Sierra Leone - Simple Forensic

I'm unable to provide the files as they are too big. However, you may be able to download them from the organiser's google drive links here and here.

I started out by using volatility to inspect the processes running within the memory dump:

vol -f ./memdump.mem windows.pslist
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime       File output

4       0       System  0xbe077a092040  148     -       N/A     False   2025-09-10 06:56:09.000000 UTC  N/A     Disabled
108     4       Registry        0xbe077a099080  4       -       N/A     False   2025-09-10 06:56:04.000000 UTC  N/A    Disabled
388     4       smss.exe        0xbe077ae4d040  2       -       N/A     False   2025-09-10 06:56:09.000000 UTC  N/A    Disabled
504     480     csrss.exe       0xbe077b007080  12      -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
580     480     wininit.exe     0xbe077bc6f080  1       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
588     572     csrss.exe       0xbe077bc74140  15      -       1       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
688     572     winlogon.exe    0xbe077bce4080  5       -       1       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
720     580     services.exe    0xbe077bd190c0  7       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
740     580     lsass.exe       0xbe077bd2c080  10      -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
872     720     svchost.exe     0xbe077bd8d280  11      -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
892     580     fontdrvhost.ex  0xbe077bddb180  5       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
900     688     fontdrvhost.ex  0xbe077bdd9180  5       -       1       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1004    720     svchost.exe     0xbe077ca11300  11      -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
440     720     svchost.exe     0xbe077ca84280  5       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1036    720     svchost.exe     0xbe077cb0d340  7       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1084    720     svchost.exe     0xbe077cb0f2c0  1       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1092    720     svchost.exe     0xbe077cb63340  3       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1164    688     dwm.exe 0xbe077cb41080  14      -       1       False   2025-09-10 06:56:10.000000 UTC  N/A     Disabled
1180    688     LogonUI.exe     0xbe077cb430c0  0       -       1       False   2025-09-10 06:56:10.000000 UTC  2025-09-10 06:56:36.000000 UTC  Disabled
1196    720     svchost.exe     0xbe077cb45300  4       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1256    720     svchost.exe     0xbe077cbae340  5       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1388    720     svchost.exe     0xbe077cc130c0  7       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1456    720     svchost.exe     0xbe077cc88300  6       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1476    720     svchost.exe     0xbe077ccab300  2       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1500    720     svchost.exe     0xbe077cc35080  4       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1552    720     svchost.exe     0xbe077ccea300  3       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1568    720     svchost.exe     0xbe077ccc92c0  3       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1576    720     svchost.exe     0xbe077ccca080  3       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1696    720     svchost.exe     0xbe077cd43280  7       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1716    4       MemCompression  0xbe077cd42040  22      -       N/A     False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1756    720     svchost.exe     0xbe077cd65300  6       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1768    720     svchost.exe     0xbe077cd85080  2       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1868    720     svchost.exe     0xbe077ce3b340  1       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1880    720     svchost.exe     0xbe077ce3c080  2       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1892    720     svchost.exe     0xbe077ce3d080  6       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1468    720     svchost.exe     0xbe077cf26300  12      -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2172    720     svchost.exe     0xbe077a08e300  7       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2180    720     svchost.exe     0xbe077cfc8300  9       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2188    720     svchost.exe     0xbe077a0a20c0  3       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2216    720     svchost.exe     0xbe077a12b080  4       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2288    720     svchost.exe     0xbe077a0e7080  2       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2412    720     spoolsv.exe     0xbe07800c80c0  7       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2424    720     svchost.exe     0xbe07800c1340  5       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2476    720     svchost.exe     0xbe077a17c080  12      -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2512    720     svchost.exe     0xbe077a16f080  5       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2720    720     svchost.exe     0xbe077a164080  22      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2728    720     svchost.exe     0xbe077a162080  9       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2736    720     svchost.exe     0xbe077a084080  10      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2744    720     svchost.exe     0xbe077bcda300  1       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2760    720     MpDefenderCore  0xbe07801a9080  10      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2768    720     svchost.exe     0xbe07801a6300  16      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2780    720     VGAuthService.  0xbe07801a8340  2       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2788    720     svchost.exe     0xbe07801a7080  3       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2812    720     vmtoolsd.exe    0xbe07801ad2c0  11      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2820    720     vm3dservice.ex  0xbe07801ab280  2       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2860    720     MsMpEng.exe     0xbe0780194080  27      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2868    720     svchost.exe     0xbe0780193280  4       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2904    720     svchost.exe     0xbe078022f280  6       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3040    2820    vm3dservice.ex  0xbe07802d4080  2       -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3056    720     svchost.exe     0xbe07802d7300  5       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3236    720     svchost.exe     0xbe07803a1300  2       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3364    720     svchost.exe     0xbe07803d2080  11      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3384    1696    sihost.exe      0xbe078039f300  8       -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3456    720     SearchIndexer.  0xbe07804b0280  16      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3544    720     svchost.exe     0xbe0780506080  10      -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3788    720     svchost.exe     0xbe0780564300  4       -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3828    720     dllhost.exe     0xbe078058c2c0  10      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3928    1388    taskhostw.exe   0xbe078062a080  9       -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3944    1388    MicrosoftEdgeU  0xbe078061f080  4       -       0       True    2025-09-10 06:56:11.000000 UTC  N/A    Disabled
4028    720     svchost.exe     0xbe0780623300  2       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3808    872     WmiPrvSE.exe    0xbe07805e62c0  12      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3724    872     dllhost.exe     0xbe07805d62c0  5       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3876    720     svchost.exe     0xbe078084b2c0  3       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
4244    3876    ctfmon.exe      0xbe078089d0c0  16      -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
4324    720     svchost.exe     0xbe0780925300  8       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
4364    688     userinit.exe    0xbe078093c080  0       -       1       False   2025-09-10 06:56:11.000000 UTC  2025-09-10 06:56:32.000000 UTC  Disabled
4428    4364    explorer.exe    0xbe078093a080  88      -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
4592    720     svchost.exe     0xbe0780a3b300  5       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
4824    720     svchost.exe     0xbe07805df300  7       -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
4980    720     msdtc.exe       0xbe0780c082c0  9       -       0       False   2025-09-10 06:56:12.000000 UTC  N/A    Disabled
5208    2736    AggregatorHost  0xbe07803d0080  2       -       0       False   2025-09-10 06:56:12.000000 UTC  N/A    Disabled
5284    872     StartMenuExper  0xbe0780c7e080  8       -       1       False   2025-09-10 06:56:12.000000 UTC  N/A    Disabled
5352    872     RuntimeBroker.  0xbe0780d96340  1       -       1       False   2025-09-10 06:56:12.000000 UTC  N/A    Disabled
5480    872     SearchApp.exe   0xbe077a0eb080  71      -       1       False   2025-09-10 06:56:12.000000 UTC  N/A    Disabled
5676    872     RuntimeBroker.  0xbe0780fa8340  12      -       1       False   2025-09-10 06:56:12.000000 UTC  N/A    Disabled
6020    872     LockApp.exe     0xbe0781289080  11      -       1       False   2025-09-10 06:56:13.000000 UTC  N/A    Disabled
6100    872     RuntimeBroker.  0xbe07812de340  3       -       1       False   2025-09-10 06:56:13.000000 UTC  N/A    Disabled
5768    720     svchost.exe     0xbe078114e300  2       -       0       False   2025-09-10 06:56:13.000000 UTC  N/A    Disabled
6844    720     svchost.exe     0xbe078082a080  1       -       0       False   2025-09-10 06:56:14.000000 UTC  N/A    Disabled
6948    720     svchost.exe     0xbe0781457340  4       -       0       False   2025-09-10 06:56:14.000000 UTC  N/A    Disabled
6396    720     NisSrv.exe      0xbe0781463080  7       -       0       False   2025-09-10 06:56:16.000000 UTC  N/A    Disabled
6596    872     RuntimeBroker.  0xbe07816230c0  2       -       1       False   2025-09-10 06:56:22.000000 UTC  N/A    Disabled
6688    4428    SecurityHealth  0xbe0780d7d0c0  1       -       1       False   2025-09-10 06:56:23.000000 UTC  N/A    Disabled
6704    720     SecurityHealth  0xbe0780d8a2c0  6       -       0       False   2025-09-10 06:56:23.000000 UTC  N/A    Disabled
6828    4428    vmtoolsd.exe    0xbe0780fe8080  8       -       1       False   2025-09-10 06:56:23.000000 UTC  N/A    Disabled
2104    4428    msedge.exe      0xbe0781541300  0       -       1       False   2025-09-10 06:56:24.000000 UTC  2025-09-10 10:48:19.000000 UTC  Disabled
7724    720     svchost.exe     0xbe078192e080  3       -       0       False   2025-09-10 06:56:25.000000 UTC  N/A    Disabled
7952    720     svchost.exe     0xbe0780a7e340  7       -       0       False   2025-09-10 06:56:31.000000 UTC  N/A    Disabled
8080    872     TextInputHost.  0xbe078181e080  17      -       1       False   2025-09-10 06:56:36.000000 UTC  N/A    Disabled
1296    872     ApplicationFra  0xbe0781909080  5       -       1       False   2025-09-10 06:57:01.000000 UTC  N/A    Disabled
5988    720     svchost.exe     0xbe077cac7340  9       -       0       False   2025-09-10 06:58:11.000000 UTC  N/A    Disabled
6592    720     svchost.exe     0xbe0781848080  2       -       1       False   2025-09-10 06:58:11.000000 UTC  N/A    Disabled
6668    720     svchost.exe     0xbe077cc15280  3       -       0       False   2025-09-10 06:58:11.000000 UTC  N/A    Disabled
772     720     SgrmBroker.exe  0xbe07817a7080  7       -       0       False   2025-09-10 06:58:11.000000 UTC  N/A    Disabled
700     720     svchost.exe     0xbe07815e2080  7       -       0       False   2025-09-10 06:58:12.000000 UTC  N/A    Disabled
1636    720     svchost.exe     0xbe078180d080  4       -       0       False   2025-09-10 06:58:12.000000 UTC  N/A    Disabled
3436    720     svchost.exe     0xbe0781829080  8       -       0       False   2025-09-10 06:58:12.000000 UTC  N/A    Disabled
8184    720     svchost.exe     0xbe0780f7e340  0       -       0       False   2025-09-10 07:03:10.000000 UTC  2025-09-10 07:03:16.000000 UTC  Disabled
5136    720     svchost.exe     0xbe078183c080  9       -       0       False   2025-09-10 07:09:02.000000 UTC  N/A    Disabled
4536    872     dllhost.exe     0xbe07814ca080  5       -       1       False   2025-09-10 07:09:18.000000 UTC  N/A    Disabled
7876    720     svchost.exe     0xbe0780fb7080  3       -       0       False   2025-09-10 07:09:26.000000 UTC  N/A    Disabled
6956    872     ShellExperienc  0xbe078178b080  13      -       1       False   2025-09-10 07:09:32.000000 UTC  N/A    Disabled
3348    872     RuntimeBroker.  0xbe07818c4080  4       -       1       False   2025-09-10 07:09:32.000000 UTC  N/A    Disabled
5408    720     svchost.exe     0xbe078132b300  4       -       0       False   2025-09-10 07:09:42.000000 UTC  N/A    Disabled
604     720     svchost.exe     0xbe07815d7300  3       -       0       False   2025-09-10 07:09:42.000000 UTC  N/A    Disabled
3372    720     svchost.exe     0xbe07818e6080  2       -       0       False   2025-09-10 07:11:13.000000 UTC  N/A    Disabled
7608    720     svchost.exe     0xbe0780451300  2       -       0       False   2025-09-10 07:25:58.000000 UTC  N/A    Disabled
2384    688     LogonUI.exe     0xbe0781792080  0       -       1       False   2025-09-10 07:52:10.000000 UTC  2025-09-10 08:00:31.000000 UTC  Disabled
2072    872     SystemSettings  0xbe077ceaf080  18      -       1       False   2025-09-10 08:35:35.000000 UTC  N/A    Disabled
4480    872     UserOOBEBroker  0xbe0780832080  1       -       1       False   2025-09-10 08:35:36.000000 UTC  N/A    Disabled
912     720     svchost.exe     0xbe077ce83080  1       -       0       False   2025-09-10 08:49:37.000000 UTC  N/A    Disabled
3968    688     LogonUI.exe     0xbe078119d080  0       -       1       False   2025-09-10 09:44:23.000000 UTC  2025-09-10 10:23:51.000000 UTC  Disabled
9104    720     svchost.exe     0xbe07831b6340  3       -       0       False   2025-09-10 10:23:47.000000 UTC  N/A    Disabled
1656    720     svchost.exe     0xbe078182f300  4       -       0       False   2025-09-10 10:34:00.000000 UTC  N/A    Disabled
2120    720     svchost.exe     0xbe0781df5300  5       -       0       False   2025-09-10 10:34:00.000000 UTC  N/A    Disabled
4904    720     svchost.exe     0xbe0783365080  5       -       0       False   2025-09-10 10:34:01.000000 UTC  N/A    Disabled
6188    720     svchost.exe     0xbe07845e70c0  3       -       0       False   2025-09-10 10:38:44.000000 UTC  N/A    Disabled
3300    2104    msedge.exe      0xbe0783252080  48      -       1       False   2025-09-10 10:48:19.000000 UTC  N/A    Disabled
4420    3300    msedge.exe      0xbe078334f080  7       -       1       False   2025-09-10 10:48:19.000000 UTC  N/A    Disabled
4532    3300    msedge.exe      0xbe0783325080  17      -       1       False   2025-09-10 10:48:19.000000 UTC  N/A    Disabled
7968    3300    msedge.exe      0xbe0781911080  17      -       1       False   2025-09-10 10:48:19.000000 UTC  N/A    Disabled
2300    3300    msedge.exe      0xbe078334a080  9       -       1       False   2025-09-10 10:48:19.000000 UTC  N/A    Disabled
4836    4428    CSG2025_Forens  0xbe078190a080  4       -       1       False   2025-09-10 10:48:46.000000 UTC  N/A    Disabled
5968    4836    conhost.exe     0xbe07833b5340  3       -       1       False   2025-09-10 10:48:46.000000 UTC  N/A    Disabled
7384    4428    CSG2025_Forens  0xbe07846ef080  4       -       1       False   2025-09-10 10:48:54.000000 UTC  N/A    Disabled
7392    7384    conhost.exe     0xbe0781269300  3       -       1       False   2025-09-10 10:48:54.000000 UTC  N/A    Disabled
4528    4428    CSG2025_Forens  0xbe078298b340  4       -       1       False   2025-09-10 10:48:58.000000 UTC  N/A    Disabled
1980    4528    conhost.exe     0xbe0783fa4300  3       -       1       False   2025-09-10 10:48:58.000000 UTC  N/A    Disabled
5424    4428    CSG2025_Forens  0xbe077cc87080  4       -       1       False   2025-09-10 10:49:03.000000 UTC  N/A    Disabled
4156    5424    conhost.exe     0xbe0781874300  3       -       1       False   2025-09-10 10:49:03.000000 UTC  N/A    Disabled
3004    4428    CSG2025_Forens  0xbe0783fb4300  4       -       1       False   2025-09-10 10:49:07.000000 UTC  N/A    Disabled
8140    3004    conhost.exe     0xbe0783393300  3       -       1       False   2025-09-10 10:49:07.000000 UTC  N/A    Disabled
3872    4428    CSG2025_Forens  0xbe07817e40c0  4       -       1       False   2025-09-10 10:49:10.000000 UTC  N/A    Disabled
3288    3872    conhost.exe     0xbe0782eed080  3       -       1       False   2025-09-10 10:49:10.000000 UTC  N/A    Disabled
7596    4428    CSG2025_Forens  0xbe0782fe1080  4       -       1       False   2025-09-10 10:49:15.000000 UTC  N/A    Disabled
3940    7596    conhost.exe     0xbe0782fcc080  3       -       1       False   2025-09-10 10:49:15.000000 UTC  N/A    Disabled
3212    4428    CSG2025_Forens  0xbe07831cb080  4       -       1       False   2025-09-10 10:49:19.000000 UTC  N/A    Disabled
6112    3212    conhost.exe     0xbe0780c80080  3       -       1       False   2025-09-10 10:49:19.000000 UTC  N/A    Disabled
6276    720     svchost.exe     0xbe078185c080  14      -       0       False   2025-09-10 10:49:19.000000 UTC  N/A    Disabled
472     4428    CSG2025_Forens  0xbe07831dc080  4       -       1       False   2025-09-10 10:49:27.000000 UTC  N/A    Disabled
7960    472     conhost.exe     0xbe0782a1c080  3       -       1       False   2025-09-10 10:49:27.000000 UTC  N/A    Disabled
128     4428    CSG2025_Forens  0xbe0782ee7080  4       -       1       False   2025-09-10 10:49:31.000000 UTC  N/A    Disabled
5880    128     conhost.exe     0xbe0782e96080  10      -       1       False   2025-09-10 10:49:31.000000 UTC  N/A    Disabled
7460    4428    notepad.exe     0xbe07814dc080  2       -       1       False   2025-09-10 10:49:57.000000 UTC  N/A    Disabled
8796    3456    SearchFilterHo  0xbe0780336080  4       -       0       False   2025-09-10 10:53:48.000000 UTC  N/A    Disabled
3804    3456    SearchProtocol  0xbe078130e080  6       -       1       False   2025-09-10 10:55:40.000000 UTC  N/A    Disabled
7272    872     smartscreen.ex  0xbe07811a2080  14      -       1       False   2025-09-10 10:55:54.000000 UTC  N/A    Disabled
8328    1468    audiodg.exe     0xbe077cdad080  5       -       0       False   2025-09-10 10:55:54.000000 UTC  N/A    Disabled
1224    4428    FTK Imager.exe  0xbe0782ee8080  23      -       1       False   2025-09-10 10:55:56.000000 UTC  N/A    Disabled

You can see a bunch of `CSG2025_Forens` processes, each with a child conhost.exe. Next I inspected their command lines:

vol -f ./memdump.mem windows.cmdline 
PID     Process Args
    ...
4836    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0010\CSG2025_Forensic_Challenge.exe"
5968    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
7384    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0009\CSG2025_Forensic_Challenge.exe"
7392    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
4528    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0008\CSG2025_Forensic_Challenge.exe"
1980    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
5424    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0007\CSG2025_Forensic_Challenge.exe"
4156    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
3004    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0006\CSG2025_Forensic_Challenge.exe"
8140    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
3872    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0005\CSG2025_Forensic_Challenge.exe"
3288    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
7596    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0004\CSG2025_Forensic_Challenge.exe"
3940    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
3212    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0003\CSG2025_Forensic_Challenge.exe"
6112    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
6276    svchost.exe     C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
472     CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0002\CSG2025_Forensic_Challenge.exe"
7960    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
128     CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0001\CSG2025_Forensic_Challenge.exe"
5880    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
7460    notepad.exe     "C:\Windows\system32\NOTEPAD.EXE" C:\Users\tsshimizu\Desktop\FLAG.txt
8796    SearchFilterHo  "C:\Windows\system32\SearchFilterHost.exe" 0 828 832 840 8192 836 812
3804    SearchProtocol  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1666401375-4036008941-1272421846-100118_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1666401375-4036008941-1272421846-100118 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
7272    smartscreen.ex  C:\Windows\System32\smartscreen.exe -Embedding
8328    audiodg.exe     C:\Windows\system32\AUDIODG.EXE 0x170
1224    FTK Imager.exe  "C:\Program Files\AccessData\FTK Imager\FTK Imager.exe"

Most importantly, notepad.exe (PID 7460) has C:\Users\tsshimizu\Desktop\FLAG.txt open.

I dumped the process memory with windows.memmap (using vol3). The strings search below runs against pid.7460.dmp, i.e. the dump of notepad.exe, so pass the PID of the process whose memory you want to inspect:

vol -f "./memdump.mem" windows.memmap --pid 4836 --dump

Then I checked it for the keyword 'FLAG':

elijah@soyabean:/mnt/c/Users/chiae/Downloads/cyberseagames/sierra_leone_simple_forens/memdump/procdump$ strings -el ./pid.7460.dmp 2>/dev/null \
  | grep -iEo 'CTF\{[^}]{1,300}\}|FLAG\{[^}]{1,300}\}' \
  | head -n 1
FLAG{The Flag can be found in a file created at 2025-09-10 08:18:20.0630481}

Now we need to use the $MFT file given to find the file created at that exact time. You can use Eric Zimmerman's MFTECmd for this.

Furthermore, on Windows you won't be able to see the $MFT file from either PowerShell or File Explorer. The workaround for me was to go to WSL and copy the MFT file to a new name; the copy is then visible to Windows.

To generate a csv view from the MFT:

MFTECmd.exe -f .\MFT_COPY --csv .\out

When we do a search for "08:18:20" within the CSV, we notice these few rows:

EntryNumber,SequenceNumber,InUse,ParentEntryNumber,ParentSequenceNumber,ParentPath,FileName,Extension,FileSize,ReferenceCount,ReparseTarget,IsDirectory,HasAds,IsAds,SI<FN,uSecZeros,Copied,SiFlags,NameType,Created0x10,Created0x30,LastModified0x10,LastModified0x30,LastRecordChange0x10,LastRecordChange0x30,LastAccess0x10,LastAccess0x30,UpdateSequenceNumber,LogfileSequenceNumber,SecurityId,ObjectIdFileDroid,LoggedUtilStream,ZoneIdContents,SourceFile
252216,2,True,56521,24,.\Users\tsshimizu\Desktop\Tor Browser,0010,,0,1,,True,False,False,False,False,False,None,DosWindows,2025-09-10 08:18:19.6352314,,2025-09-10 08:18:20.1410103,,2025-09-10 08:18:26.6369490,2025-09-10 08:18:20.1570144,2025-09-10 08:32:59.7346532,2025-09-10 08:18:20.1410103,1929787232,8207896053,1611,3816694c-8e13-11f0-ba8c-000c29d19702,,,.\MFT_COPY
252217,2,True,252216,2,.\Users\tsshimizu\Desktop\Tor Browser\0010,CSG2025_Forensic_Challenge.deps.json,.json,470,1,,False,False,False,False,False,True,Archive,Windows,2025-09-10 08:18:19.6352314,,2025-09-10 08:18:09.0173971,2025-09-10 08:18:19.6352314,2025-09-10 08:18:09.0173971,2025-09-10 08:18:19.6352314,2025-09-10 08:28:34.4952115,2025-09-10 08:18:19.6352314,1929783728,8207491011,1019,,,,.\MFT_COPY
252218,2,True,252216,2,.\Users\tsshimizu\Desktop\Tor Browser\0010,CSG2025_Forensic_Challenge.dll,.dll,9728,1,,False,False,False,False,False,True,Archive,Windows,2025-09-10 08:18:19.6502523,,2025-09-10 08:18:09.0083981,2025-09-10 08:18:19.6502523,2025-09-10 08:18:09.0083981,2025-09-10 08:18:19.6502523,2025-09-10 08:28:34.5108256,2025-09-10 08:18:19.6502523,1929784856,8207896095,1019,,,,.\MFT_COPY
252219,2,True,252216,2,.\Users\tsshimizu\Desktop\Tor Browser\0010,CSG2025_Forensic_Challenge.exe,.exe,138752,1,,False,False,False,False,False,True,Archive,Windows,2025-09-10 08:18:20.0630481,,2025-09-10 08:18:09.0113978,2025-09-10 08:18:20.0630481,2025-09-10 08:18:09.0113978,2025-09-10 08:18:20.0630481,2025-09-10 08:28:36.5795169,2025-09-10 08:18:20.0630481,1929785464,8207896129,1019,,,,.\MFT_COPY
252220,2,True,252216,2,.\Users\tsshimizu\Desktop\Tor Browser\0010,CSG2025_Forensic_Challenge.pdb,.pdb,12628,1,,False,False,False,False,False,True,Archive,Windows,2025-09-10 08:18:20.1259960,,2025-09-10 08:18:09.0083981,2025-09-10 08:18:20.1259960,2025-09-10 08:18:09.0083981,2025-09-10 08:18:20.1259960,2025-09-10 08:18:20.1259960,,1929786064,8206831439,1019,,,,.\MFT_COPY
252221,2,True,252216,2,.\Users\tsshimizu\Desktop\Tor Browser\0010,CSG2025_Forensic_Challenge.runtimeconfig.json,.json,340,1,,False,False,False,False,False,True,Archive,Windows,2025-09-10 08:18:20.1410103,,2025-09-10 08:18:09.0214001,2025-09-10 08:18:20.1410103,2025-09-10 08:18:09.0214001,2025-09-10 08:18:20.1410103,2025-09-10 08:28:34.4952115,2025-09-10 08:18:20.1410103,1929786792,8207490977,1019,,,,.\MFT_COPY

So we are likely being pointed to CSG2025_Forensic_Challenge.exe in C:\Users\tsshimizu\Desktop\Tor Browser\0010\, the only row whose Created0x10 timestamp is exactly 2025-09-10 08:18:20.0630481; from the cmdline output, that executable is running as PID 4836. We can dump it from the memory dump as follows:

vol -f "./memdump.mem" windows.memmap --pid 4836 --dump

Now if we do strings on the binary we would see many references to .NET, which prompts us to use dnspy to analyse the binary.

Inspecting the dumped .exe and .dll, there doesn't seem to be much in the exe; the dll, however, has several references to .NET, so we can try decompiling it with dnSpy.

However, the DLL dumped this way seemed to be corrupted and dnSpy refused to load it, likely because windows.memmap --dump writes out raw process pages rather than a reconstructed PE image:

Now we try the volatility windows.dlllist plugin, which lists the modules (the exe and every loaded dll) of each process together with their base addresses.

elijah@soyabean:/mnt/c/Users/chiae/Downloads/cyberseagames/sierra_leone_simple_forens/memdump$ vol -f ./memdump.mem windows.dlllist | grep CSG
4836    CSG2025_Forens  0x7ff7eb0b0000  0x27000 CSG2025_Forensic_Challenge.exe  C:\Users\tsshimizu\Desktop\Tor Browser\0010\CSG2025_Forensic_Challenge.exe      2025-09-10 10:48:46.000000 UTC  Disabled
4836    CSG2025_Forens  0x10f85c10000   0x8000  CSG2025_Forensic_Challenge.dll  C:\Users\tsshimizu\Desktop\Tor Browser\0010\CSG2025_Forensic_Challenge.dll      2025-09-10 10:48:46.000000 UTC  Disabled

This shows us that the base address of CSG2025_Forensic_Challenge.dll inside PID 4836 is 0x10f85c10000. We can dump that module with the command

vol -f ./memdump.mem windows.dlllist --pid 4836 --base 0x10f85c10000 --dump

Now we've successfully obtained the uncorrupted dll, and can use dnspy to analyse it.

We see the following functions:

// Compiler-generated entry point (top-level statements). It builds the crypto
// helper from two hard-coded obfuscated constants -- note these differ from the
// ones embedded in the parameterless CSG2025_FC_Crypto constructor -- and then
// starts the remote shell listener on TCP port 54321. args is never used.
private static void <Main>$(string[] args)
{
	CSG2025_FC_Crypto csg2025_FC_Crypto = new CSG2025_FC_Crypto("12021e082708132b341a01182416341b063f365b21282631242340433f39311e", "2a3c240a25323923372027002216010e043c185c08175158");
	// Fixed port; the listener binds on all interfaces (see RemoteShell).
	new CSG2025_FC_Srv().RemoteShell(54321, csg2025_FC_Crypto);
}
using System;
using System.IO;
using System.Runtime.CompilerServices;
using System.Security.Cryptography;
using System.Text;

namespace CSG2025_Forensic_Challenge
{
	// Token: 0x02000003 RID: 3
	// AES wrapper used by the remote shell. The key and IV are never stored as
	// plain bytes: both are kept as hex-encoded, XOR-obfuscated base64 strings and
	// recovered at construction time by AdvancedDecode. Both AES routines reuse
	// the same key/IV pair for every call.
	[NullableContext(1)]
	[Nullable(0)]
	public class CSG2025_FC_Crypto
	{
		// Token: 0x06000003 RID: 3 RVA: 0x00002088 File Offset: 0x00002088
		// Builds the key/IV from the two constants embedded here. This is the
		// fallback RemoteShell uses when it is handed a null crypto object; the
		// entry point on this page passes different constants instead.
		public CSG2025_FC_Crypto()
		{
			string text = "1002284436093a572e2b19343d0227392b3e25272228363d26320d3e33283916";
			string text2 = "173c02430e092a121c3520172939025a3c1210100e215158";
			// AdvancedDecode returns null on a failed base64 step; GetBytes(null)
			// then throws ArgumentNullException, so a bad constant fails here
			// rather than at the first encrypt/decrypt call.
			this.key = Encoding.UTF8.GetBytes(this.AdvancedDecode(text));
			this.iv = Encoding.UTF8.GetBytes(this.AdvancedDecode(text2));
		}

		// Token: 0x06000004 RID: 4 RVA: 0x000020D5 File Offset: 0x000020D5
		// Same derivation as the parameterless constructor, but from caller-supplied
		// obfuscated strings (the format AdvancedEncode produces).
		public CSG2025_FC_Crypto(string encoded_key, string encoded_iv)
		{
			this.key = Encoding.UTF8.GetBytes(this.AdvancedDecode(encoded_key));
			this.iv = Encoding.UTF8.GetBytes(this.AdvancedDecode(encoded_iv));
		}

		// Token: 0x06000005 RID: 5 RVA: 0x0000210C File Offset: 0x0000210C
		// AES-encrypts plainText with the instance key/IV and returns the
		// ciphertext as base64. Aes.Create() is used with its defaults (CBC with
		// PKCS7 padding); the StreamWriter encodes the text as UTF-8 before it
		// reaches the CryptoStream. Because the IV is fixed per instance, identical
		// command output always yields identical ciphertext on the wire -- a useful
		// handle when correlating captured traffic from this implant.
		public string obfuscate(string plainText)
		{
			string text;
			using (Aes aes = Aes.Create())
			{
				aes.Key = this.key;
				aes.IV = this.iv;
				ICryptoTransform cryptoTransform = aes.CreateEncryptor(aes.Key, aes.IV);
				using (MemoryStream memoryStream = new MemoryStream())
				{
					using (CryptoStream cryptoStream = new CryptoStream(memoryStream, cryptoTransform, CryptoStreamMode.Write))
					{
						using (StreamWriter streamWriter = new StreamWriter(cryptoStream))
						{
							streamWriter.Write(plainText);
						}
						// Disposing the StreamWriter/CryptoStream above flushes the
						// final padded block before the buffer is read here.
						text = Convert.ToBase64String(memoryStream.ToArray());
					}
				}
			}
			return text;
		}

		// Token: 0x06000006 RID: 6 RVA: 0x000021DC File Offset: 0x000021DC
		// Inverse of obfuscate: base64-decodes encryptedText, AES-decrypts it with
		// the instance key/IV and returns the result read back as text. Unlike
		// AdvancedDecode there is no catch here, so malformed base64 or a padding
		// failure propagates as an exception to the caller.
		public string Deobfuscate(string encryptedText)
		{
			string text;
			using (Aes aes = Aes.Create())
			{
				aes.Key = this.key;
				aes.IV = this.iv;
				ICryptoTransform cryptoTransform = aes.CreateDecryptor(aes.Key, aes.IV);
				using (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(encryptedText)))
				{
					using (CryptoStream cryptoStream = new CryptoStream(memoryStream, cryptoTransform, CryptoStreamMode.Read))
					{
						using (StreamReader streamReader = new StreamReader(cryptoStream))
						{
							text = streamReader.ReadToEnd();
						}
					}
				}
			}
			return text;
		}

		// Token: 0x06000007 RID: 7 RVA: 0x000022A4 File Offset: 0x000022A4
		// Produces the obfuscated form used for the embedded key/IV constants:
		// base64(input), then each character XORed with the repeating xorKey, then
		// each resulting character written as two lowercase hex digits ("x2").
		// NOTE(review): as listed, char ^ char is an int and StringBuilder.Append(int)
		// would append its decimal digits; the hex constants on this page only
		// decode to valid base64 if the XOR result is appended as a char, so a
		// (char) cast was probably lost in the listing -- confirm against the
		// binary. The same applies to the XOR loop in AdvancedDecode.
		public string AdvancedEncode(string input)
		{
			string text = Convert.ToBase64String(Encoding.UTF8.GetBytes(input));
			StringBuilder stringBuilder = new StringBuilder();
			for (int i = 0; i < text.Length; i++)
			{
				stringBuilder.Append(text[i] ^ CSG2025_FC_Crypto.xorKey[i % CSG2025_FC_Crypto.xorKey.Length]);
			}
			string text2 = stringBuilder.ToString();
			StringBuilder stringBuilder2 = new StringBuilder();
			foreach (char c in text2)
			{
				// Decompiler artifact for stringBuilder2.Append(((int)c).ToString("x2")).
				StringBuilder stringBuilder3 = stringBuilder2;
				int num = (int)c;
				stringBuilder3.Append(num.ToString("x2"));
			}
			return stringBuilder2.ToString();
		}

		// Token: 0x06000008 RID: 8 RVA: 0x0000234C File Offset: 0x0000234C
		// Reverses AdvancedEncode: hex pairs -> characters, XOR with the repeating
		// xorKey, then base64-decode to UTF-8 text. Returns null (rather than
		// throwing) if the base64 step fails; the constructors in this class do not
		// check for that. An odd-length input makes Substring throw outside the
		// try, so that case is not swallowed.
		public string AdvancedDecode(string input)
		{
			StringBuilder stringBuilder = new StringBuilder();
			for (int i = 0; i < input.Length; i += 2)
			{
				stringBuilder.Append((char)Convert.ToInt32(input.Substring(i, 2), 16));
			}
			string text = stringBuilder.ToString();
			StringBuilder stringBuilder2 = new StringBuilder();
			for (int j = 0; j < text.Length; j++)
			{
				// See the NOTE on AdvancedEncode about the missing (char) cast.
				stringBuilder2.Append(text[j] ^ CSG2025_FC_Crypto.xorKey[j % CSG2025_FC_Crypto.xorKey.Length]);
			}
			string text2 = stringBuilder2.ToString();
			string text3;
			try
			{
				byte[] array = Convert.FromBase64String(text2);
				text3 = Encoding.UTF8.GetString(array);
			}
			catch (Exception)
			{
				// Only the base64/UTF-8 step is guarded; failure is signalled by null.
				text3 = null;
			}
			return text3;
		}

		// Token: 0x04000001 RID: 1
		// AES key bytes, derived once in the constructor.
		private readonly byte[] key;

		// Token: 0x04000002 RID: 2
		// AES IV bytes, derived once in the constructor and reused for every call.
		private readonly byte[] iv;

		// Token: 0x04000003 RID: 3
		// Repeating XOR key for the Advanced* routines; a convenient string to
		// search for when triaging related samples.
		private static readonly string xorKey = "simplekey";
	}
}
// Command listener recovered from the sample. It binds to IPAddress.Any, so it
// accepts connections on every interface of the host on `port`, with no
// authentication. Commands arrive as plaintext lines and are handed to
// this.ExecuteCommand() (its body is not shown here); replies go back through
// crypto.obfuscate(), and the literal "flag" returns the Deobfuscate() of the
// embedded ciphertext. For responders, the host-side indicator is this process
// holding a listening TCP socket on `port`, plus any children ExecuteCommand()
// spawns.
public void RemoteShell(int port, CSG2025_FC_Crypto crypto)
{
	TcpListener tcpListener = new TcpListener(IPAddress.Any, port);
	tcpListener.Start();
	bool flag = true;
	// A null argument falls back to a fresh CSG2025_FC_Crypto (constructor not shown here).
	CSG2025_FC_Crypto csg2025_FC_Crypto = ((crypto == null) ? new CSG2025_FC_Crypto() : crypto);
	// Serves one client at a time; the listener is never Stop()ped in this method.
	while (flag)
	{
		using (TcpClient tcpClient = tcpListener.AcceptTcpClient())
		{
			using (NetworkStream stream = tcpClient.GetStream())
			{
				using (StreamReader streamReader = new StreamReader(stream))
				{
					using (StreamWriter streamWriter = new StreamWriter(stream)
					{
						AutoFlush = true
					})
					{
						string text;
						while ((text = streamReader.ReadLine()) != null)
						{
							// Lower-cased, trimmed copy is used only for matching; the raw
							// line `text` is what reaches ExecuteCommand().
							string text2 = text.ToLower().Trim();
							// "quit", "q" or an empty line clear `flag` but do not break this
							// read loop: the session continues until the client closes, and
							// only then does the outer loop stop accepting new clients.
							// (text2 is never null here; the null test is dead.)
							if (!(text2 == "quit") && !(text2 == "q") && (text2 == null || text2.Length != 0))
							{
								if (!(text2 == "flag"))
								{
									string text3 = this.ExecuteCommand(text);
									streamWriter.WriteLine(csg2025_FC_Crypto.obfuscate(text3));
								}
								else
								{
									// Same ciphertext the write-up decrypts below.
									streamWriter.WriteLine(csg2025_FC_Crypto.Deobfuscate("8I8UA7wRkZlDgKEN0EAtic6wcVhGpuW7avv3xEemfliBAYXtpgJhNukG9tm7wRod"));
								}
							}
							else
							{
								flag = false;
							}
						}
					}
				}
			}
		}
	}
}

Here are the important values:

ciphertext: 8I8UA7wRkZlDgKEN0EAtic6wcVhGpuW7avv3xEemfliBAYXtpgJhNukG9tm7wRod

key: AdvancedDecode("12021e082708132b341a01182416341b063f365b21282631242340433f39311e")

iv: AdvancedDecode("2a3c240a25323923372027002216010e043c185c08175158")

xorKey: simplekey

All AdvancedDecode does is convert the key or IV string from hex to bytes, XOR those bytes with the repeating xorKey, and base64-decode the result.

public string AdvancedDecode(string input)
{
	// Inverse of AdvancedEncode: hex -> XOR with the fixed key -> base64 -> UTF-8.
	StringBuilder fromHex = new StringBuilder();
	for (int at = 0; at < input.Length; at += 2)
	{
		// Substring(at, 2) throws on odd-length input; that is outside the try below.
		fromHex.Append((char)Convert.ToInt32(input.Substring(at, 2), 16));
	}
	string hexDecoded = fromHex.ToString();
	string mask = CSG2025_FC_Crypto.xorKey;
	StringBuilder unmasked = new StringBuilder();
	for (int at = 0; at < hexDecoded.Length; at++)
	{
		// NOTE(review): char ^ char is an int and Append(int) writes decimal
		// digits, as in the decompiled original; the Python solve below treats
		// this as a char-wise XOR - confirm against the binary.
		unmasked.Append(hexDecoded[at] ^ mask[at % mask.Length]);
	}
	string base64Text = unmasked.ToString();
	string result;
	// A failed base64 decode is reported as null, not thrown.
	try
	{
		result = Encoding.UTF8.GetString(Convert.FromBase64String(base64Text));
	}
	catch (Exception)
	{
		result = null;
	}
	return result;
}

Now we need to find out how to perform the AES decryption. According to https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesmanaged.mode?view=net-9.0, the default cipher mode for .NET's AES is CBC (and the default padding is PKCS7, which is why the solve script below calls unpad).

public string Deobfuscate(string encryptedText)
{
	// Reverses obfuscate(): base64 -> AES with Aes.Create() defaults -> UTF-8 text.
	// Key and IV come from the instance fields.
	string plaintext;
	using (Aes aes = Aes.Create())
	{
		aes.Key = this.key;
		aes.IV = this.iv;
		ICryptoTransform decryptor = aes.CreateDecryptor(aes.Key, aes.IV);
		// Base64 is parsed only after key/IV were accepted, as in the original.
		byte[] cipherBytes = Convert.FromBase64String(encryptedText);
		using (MemoryStream source = new MemoryStream(cipherBytes))
		using (CryptoStream decrypting = new CryptoStream(source, decryptor, CryptoStreamMode.Read))
		using (StreamReader reader = new StreamReader(decrypting))
		{
			plaintext = reader.ReadToEnd();
		}
	}
	return plaintext;
}

We can see that the ciphertext is base64-decoded, then AES decryption is performed in CBC mode with the key and IV recovered above.

Now, we have all the pieces needed to decrypt the flag:

from pwn import * 
from base64 import b64decode
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

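ct = "8I8UA7wRkZlDgKEN0EAtic6wcVhGpuW7avv3xEemfliBAYXtpgJhNukG9tm7wRod"
key = "12021e082708132b341a01182416341b063f365b21282631242340433f39311e"
iv = "2a3c240a25323923372027002216010e043c185c08175158"
xorkey = b'simplekey'


def unwrap_secret(hex_text: str, mask: bytes) -> bytes:
    """Reverse the sample's AdvancedEncode layering and return the raw secret.

    The binary stores key and IV as hex(xor(base64(secret), mask)), with
    *mask* repeated cyclically. This undoes it with the standard library
    only, so pwntools' ``xor`` is no longer required.

    Args:
        hex_text: the hex string as embedded in the binary.
        mask: the fixed XOR key (``xorkey`` above).

    Returns:
        The decoded secret bytes (empty input gives ``b""``).

    Raises:
        ValueError: if *mask* is empty or the hex/base64 layers are malformed.
    """
    if not mask:
        raise ValueError("mask must not be empty")
    masked = bytes.fromhex(hex_text)
    # Repeat the mask to at least the data length; zip truncates the excess.
    stream = mask * (len(masked) // len(mask) + 1)
    b64_text = bytes(a ^ b for a, b in zip(masked, stream))
    return b64decode(b64_text)


def main() -> None:
    """Derive the AES-CBC key/IV from the embedded strings and print the flag."""
    real_key = unwrap_secret(key, xorkey)
    real_iv = unwrap_secret(iv, xorkey)
    print(f"real key: {real_key}")
    print(f"real iv: {real_iv}")
    # Fail with a readable message instead of deep inside pycryptodome.
    if len(real_key) not in (16, 24, 32):
        raise ValueError(f"derived key has {len(real_key)} bytes, not an AES key size")
    if len(real_iv) != AES.block_size:
        raise ValueError(f"derived IV has {len(real_iv)} bytes, expected {AES.block_size}")
    cipher = AES.new(real_key, AES.MODE_CBC, iv=real_iv)
    # Mirrors Deobfuscate(): base64 -> AES-CBC -> PKCS7 unpad -> UTF-8.
    padded = cipher.decrypt(b64decode(ct))
    pt = unpad(padded, AES.block_size).decode()
    print(f"plaintext: {pt}")


if __name__ == "__main__":
    main()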

The plaintext is b'aB!3dE#5fG@7hI^9jK&1lM*2nO(4pQ)6rS-8tU_0vW+z' which is the flag!
