Sierra Leone - Simple Forensic (forens)

I'm unable to provide the files as they are too big. However, you may be able to download them from the organiser's google drive links here and here.

I started out by using volatility to inspect the processes running within the memory dump:

vol -f ./memdump.mem windows.pslist
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime       File output

4       0       System  0xbe077a092040  148     -       N/A     False   2025-09-10 06:56:09.000000 UTC  N/A     Disabled
108     4       Registry        0xbe077a099080  4       -       N/A     False   2025-09-10 06:56:04.000000 UTC  N/A    Disabled
388     4       smss.exe        0xbe077ae4d040  2       -       N/A     False   2025-09-10 06:56:09.000000 UTC  N/A    Disabled
504     480     csrss.exe       0xbe077b007080  12      -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
580     480     wininit.exe     0xbe077bc6f080  1       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
588     572     csrss.exe       0xbe077bc74140  15      -       1       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
688     572     winlogon.exe    0xbe077bce4080  5       -       1       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
720     580     services.exe    0xbe077bd190c0  7       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
740     580     lsass.exe       0xbe077bd2c080  10      -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
872     720     svchost.exe     0xbe077bd8d280  11      -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
892     580     fontdrvhost.ex  0xbe077bddb180  5       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
900     688     fontdrvhost.ex  0xbe077bdd9180  5       -       1       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1004    720     svchost.exe     0xbe077ca11300  11      -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
440     720     svchost.exe     0xbe077ca84280  5       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1036    720     svchost.exe     0xbe077cb0d340  7       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1084    720     svchost.exe     0xbe077cb0f2c0  1       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1092    720     svchost.exe     0xbe077cb63340  3       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1164    688     dwm.exe 0xbe077cb41080  14      -       1       False   2025-09-10 06:56:10.000000 UTC  N/A     Disabled
1180    688     LogonUI.exe     0xbe077cb430c0  0       -       1       False   2025-09-10 06:56:10.000000 UTC  2025-09-10 06:56:36.000000 UTC  Disabled
1196    720     svchost.exe     0xbe077cb45300  4       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1256    720     svchost.exe     0xbe077cbae340  5       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1388    720     svchost.exe     0xbe077cc130c0  7       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1456    720     svchost.exe     0xbe077cc88300  6       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1476    720     svchost.exe     0xbe077ccab300  2       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1500    720     svchost.exe     0xbe077cc35080  4       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1552    720     svchost.exe     0xbe077ccea300  3       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1568    720     svchost.exe     0xbe077ccc92c0  3       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1576    720     svchost.exe     0xbe077ccca080  3       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1696    720     svchost.exe     0xbe077cd43280  7       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1716    4       MemCompression  0xbe077cd42040  22      -       N/A     False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1756    720     svchost.exe     0xbe077cd65300  6       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1768    720     svchost.exe     0xbe077cd85080  2       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1868    720     svchost.exe     0xbe077ce3b340  1       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1880    720     svchost.exe     0xbe077ce3c080  2       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1892    720     svchost.exe     0xbe077ce3d080  6       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
