CTF writeups

forensic

Kaspersky CTF – help (Forensic 500)

We were given a memory dump; First we’ll get image info to understand the image type:   It is Windows 7 x64. As usual we check running processes to find possible suspicious ones: There are only two suspect processes: ‘Keepass.exe’ and ‘Cmd.exe’; The first one interested me more and probably I should try to find ‘kdbx’ or ‘kdb’ file, so I scanned for file lists to get something to start: Read More