SCP 2.0
Memory analysis (using mftparser plugin)
Description
Site-19 has been breached by the Chaos Insurgency following the breach of Site-[REDACTED]. All personnel are required to follow Procedure-15A.
Attachment: Procedure-15A.pdf, memdump.raw
Solution
The given PDF file contains the rules that SCP Foundation personnel are supposed to follow.
The other file is a memory dump, so the task is memory forensics. I use Volatility 2, which can be found here.
imageinfo
For Volatility 2, we have to choose the correct profile before analysing the memory dump. The profile tells Volatility which operating system version, service pack and architecture the dump came from, so that it can locate the kernel structures it needs and produce correct output (source). We can use the imageinfo plugin to get a list of suggested profiles, then pass the chosen one with --profile on every later command.
imageinfo usually suggests several profiles, because closely related builds (different service packs, for example) look alike from the kernel debugger block it scans for. Start with the first suggestion; if a plugin's output is empty or unreadable, switch to the next suggested profile and run it again (kdbgscan gives more detail on which build actually matches).
pslist
Normally the first step in memory dump analysis is to look at the processes that were running. The pslist plugin lists them by walking the kernel's linked list of process structures, which means it does not show hidden processes that have been unlinked from that list; psscan, which scans memory for process structures instead, can show hidden as well as terminated processes.
The image above shows part of the pslist output. After going through all the processes, there is no malicious process that stands out.
Reanalyzing the question
The PDF file mentions data such as documentation, images and videos. This gives us the idea of searching the memory for files.
filescan
We can use the filescan plugin to list the file objects that were open or cached in memory. Run on its own it produces thousands of lines that take time to go through. In DFIR, analysis is about knowing what to search for and narrowing your scope. Since "documentation" is mentioned, we can search for documents, or "doc".
We can pipe the output through grep to search for strings; the -i flag makes the match case-insensitive so that both uppercase and lowercase spellings show up. Keep in mind that a bare "doc" also matches every path under a Documents folder; anchoring the search on the ".doc" extension narrows it further.
Based on the output, SCP-055.doc looks suspicious. We can dump it out and see what is inside.
dumpfiles
We can use the dumpfiles plugin to dump the file, specifying the physical offset of its file object (the Offset(P) column from filescan) with -Q and the output directory with --dump-dir.
Then go to the output directory and rename the file: dumpfiles names its output after the object's offset rather than the original filename, so give it back the .doc extension.
A .doc is an OLE compound file, so it looks like binary garbage in a text editor. After trying several methods to view the file, we find that the strings command, which prints the runs of printable characters in a file, makes the readable parts visible.
We can see a reference to a flag.txt file, but we have no clue how to get it. Let's reanalyse the question again.
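To tie the steps above together, here is an added example (not from the original writeup and not Volatility's own code) that scripts the filescan, grep -i, dumpfiles -Q and strings chain in Python. It assumes vol.py is on PATH and takes the usual -f and --profile options; the sample filescan output, paths and offsets are constructed, and the parsing and strings helpers run on that sample without a dump. Run it without arguments for the offline demo, or with the dump path and profile to dump every .doc and grep the result for "flag".

```python
"""Added example (not from the writeup): script the filescan -> grep -i ->
dumpfiles -Q -> strings chain from the Volatility 2 triage above. vol.py is
only called from dump_and_grep()/__main__; the parsers run offline on the
constructed sample so they can be checked without a memory dump."""
import re
import subprocess
import sys
from pathlib import Path

# filescan rows: physical offset, #Ptr, #Hnd, access flags, path
FILESCAN_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S.*?)\s*$")


def vol(dump, profile, plugin, *args):
    """Run one Volatility 2 plugin and return its stdout (assumes vol.py on PATH)."""
    cmd = ["vol.py", "-f", dump, "--profile", profile, plugin, *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_filescan(output):
    """Yield (physical_offset, path) for every file object row; banner/header lines are skipped."""
    for line in output.splitlines():
        m = FILESCAN_ROW.match(line)
        if m:
            yield int(m.group(1), 16), m.group(5)


def find_files(output, pattern):
    """Case-insensitive filter on the path, the equivalent of `| grep -i pattern`."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(off, path) for off, path in parse_filescan(output) if rx.search(path)]


def extract_strings(data, min_len=4):
    """What `strings` does by default: runs of at least min_len printable ASCII bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def dump_and_grep(dump, profile, pattern, outdir, needle):
    """Dump every filescan hit matching `pattern`, then grep the dumped bytes for `needle`."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    hits = []
    for off, path in find_files(vol(dump, profile, "filescan"), pattern):
        before = set(out.iterdir())
        # -Q takes the Offset(P) value from filescan; dumpfiles names its output
        # after the object offset, not the original filename, so diff the directory
        vol(dump, profile, "dumpfiles", "-Q", hex(off), "--dump-dir", str(out))
        for dumped in set(out.iterdir()) - before:
            hits += [(path, dumped.name, s) for s in extract_strings(dumped.read_bytes())
                     if needle.lower() in s.lower()]
    return hits


# Constructed sample in Volatility 2's filescan layout (not real output from the challenge dump)
SAMPLE_FILESCAN = """Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e0b2f20      2      0 R--r-d \\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll
0x000000003e1a4070     16      0 RW-rw- \\Device\\HarddiskVolume1\\Users\\Admin\\Documents\\SCP-055.doc
0x000000003e2c0a40      1      1 R--rwd \\Device\\HarddiskVolume1\\Users\\Admin\\Documents\\report.pdf
"""

if __name__ == "__main__":
    if len(sys.argv) != 3:
        # Offline demo: a bare "doc" also matches the Documents folder, the extension anchor does not
        print("grep -i doc    :", find_files(SAMPLE_FILESCAN, "doc"))
        print(r"grep -i \.doc$ :", find_files(SAMPLE_FILESCAN, r"\.doc$"))
        sys.exit(0)
    for path, name, s in dump_and_grep(sys.argv[1], sys.argv[2], r"\.doc$", "dumped", "flag"):
        print(f"{path} -> {name}: {s}")
```

Diffing the output directory before and after each dumpfiles call sidesteps having to predict the file.<pid>.<offset>.<ext> names dumpfiles produces, and extract_strings is deliberately the default `strings` behaviour (4-byte minimum, ASCII only), so a UTF-16 string would not show up here any more than it does with plain `strings`.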
Reanalyzing the question 2
Looking back at the PDF file, it says that all data must be eradicated (removed). This hints that we should search for deleted files.
mftparser
We can scan for deleted files using mftparser, which carves NTFS Master File Table entries out of memory, including entries for files that have been deleted and, for small files, the content itself, which NTFS stores resident inside the MFT entry. The output is a large chunk of text, so I chose to save it to an mft.txt file.
However, grepping mft.txt for "flag.txt" still finds nothing. Therefore, we can try searching for only "txt".
This turns up a file in the Recycle Bin. Windows renames a file moved to the Recycle Bin to $R followed by random characters, keeping only the extension, which is most likely why the search for "flag.txt" failed. Its content is small enough to be resident, so we can read it straight from the mftparser output. The content is a long, suspicious string that looks like base64.
In CTF competitions, whenever there is a base64 encoded string, decoding it might give you a surprise!
Decode it and we get the flag.
Alternative Method
After the competition, the challenge creator gave me another solution which I think is a faster way to search for the file. Since it is about a deleted file, we can try searching for the Recycle Bin.
Thanks to the challenge creator for giving me a better solution!
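Both the mftparser route and the Recycle Bin shortcut above come down to the same parsing job, so here is one added example (not from the original writeup and not Volatility's own code) that does it in Python: split mftparser output into entries, keep those whose $FILE_NAME path is a .txt under $Recycle.Bin, rebuild the resident $DATA from the hexdump and run a strict base64 decode. It assumes Volatility 2's text layout (rows of asterisks between entries, $SECTION headers, hexdump rows of offset, hex bytes and ASCII); the sample output, SID and $R filename are constructed, not taken from the challenge.

```python
"""Added example (not from the writeup): recover a deleted file's content from
Volatility 2 mftparser output and try to base64-decode it. Assumes Volatility 2's
text layout; the sample at the bottom is constructed, not real challenge output."""
import base64
import binascii
import re
from dataclasses import dataclass, field

# hexdump row: offset, hex pairs separated by single spaces, 2+ spaces, ASCII column
HEXDUMP_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2} )*[0-9a-fA-F]{2})(?:\s{2,}.*)?$")
# $FILE_NAME row: four "YYYY-MM-DD HH:MM:SS UTC+0000" timestamps, then the path
FILE_NAME_ROW = re.compile(r"^(?:\S+ \S+ UTC[+-]\d{4}\s+){4}(\S.*?)\s*$")
# Vista+ moves a deleted file to $Recycle.Bin\<SID>\$R<random>.<ext>: the original
# name ("flag.txt") is gone and only the extension survives, so filter on that
RECYCLE_TXT = re.compile(r"\$Recycle\.Bin\\.*\.txt$", re.IGNORECASE)


@dataclass
class MftEntry:
    attribute: str = ""                        # e.g. "In Use & File"
    names: list = field(default_factory=list)  # every $FILE_NAME path (8.3 and long names)
    data: bytes = b""                          # resident $DATA only; non-resident has no hexdump


def parse_entries(text):
    """Split mftparser output into entries and collect each one's names and resident data."""
    for block in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        if "MFT entry found" not in block:
            continue
        entry, section = MftEntry(), None
        for line in block.splitlines():
            if line.startswith("Attribute:"):
                entry.attribute = line.split(":", 1)[1].strip()
            elif line.startswith("$"):
                section = line.split()[0]      # $STANDARD_INFORMATION, $FILE_NAME, $DATA ...
            elif section == "$FILE_NAME":
                m = FILE_NAME_ROW.match(line)
                if m:
                    entry.names.append(m.group(1))
            elif section == "$DATA":
                m = HEXDUMP_ROW.match(line)
                if m:
                    entry.data += bytes.fromhex(m.group(1))
        yield entry


def try_base64(blob):
    """Strict decode (validate=True rejects non-alphabet bytes); None unless the result is text."""
    try:
        out = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    if out and all(0x20 <= b < 0x7F or b in b"\t\r\n" for b in out):
        return out.decode("ascii")
    return None


def recover_deleted(text, name_filter=RECYCLE_TXT):
    """(path, raw bytes, decoded text or None) for entries with a matching name and resident data."""
    return [(e.names[-1], e.data, try_base64(e.data))
            for e in parse_entries(text)
            if e.data and any(name_filter.search(n) for n in e.names)]


# Constructed mftparser-style output (two entries); the base64 decodes to a mock string
SAMPLE_MFT = r"""Volatility Foundation Volatility Framework 2.6
***************************************************************************
MFT entry found at offset 0x1a2c400
Attribute: In Use & File
Record Number: 4411

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
2023-03-10 08:12:44 UTC+0000 2023-03-10 08:12:44 UTC+0000 2023-03-10 08:12:44 UTC+0000 2023-03-10 08:12:44 UTC+0000 Users\Admin\Documents\notes.txt

$DATA
0x00000000  6e 6f 74 68 69 6e 67 20 68 65 72 65 0d 0a                    nothing.here..

***************************************************************************
MFT entry found at offset 0x1a2d000
Attribute: In Use & File
Record Number: 4412

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
2023-03-10 08:15:02 UTC+0000 2023-03-10 08:15:02 UTC+0000 2023-03-10 08:15:02 UTC+0000 2023-03-10 08:15:02 UTC+0000 $Recycle.Bin\S-1-5-21-1111111111-2222222222-3333333333-1001\$R5Q2K9T.txt

$DATA
0x00000000  5a 58 68 68 62 58 42 73 5a 58 74 74 62 32 4e 72   ZXhhbXBsZXttb2Nr
0x00000010  58 7a 46 39                                       XzF9
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_MFT
    for path, raw, decoded in recover_deleted(text):
        print(path, "->", decoded if decoded is not None else raw)
```

Point it at the saved mft.txt to run it on real output. The strict decode matters in practice: a plain base64 call silently skips junk bytes, so a resident blob of binary garbage can "decode" to nonsense, while validate=True plus the printable check only reports candidates worth looking at.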
Flag
ABOH23{C0NT41nm3Nt_Breach_8Y_M@cr0$}