Memlabs Lab 4 Writeup
Problem: My system was recently compromised. The hacker stole a lot of information, but he also deleted a very important file of mine. I have no idea how to recover it. The only evidence we have at this point in time is this memory dump. Please help me.
Solution: Running the Volatility filescan plugin and grepping the output for .txt files turns up a suspicious-looking important.txt. Dumping it with the dumpfiles plugin does not work, however: dumpfiles reconstructs a file from the kernel's file and cache objects, and a file that has already been deleted no longer has any to recover from.
Running pslist shows a StikyNot.exe process, and filescan with grep for .snt turns up a StickyNotes.snt file, which contains the text
The clipboard plugin runs fine, but it does not give the flag either.
Searching for how to recover deleted data with Volatility leads to the mftparser plugin. NTFS stores the contents of small files resident inside their MFT record, and deleting a file only clears the record's in-use flag, so the data is still sitting in memory to be carved. Running mftparser and grepping its output for important.txt gives the flag:
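To make the recovery step concrete, here is an added toy version of what mftparser does; it is not Volatility's code and not part of the original writeup. It builds a constructed "memory image" containing two synthetic NTFS FILE records (one live, one deleted), carves every FILE record out of it, undoes the update-sequence fixups, walks the attributes, and returns the resident $DATA of records whose in-use flag is clear. The file names and contents are constructed sample data; only the NTFS record and attribute layouts are real.

```python
"""Carve deleted small files from MFT FILE records in a raw image (toy mftparser)."""
import struct

MFT_RECORD_SIZE = 1024
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x01


def _resident_attr(attr_type, content, attr_id):
    """Resident attribute: 24-byte header, content at offset 24, padded to 8 bytes."""
    body_len = 24 + len(content)
    total = (body_len + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, total, 0, 0, 24, 0, attr_id,
                      len(content), 24, 0, 0)
    return hdr + content + b"\x00" * (total - body_len)


def build_mft_record(record_no, filename, content, in_use):
    """Constructed 1 KiB FILE record with $STANDARD_INFORMATION, $FILE_NAME and resident $DATA."""
    assert len(content) <= 700, "resident $DATA only fits small files; larger ones go non-resident"
    fn_content = b"\x00" * 0x40 + struct.pack("<BB", len(filename), 3) + filename.encode("utf-16-le")
    attrs = (_resident_attr(ATTR_STANDARD_INFORMATION, b"\x00" * 0x30, 0)
             + _resident_attr(ATTR_FILE_NAME, fn_content, 1)
             + _resident_attr(ATTR_DATA, content, 2)
             + struct.pack("<I", ATTR_END) + b"\x00" * 4)
    usa_offset, usa_count, first_attr = 0x30, 3, 0x38   # USN + one fixup word per 512-byte sector
    used = first_attr + len(attrs)
    flags = FLAG_IN_USE if in_use else 0                 # a deleted file keeps everything but this bit
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_offset, usa_count, 0, 1, 1,
                         first_attr, flags, used, MFT_RECORD_SIZE, 0, 3, 0, record_no)
    rec = bytearray(header + b"\x00" * 8 + attrs)        # 8 bytes hold the 6-byte update sequence array
    rec += b"\x00" * (MFT_RECORD_SIZE - len(rec))
    usn = 1                                              # apply fixups: last 2 bytes of each sector <-> USN
    struct.pack_into("<H", rec, usa_offset, usn)
    for i in range(usa_count - 1):
        pos = (i + 1) * 512 - 2
        rec[usa_offset + 2 + 2 * i: usa_offset + 4 + 2 * i] = rec[pos:pos + 2]
        struct.pack_into("<H", rec, pos, usn)
    return bytes(rec)


def parse_mft_record(raw):
    """Validate a FILE record, undo fixups, walk attributes; None if it is not a sane record."""
    if len(raw) < MFT_RECORD_SIZE or raw[:4] != b"FILE":
        return None
    rec = bytearray(raw[:MFT_RECORD_SIZE])
    usa_offset, usa_count = struct.unpack_from("<HH", rec, 4)
    first_attr, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    if not (0x30 <= first_attr < used <= MFT_RECORD_SIZE) or usa_offset + 2 * usa_count > first_attr:
        return None
    usn = rec[usa_offset:usa_offset + 2]
    for i in range(usa_count - 1):
        pos = (i + 1) * 512 - 2
        if rec[pos:pos + 2] != usn:
            return None                                  # fixup mismatch: torn write or false positive
        rec[pos:pos + 2] = rec[usa_offset + 2 + 2 * i: usa_offset + 4 + 2 * i]
    info = {"record_no": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & FLAG_IN_USE), "name": None, "data": None}
    off = first_attr
    while off + 24 <= MFT_RECORD_SIZE:
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == ATTR_END or alen < 24 or off + alen > MFT_RECORD_SIZE:
            break
        if nonres == 0:                                  # non-resident $DATA lives in clusters, not here
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = bytes(rec[off + coff: off + coff + clen])
            if atype == ATTR_FILE_NAME and len(content) >= 0x42:
                nlen = content[0x40]
                info["name"] = content[0x42:0x42 + 2 * nlen].decode("utf-16-le", "replace")
            elif atype == ATTR_DATA and info["data"] is None:
                info["data"] = content                   # resident $DATA is the file body itself
        off += alen
    return info


def carve_deleted_files(image, name_filter=None):
    """Scan an image for FILE records and return (name, data) of deleted ones with resident data."""
    found = []
    pos = image.find(b"FILE")
    while pos != -1:
        info = parse_mft_record(image[pos:pos + MFT_RECORD_SIZE])
        if (info and not info["in_use"] and info["data"] is not None
                and (name_filter is None or name_filter in (info["name"] or ""))):
            found.append((info["name"], info["data"]))
        pos = image.find(b"FILE", pos + 1)
    return found


def build_sample_image():
    """Constructed image: junk, a live record, junk, a deleted small file, trailing zeros."""
    live = build_mft_record(40, "notes.txt", b"still allocated", in_use=True)
    deleted = build_mft_record(41, "important.txt", b"resident data survives deletion", in_use=False)
    return b"\x00" * 300 + b"garbage" * 50 + live + b"\xAA" * 777 + deleted + b"\x00" * 100


if __name__ == "__main__":
    for name, data in carve_deleted_files(build_sample_image(), "important"):
        print(f"deleted {name}: {data!r}")
```

The same logic explains the earlier dead end: dumpfiles needs live kernel file objects, while the MFT record of a small deleted file still carries the bytes themselves, so a signature scan over the whole dump is what finds them. Against a real dump you would run the actual mftparser plugin rather than this toy, but the validation it has to do (fixups, sane attribute lengths, the in-use flag) is the same.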
inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3} Good work :P