1468    720     svchost.exe     0xbe077cf26300  12      -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2172    720     svchost.exe     0xbe077a08e300  7       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2180    720     svchost.exe     0xbe077cfc8300  9       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2188    720     svchost.exe     0xbe077a0a20c0  3       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2216    720     svchost.exe     0xbe077a12b080  4       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2288    720     svchost.exe     0xbe077a0e7080  2       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2412    720     spoolsv.exe     0xbe07800c80c0  7       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2424    720     svchost.exe     0xbe07800c1340  5       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2476    720     svchost.exe     0xbe077a17c080  12      -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2512    720     svchost.exe     0xbe077a16f080  5       -       0       False   2025-09-10 06:56:10.000000 UTC  N/A    Disabled
2720    720     svchost.exe     0xbe077a164080  22      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2728    720     svchost.exe     0xbe077a162080  9       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2736    720     svchost.exe     0xbe077a084080  10      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2744    720     svchost.exe     0xbe077bcda300  1       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2760    720     MpDefenderCore  0xbe07801a9080  10      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2768    720     svchost.exe     0xbe07801a6300  16      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2780    720     VGAuthService.  0xbe07801a8340  2       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2788    720     svchost.exe     0xbe07801a7080  3       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2812    720     vmtoolsd.exe    0xbe07801ad2c0  11      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2820    720     vm3dservice.ex  0xbe07801ab280  2       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2860    720     MsMpEng.exe     0xbe0780194080  27      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2868    720     svchost.exe     0xbe0780193280  4       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
2904    720     svchost.exe     0xbe078022f280  6       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3040    2820    vm3dservice.ex  0xbe07802d4080  2       -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3056    720     svchost.exe     0xbe07802d7300  5       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3236    720     svchost.exe     0xbe07803a1300  2       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3364    720     svchost.exe     0xbe07803d2080  11      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3384    1696    sihost.exe      0xbe078039f300  8       -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3456    720     SearchIndexer.  0xbe07804b0280  16      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3544    720     svchost.exe     0xbe0780506080  10      -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3788    720     svchost.exe     0xbe0780564300  4       -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3828    720     dllhost.exe     0xbe078058c2c0  10      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3928    1388    taskhostw.exe   0xbe078062a080  9       -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3944    1388    MicrosoftEdgeU  0xbe078061f080  4       -       0       True    2025-09-10 06:56:11.000000 UTC  N/A    Disabled
4028    720     svchost.exe     0xbe0780623300  2       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3808    872     WmiPrvSE.exe    0xbe07805e62c0  12      -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3724    872     dllhost.exe     0xbe07805d62c0  5       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
3876    720     svchost.exe     0xbe078084b2c0  3       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
4244    3876    ctfmon.exe      0xbe078089d0c0  16      -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
4324    720     svchost.exe     0xbe0780925300  8       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
4364    688     userinit.exe    0xbe078093c080  0       -       1       False   2025-09-10 06:56:11.000000 UTC  2025-09-10 06:56:32.000000 UTC  Disabled
4428    4364    explorer.exe    0xbe078093a080  88      -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
4592    720     svchost.exe     0xbe0780a3b300  5       -       0       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
4824    720     svchost.exe     0xbe07805df300  7       -       1       False   2025-09-10 06:56:11.000000 UTC  N/A    Disabled
4980    720     msdtc.exe       0xbe0780c082c0  9       -       0       False   2025-09-10 06:56:12.000000 UTC  N/A    Disabled
5208    2736    AggregatorHost  0xbe07803d0080  2       -       0       False   2025-09-10 06:56:12.000000 UTC  N/A    Disabled
5284    872     StartMenuExper  0xbe0780c7e080  8       -       1       False   2025-09-10 06:56:12.000000 UTC  N/A    Disabled
5352    872     RuntimeBroker.  0xbe0780d96340  1       -       1       False   2025-09-10 06:56:12.000000 UTC  N/A    Disabled
