relevant artefacts. I will also be discussing an alternate method to solve this challenge without using Volatility as well.
We shall use the
imageinfo plugin to find the profile of the memory dump
$ volatility -f windows.vmem imageinfo
So let us use the profile as
When was the last time Adam entered an incorrect password to login?
The windows registry hives store a lot of detail related to a user. Some of them include the
last invalid login etc… So, as far as the challenge is concerned, we need to dig up when Adam last entered an incorrect password.
So, first, we shall use volatility to list out the registry hives present in the memory.
$ volatility -f windows.vmem --profile=Win7SP1x64 hivelist
To collect the user account details, we dump the SAM registry hive.
$ volatility -f windows.vmem --profile=Win7SP1x64 dumpregistry -o 0xfffff8a0018f0410 -D .
We will use Eric Zimmerman’s
Registry Explorer to inspect the hive.
As noted from the above image, we can see that an incorrect password was last entered on
2020-07-22 09:05:11. Converting it to the format of the challenge gives
When was the file 1.jpg opened?
There are 2 approaches to answer this question. Since we are using the windows registry, I will discuss extracting the timestamp from the registry.
This timestamp can be found in the
RecentDocs subkey in the
So as highlighted in the above image the timestamp is
2020-07-21 18:38:33 and converting it the format gives
The alternate approach would be to use the
mftparser plugin and extract the timestamp.
$ volatility -f windows.vmem --profile=Win7SP1x64 mftparser | grep -C 5 "1.lnk"
We search for
.lnk files because they are created when a file is accessed. So that would be our best resource.
As you can see we get the same timestamp from both the resources.
When did Adam last use the taskbar to launch Chrome?
The question does not ask when chrome was last run but when was it last launched from the taskbar. We will use the same
NTUSER.DAT hive to collect the information.
The timestamp, in this case, would be
Concatenating the 3 answers gives us the final flag.
For further queries, please DM me on Twitter: https://twitter.com/_abhiramkumar
- Registry Explorer
- Volatility command reference