# Ermittlung - InCTF Internationals 2021

tl;dr

• Finding Chat application
• Extract unread message count from NTUSER.dat.
• Extract the last executed timestamp of the chat application.
• Extract the Version of the chat application.

Challenge Points: 140
Challenge Solves: 45
Challenge Author: g4rud4

## Challenge Description

MD5 Hash: ermittlung.raw 110305F3CF71432B4DFAFD1538CDF850

## Initial Analysis

We are given with a memory dump. So let us find out the profile.

### Finding Profile

I will be using WinXPSP2x86, as the profile for this challenge.

### Scanning active processes

As we don’t know what all processes were running during the memory capture. Let us check the active processes in the system for better understanding.

We observe firefox.exe, msimn.exe are running.

### Listing Firefox history

Let us use firefoxhistory plugin to check any suspicious url. You can get this from superponible github repo.

Well there is nothing much in it which we can make use of.

1. What is the name of the chat application program?

### Finding chat application

We found msimn.exe, which a quick Google search or via using the plugin cmdline, we can find, this excutable is part of Outlook Express.

Other than this, we couldn’t find any other chat applications running on the system. We got our answer to the 1st question. Which is Outlook Express

We got the name of the chat application. Now, let us find out when was the last time this application executed.

1. When did the user last used this chat application?

### Finding Last execution time

We can find answer for this in 2 ways, One by checking the start time from the pslist and another from registry.

#### Registry

Using UserAssist from NTUSER.dat, we can also find the last executed time of Outlook Express. Let us use userassist plugin.

As highlighted, we get the last execution time as 2020-07-27 12:26:17. Converting that to the format mentioned in the description would result in 27-07-2020_12:26:17.

1. How many unread messages are there in the chat application that the user is using?

### Finding message count

We find the message count from NTUSER.dat registry hive. Let us dump the NTUSER.dat registry hive.

To dump the registry hive, 1st we need to find the virtual address of the NTUSER.dat. For that we can use hivelist plugin and list all hives.

NTUSER.dat is located at 0xe1aa5b60 offset, now we can use dumpregistry plugin to dump the registry hive.

We can use our preferred registry viewer to open the dumped registry hive.

We can got to this Software\Microsoft\Windows\CurrentVersion\UnreadMail\ hive, where we can find the count of unread messages under the email used in Outlook Express.

From the register, we get Message Count as 4.

Note: We can also use volatility’s printkey plugin to retrieve the Message Count from registry.

1. What is the current version of the chat application that’s being used?

### Finding version of chat application

Version that the chat application is using can be found in NTUSER.dat or by dumping the process from memory and checking out the little endian strings.

#### From Registry

As we have already dumped NTUSER.dat registry hive, we can got this Software\Microsoft\Outlook Express\5.0\Shared Settings\Setup hive, and the sub-key MigToLWPVer gives us the version of the chat application being used on the system.

#### From Process dump

From the pslist we can see that the executable is running at PID 2132. We can use procdump plugin and dump the process.

Now, we can use strings commands, to get all the little endian strings from the dumped executable.

As highlighted, the version of the application is 6.0.2900.5512.

## Flag

Concatinating all answer, we can get the flag.

inctf{Outlook_Express_27-07-2020_12:26:17_4_6.0.2900.5512}