5480    872     SearchApp.exe   0xbe077a0eb080  71      -       1       False   2025-09-10 06:56:12.000000 UTC  N/A    Disabled
5676    872     RuntimeBroker.  0xbe0780fa8340  12      -       1       False   2025-09-10 06:56:12.000000 UTC  N/A    Disabled
6020    872     LockApp.exe     0xbe0781289080  11      -       1       False   2025-09-10 06:56:13.000000 UTC  N/A    Disabled
6100    872     RuntimeBroker.  0xbe07812de340  3       -       1       False   2025-09-10 06:56:13.000000 UTC  N/A    Disabled
5768    720     svchost.exe     0xbe078114e300  2       -       0       False   2025-09-10 06:56:13.000000 UTC  N/A    Disabled
6844    720     svchost.exe     0xbe078082a080  1       -       0       False   2025-09-10 06:56:14.000000 UTC  N/A    Disabled
6948    720     svchost.exe     0xbe0781457340  4       -       0       False   2025-09-10 06:56:14.000000 UTC  N/A    Disabled
6396    720     NisSrv.exe      0xbe0781463080  7       -       0       False   2025-09-10 06:56:16.000000 UTC  N/A    Disabled
6596    872     RuntimeBroker.  0xbe07816230c0  2       -       1       False   2025-09-10 06:56:22.000000 UTC  N/A    Disabled
6688    4428    SecurityHealth  0xbe0780d7d0c0  1       -       1       False   2025-09-10 06:56:23.000000 UTC  N/A    Disabled
6704    720     SecurityHealth  0xbe0780d8a2c0  6       -       0       False   2025-09-10 06:56:23.000000 UTC  N/A    Disabled
6828    4428    vmtoolsd.exe    0xbe0780fe8080  8       -       1       False   2025-09-10 06:56:23.000000 UTC  N/A    Disabled
2104    4428    msedge.exe      0xbe0781541300  0       -       1       False   2025-09-10 06:56:24.000000 UTC  2025-09-10 10:48:19.000000 UTC  Disabled
7724    720     svchost.exe     0xbe078192e080  3       -       0       False   2025-09-10 06:56:25.000000 UTC  N/A    Disabled
7952    720     svchost.exe     0xbe0780a7e340  7       -       0       False   2025-09-10 06:56:31.000000 UTC  N/A    Disabled
8080    872     TextInputHost.  0xbe078181e080  17      -       1       False   2025-09-10 06:56:36.000000 UTC  N/A    Disabled
1296    872     ApplicationFra  0xbe0781909080  5       -       1       False   2025-09-10 06:57:01.000000 UTC  N/A    Disabled
5988    720     svchost.exe     0xbe077cac7340  9       -       0       False   2025-09-10 06:58:11.000000 UTC  N/A    Disabled
6592    720     svchost.exe     0xbe0781848080  2       -       1       False   2025-09-10 06:58:11.000000 UTC  N/A    Disabled
6668    720     svchost.exe     0xbe077cc15280  3       -       0       False   2025-09-10 06:58:11.000000 UTC  N/A    Disabled
772     720     SgrmBroker.exe  0xbe07817a7080  7       -       0       False   2025-09-10 06:58:11.000000 UTC  N/A    Disabled
700     720     svchost.exe     0xbe07815e2080  7       -       0       False   2025-09-10 06:58:12.000000 UTC  N/A    Disabled
1636    720     svchost.exe     0xbe078180d080  4       -       0       False   2025-09-10 06:58:12.000000 UTC  N/A    Disabled
3436    720     svchost.exe     0xbe0781829080  8       -       0       False   2025-09-10 06:58:12.000000 UTC  N/A    Disabled
8184    720     svchost.exe     0xbe0780f7e340  0       -       0       False   2025-09-10 07:03:10.000000 UTC  2025-09-10 07:03:16.000000 UTC  Disabled
5136    720     svchost.exe     0xbe078183c080  9       -       0       False   2025-09-10 07:09:02.000000 UTC  N/A    Disabled
4536    872     dllhost.exe     0xbe07814ca080  5       -       1       False   2025-09-10 07:09:18.000000 UTC  N/A    Disabled
7876    720     svchost.exe     0xbe0780fb7080  3       -       0       False   2025-09-10 07:09:26.000000 UTC  N/A    Disabled
6956    872     ShellExperienc  0xbe078178b080  13      -       1       False   2025-09-10 07:09:32.000000 UTC  N/A    Disabled
3348    872     RuntimeBroker.  0xbe07818c4080  4       -       1       False   2025-09-10 07:09:32.000000 UTC  N/A    Disabled
5408    720     svchost.exe     0xbe078132b300  4       -       0       False   2025-09-10 07:09:42.000000 UTC  N/A    Disabled
604     720     svchost.exe     0xbe07815d7300  3       -       0       False   2025-09-10 07:09:42.000000 UTC  N/A    Disabled
3372    720     svchost.exe     0xbe07818e6080  2       -       0       False   2025-09-10 07:11:13.000000 UTC  N/A    Disabled
7608    720     svchost.exe     0xbe0780451300  2       -       0       False   2025-09-10 07:25:58.000000 UTC  N/A    Disabled
2384    688     LogonUI.exe     0xbe0781792080  0       -       1       False   2025-09-10 07:52:10.000000 UTC  2025-09-10 08:00:31.000000 UTC  Disabled
2072    872     SystemSettings  0xbe077ceaf080  18      -       1       False   2025-09-10 08:35:35.000000 UTC  N/A    Disabled
4480    872     UserOOBEBroker  0xbe0780832080  1       -       1       False   2025-09-10 08:35:36.000000 UTC  N/A    Disabled
912     720     svchost.exe     0xbe077ce83080  1       -       0       False   2025-09-10 08:49:37.000000 UTC  N/A    Disabled
