Tags: memorydump volatility forensic
Rating: 3.0
$ ./vol2 -f /mnt/hgfs/CTF/CTF-events/2024/knightctf/forensic/KnightSquad.DMP --profile=Win7SP1x64_23418 filescan | grep .bat
Volatility Foundation Volatility Framework 2.6
0x00000000b947d870 16 0 R--r-- \Device\HarddiskVolume2\Windows\System32\drivers\compbatt.sys
0x00000000b947e780 16 0 R--r-- \Device\HarddiskVolume2\Windows\System32\drivers\battc.sys
0x00000000b983d820 2 0 -W---- \Device\HarddiskVolume2\$Recycle.Bin\S-1-5-21-3042789274-2628191860-436916936-1001\$INPNSNE.bat
0x00000000b9932590 2 0 RW-rw- \Device\HarddiskVolume2\Users\siam\Documents\windows.bat
0x00000000ba11bd10 11 0 R--r-d \Device\HarddiskVolume2\Windows\System32\batmeter.dll
0x00000000ba3a7420 16 0 R--r-- \Device\HarddiskVolume2\Windows\Fonts\batang.ttc
opened windows.bat by 'cat' to verify that this file contains previous flag.
Flag format was: KCTF{D:\Program Files\Windows\here}
So the flag is: KCTF{C:\Users\siam\Documents}