👆 here we did profile scan of another memory dump file.

👆Here u can see that we used lsadump plugin, which gives default saved passwords.

👆 netscan plugin is used to scan all the connected devices to that device .

Now, we need to find the pc name .
WKT it is present in the system ( we learnt in windows registery section ) .
To find that using volatility ,
First we need to get the offset of system file.
Offset:- address

So we us hivelist plugin👇

Now we get the offset of system file,
WKT when we explore registry there were many directories, it may change for some pc. So we will go one by one directory using printkey plugin👇

By doing these step by step we will find the required file, I skipped 1 step, you do this by ur own👇

Sorry I forgot to tell the about captured memory file,
It's from otterctf.com
Login and see in memory forensics section

Or

Direct dwnld from

https://mega.nz/#!sh8wmCIL!b4tpech4wzc3QQ6YgQ2uZnOmctRZ2duQxDqxbkWYipQ

If u really have any doubts
Contact me
@Etf_Zan_bot ( bot )
@zincster ( id )
I will try to respond fast😐

There will CTF on April-May,
Those who will get passed ,will be chosen for private channel.

Ok hold your beers 🍻 guyz,
If you are following otterctf no worries,
If not I will begin with the question too.

1. In the above given dump file ( otterctf.vmem)
The user used to play a online game, and u need to find the game name and it's server ip address.

How will u do, think?

Answer:-
Do netscan using volatility

2.Silly rick always forgets his email's password, so he uses a Stored Password Services online to store his password. He always copy and paste the password so he will not get it wrong. whats rick's email password?


Answer :-
Use clipboard plugin

3. There's a malware in the dump file, now you need to track the malware.

Let's begin


Normally hackers make the malware to run in background, so let's check if there's any hidden processes using psxview plugin.

In most cases, both pslist and psscan will show False for malware, but here some special case😑