Captured Memories

Challenge:

We found some unusual activity coming from an employee's Windows 10 workstation at De Monne Financial. Our IT guy saved the memory dump to the file provided below. What was the PID of the program used to capture the memory dump? Submit the flag as flag{PID}.

Max Attempts: 10

Solution:

As the challenge description says, the provided Zip archive contains a memory dump file named mem.raw. The task is to identify the PID of the memory capture utility, so I use Volatility to produce a process list:

$ vol.py -qf mem.raw windows.pslist.PsList

Looking through the output, I find the utility at the bottom of the list: WinPmem, an open-source memory acquisition tool.

PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime	Dumped
3348	784	winpmem_v3.3.r	0x87868f2e1080	5	-	1	True	2020-06-26 15:51:36.000000 	N/A	False

Its PID is 3348, making the complete flag flag{3348}.
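To make this triage repeatable on larger dumps, here is an added Python helper (not part of the original write-up or of Volatility) that parses the tab-separated PsList output and picks out acquisition tools by name prefix; the sample rows, the prefix list and the helper names are constructed assumptions.

```python
"""Find memory-acquisition tools in Volatility 3 windows.pslist.PsList output.
Illustrative helper written for this write-up; not part of Volatility."""
from typing import Dict, List

# Assumed list of common acquisition-tool name prefixes (extend as needed).
# EPROCESS.ImageFileName keeps only the first bytes of the executable name,
# which is why the row shows "winpmem_v3.3.r" rather than the full file name,
# so we match on prefixes and never on complete names.
ACQUISITION_PREFIXES = ("winpmem", "dumpit", "ftk imager", "ramcapture")

# Constructed sample in the tab-separated layout that `vol.py -q` prints.
SAMPLE_PSLIST = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tDumped
4\t0\tSystem\t0x87868a2a4040\t120\t-\tN/A\tFalse\t2020-06-26 15:20:01.000000 \tN/A\tFalse
784\t620\texplorer.exe\t0x87868c3b1080\t40\t-\t1\tFalse\t2020-06-26 15:21:10.000000 \tN/A\tFalse
3348\t784\twinpmem_v3.3.r\t0x87868f2e1080\t5\t-\t1\tTrue\t2020-06-26 15:51:36.000000 \tN/A\tFalse
"""


def parse_pslist(text: str) -> List[Dict[str, str]]:
    """Turn the header plus rows into one dict per process, keyed by column."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for ln in lines[1:]:
        fields = ln.split("\t")
        if len(fields) != len(header):
            continue  # banner or wrapped line, not a process row
        rows.append(dict(zip(header, (f.strip() for f in fields))))
    return rows


def find_acquisition_tools(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the processes whose image name matches a known acquisition tool."""
    hits = []
    for r in rows:
        if r["ImageFileName"].lower().startswith(ACQUISITION_PREFIXES):
            hits.append({"pid": int(r["PID"]), "ppid": int(r["PPID"]),
                         "name": r["ImageFileName"], "created": r["CreateTime"],
                         "wow64": r["Wow64"] == "True"})
    return hits


def flag_for(text: str) -> str:
    """Build the challenge flag; refuse to guess if the match is ambiguous."""
    hits = find_acquisition_tools(parse_pslist(text))
    if len(hits) != 1:
        raise ValueError(f"expected one acquisition process, found {len(hits)}")
    return f"flag{{{hits[0]['pid']}}}"
```

The parent PID and creation time of the hit also anchor the acquisition timeline, so anything created after it can be treated as analyst activity rather than suspect activity.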