3968    688     LogonUI.exe     0xbe078119d080  0       -       1       False   2025-09-10 09:44:23.000000 UTC  2025-09-10 10:23:51.000000 UTC  Disabled
9104    720     svchost.exe     0xbe07831b6340  3       -       0       False   2025-09-10 10:23:47.000000 UTC  N/A    Disabled
1656    720     svchost.exe     0xbe078182f300  4       -       0       False   2025-09-10 10:34:00.000000 UTC  N/A    Disabled
2120    720     svchost.exe     0xbe0781df5300  5       -       0       False   2025-09-10 10:34:00.000000 UTC  N/A    Disabled
4904    720     svchost.exe     0xbe0783365080  5       -       0       False   2025-09-10 10:34:01.000000 UTC  N/A    Disabled
6188    720     svchost.exe     0xbe07845e70c0  3       -       0       False   2025-09-10 10:38:44.000000 UTC  N/A    Disabled
3300    2104    msedge.exe      0xbe0783252080  48      -       1       False   2025-09-10 10:48:19.000000 UTC  N/A    Disabled
4420    3300    msedge.exe      0xbe078334f080  7       -       1       False   2025-09-10 10:48:19.000000 UTC  N/A    Disabled
4532    3300    msedge.exe      0xbe0783325080  17      -       1       False   2025-09-10 10:48:19.000000 UTC  N/A    Disabled
7968    3300    msedge.exe      0xbe0781911080  17      -       1       False   2025-09-10 10:48:19.000000 UTC  N/A    Disabled
2300    3300    msedge.exe      0xbe078334a080  9       -       1       False   2025-09-10 10:48:19.000000 UTC  N/A    Disabled
4836    4428    CSG2025_Forens  0xbe078190a080  4       -       1       False   2025-09-10 10:48:46.000000 UTC  N/A    Disabled
5968    4836    conhost.exe     0xbe07833b5340  3       -       1       False   2025-09-10 10:48:46.000000 UTC  N/A    Disabled
7384    4428    CSG2025_Forens  0xbe07846ef080  4       -       1       False   2025-09-10 10:48:54.000000 UTC  N/A    Disabled
7392    7384    conhost.exe     0xbe0781269300  3       -       1       False   2025-09-10 10:48:54.000000 UTC  N/A    Disabled
4528    4428    CSG2025_Forens  0xbe078298b340  4       -       1       False   2025-09-10 10:48:58.000000 UTC  N/A    Disabled
1980    4528    conhost.exe     0xbe0783fa4300  3       -       1       False   2025-09-10 10:48:58.000000 UTC  N/A    Disabled
5424    4428    CSG2025_Forens  0xbe077cc87080  4       -       1       False   2025-09-10 10:49:03.000000 UTC  N/A    Disabled
4156    5424    conhost.exe     0xbe0781874300  3       -       1       False   2025-09-10 10:49:03.000000 UTC  N/A    Disabled
3004    4428    CSG2025_Forens  0xbe0783fb4300  4       -       1       False   2025-09-10 10:49:07.000000 UTC  N/A    Disabled
8140    3004    conhost.exe     0xbe0783393300  3       -       1       False   2025-09-10 10:49:07.000000 UTC  N/A    Disabled
3872    4428    CSG2025_Forens  0xbe07817e40c0  4       -       1       False   2025-09-10 10:49:10.000000 UTC  N/A    Disabled
3288    3872    conhost.exe     0xbe0782eed080  3       -       1       False   2025-09-10 10:49:10.000000 UTC  N/A    Disabled
7596    4428    CSG2025_Forens  0xbe0782fe1080  4       -       1       False   2025-09-10 10:49:15.000000 UTC  N/A    Disabled
3940    7596    conhost.exe     0xbe0782fcc080  3       -       1       False   2025-09-10 10:49:15.000000 UTC  N/A    Disabled
3212    4428    CSG2025_Forens  0xbe07831cb080  4       -       1       False   2025-09-10 10:49:19.000000 UTC  N/A    Disabled
6112    3212    conhost.exe     0xbe0780c80080  3       -       1       False   2025-09-10 10:49:19.000000 UTC  N/A    Disabled
6276    720     svchost.exe     0xbe078185c080  14      -       0       False   2025-09-10 10:49:19.000000 UTC  N/A    Disabled
472     4428    CSG2025_Forens  0xbe07831dc080  4       -       1       False   2025-09-10 10:49:27.000000 UTC  N/A    Disabled
7960    472     conhost.exe     0xbe0782a1c080  3       -       1       False   2025-09-10 10:49:27.000000 UTC  N/A    Disabled
128     4428    CSG2025_Forens  0xbe0782ee7080  4       -       1       False   2025-09-10 10:49:31.000000 UTC  N/A    Disabled
5880    128     conhost.exe     0xbe0782e96080  10      -       1       False   2025-09-10 10:49:31.000000 UTC  N/A    Disabled
7460    4428    notepad.exe     0xbe07814dc080  2       -       1       False   2025-09-10 10:49:57.000000 UTC  N/A    Disabled
8796    3456    SearchFilterHo  0xbe0780336080  4       -       0       False   2025-09-10 10:53:48.000000 UTC  N/A    Disabled
3804    3456    SearchProtocol  0xbe078130e080  6       -       1       False   2025-09-10 10:55:40.000000 UTC  N/A    Disabled
7272    872     smartscreen.ex  0xbe07811a2080  14      -       1       False   2025-09-10 10:55:54.000000 UTC  N/A    Disabled
8328    1468    audiodg.exe     0xbe077cdad080  5       -       0       False   2025-09-10 10:55:54.000000 UTC  N/A    Disabled
1224    4428    FTK Imager.exe  0xbe0782ee8080  23      -       1       False   2025-09-10 10:55:56.000000 UTC  N/A    Disabled

