CrySyS SecChallenge 2020: The memories I treasure

Can you find and extract some rogue and dark information in my memory? You might want to use the Pensieve at Hogwarts.

Download the image from this link: <memory.raw>

Categories

Forensics, Volatility

Solution

Apparently this one wasn’t meant to be this easy:

$ strings memory.raw | grep cd20{
cd20{REDACTED}
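
A plain `strings` run only extracts single-byte strings by default, so a flag held in memory as UTF-16LE (common in Windows processes) would not show up in the pipeline above. The following is an added example, not part of the original write-up: it scans a raw image for the `cd20{...}` format in both encodings and reports file offsets. The 200-character body limit, the function names and the sample bytes are assumptions made for the illustration.

```python
import io
import re

# Flag format "cd20{...}" comes from the page; the body limits are assumptions.
BODY = rb"[\x20-\x7c\x7e]"          # printable ASCII except '}'
PATTERNS = {
    "ascii": re.compile(rb"cd20\{" + BODY + rb"{1,200}\}"),
    # Same text as UTF-16LE: every character is followed by a NUL byte.
    "utf-16-le": re.compile(
        rb"c\x00d\x002\x000\x00\{\x00(?:" + BODY + rb"\x00){1,200}\}\x00"
    ),
}


def scan_stream(stream, chunk_size=1 << 20, overlap=512):
    """Return sorted (offset, encoding, text) hits from a binary stream.

    The image is read in chunks so multi-gigabyte dumps fit in memory; the
    last `overlap` bytes are carried over so a flag split across two chunks
    is still matched (the longest UTF-16LE match here is 412 bytes).
    """
    hits = set()
    base = 0       # file offset of buf[0]
    tail = b""
    while chunk := stream.read(chunk_size):
        buf = tail + chunk
        for enc, pat in PATTERNS.items():
            for m in pat.finditer(buf):
                hits.add((base + m.start(), enc, m.group().decode(enc)))
        tail = buf[-overlap:]
        base += len(buf) - len(tail)
    return sorted(hits)


def build_sample():
    """Constructed stand-in for memory.raw: filler plus one flag per encoding."""
    wide = "cd20{constructed_wide}".encode("utf-16-le")
    return (b"\xaa" * 1000 + b"cd20{constructed_ascii}"
            + b"\x00" * 3060 + wide + b"\x55" * 500)


if __name__ == "__main__":
    # For a real image: scan_stream(open("memory.raw", "rb"))
    for offset, enc, text in scan_stream(io.BytesIO(build_sample()), 4096):
        print(f"{offset:#010x}  {enc:<9}  {text}")
```

The reported offsets can be used to look at the surrounding bytes in a hex editor and see what else sits next to the string.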