You can see a bunch of `CSG_2025 Forens processes. Now I moved on to inspecting cmdline:

vol -f ./memdump.mem windows.cmdline 
PID     Process Args
    ...
4836    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0010\CSG2025_Forensic_Challenge.exe"
5968    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
7384    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0009\CSG2025_Forensic_Challenge.exe"
7392    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
4528    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0008\CSG2025_Forensic_Challenge.exe"
1980    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
5424    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0007\CSG2025_Forensic_Challenge.exe"
4156    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
3004    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0006\CSG2025_Forensic_Challenge.exe"
8140    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
3872    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0005\CSG2025_Forensic_Challenge.exe"
3288    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
7596    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0004\CSG2025_Forensic_Challenge.exe"
3940    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
3212    CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0003\CSG2025_Forensic_Challenge.exe"
6112    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
6276    svchost.exe     C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
472     CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0002\CSG2025_Forensic_Challenge.exe"
7960    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
128     CSG2025_Forens  "C:\Users\tsshimizu\Desktop\Tor Browser\0001\CSG2025_Forensic_Challenge.exe"
5880    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
7460    notepad.exe     "C:\Windows\system32\NOTEPAD.EXE" C:\Users\tsshimizu\Desktop\FLAG.txt
8796    SearchFilterHo  "C:\Windows\system32\SearchFilterHost.exe" 0 828 832 840 8192 836 812
3804    SearchProtocol  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1666401375-4036008941-1272421846-100118_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1666401375-4036008941-1272421846-100118 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
7272    smartscreen.ex  C:\Windows\System32\smartscreen.exe -Embedding
8328    audiodg.exe     C:\Windows\system32\AUDIODG.EXE 0x170
1224    FTK Imager.exe  "C:\Program Files\AccessData\FTK Imager\FTK Imager.exe"

Most importantly, observe how notepad.exe is editing C:\Users\tsshimizu\Desktop\FLAG.txt.

I dumped the process memory using the command (using vol3):

ol -f "./memdump.mem" windows.memmap --pid 4836 --dump

Then I checked it for the keyword 'FLAG' (strings -el accounts for UTF-16 encoding):

elijah@soyabean:/mnt/c/Users/chiae/Downloads/cyberseagames/sierra_leone_simple_forens/memdump/procdump$ strings -el ./pid.7460.dmp 2>/dev/null \
  | grep -iEo 'CTF\{[^}]{1,300}\}|FLAG\{[^}]{1,300}\}' \
  | head -n 1
FLAG{The Flag can be found in a file created at 2025-09-10 08:18:20.0630481}

Now we need to use the $MFT file given to find the file created at that exact timing. You can use Eric Zimmerman's MFTECmd for this.

Furthermore, on Windows you won't be able to see the $MFT file on both powershell and file explorer. The workaround for me was to go to WSL, then copy and paste the MFT file. It would then be visible to Windows.

To generate a csv view from the MFT:

MFTECmd.exe -f .\MFT_COPY --csv .\out

When we do a search for "08:18:20" within the CSV, we notice these few rows:

EntryNumber,SequenceNumber,InUse,ParentEntryNumber,ParentSequenceNumber,ParentPath,FileName,Extension,FileSize,ReferenceCount,ReparseTarget,IsDirectory,HasAds,IsAds,SI<FN,uSecZeros,Copied,SiFlags,NameType,Created0x10,Created0x30,LastModified0x10,LastModified0x30,LastRecordChange0x10,LastRecordChange0x30,LastAccess0x10,LastAccess0x30,UpdateSequenceNumber,LogfileSequenceNumber,SecurityId,ObjectIdFileDroid,LoggedUtilStream,ZoneIdContents,SourceFile
252216,2,True,56521,24,.\Users\tsshimizu\Desktop\Tor Browser,0010,,0,1,,True,False,False,False,False,False,None,DosWindows,2025-09-10 08:18:19.6352314,,2025-09-10 08:18:20.1410103,,2025-09-10 08:18:26.6369490,2025-09-10 08:18:20.1570144,2025-09-10 08:32:59.7346532,2025-09-10 08:18:20.1410103,1929787232,8207896053,1611,3816694c-8e13-11f0-ba8c-000c29d19702,,,.\MFT_COPY
252217,2,True,252216,2,.\Users\tsshimizu\Desktop\Tor Browser\0010,CSG2025_Forensic_Challenge.deps.json,.json,470,1,,False,False,False,False,False,True,Archive,Windows,2025-09-10 08:18:19.6352314,,2025-09-10 08:18:09.0173971,2025-09-10 08:18:19.6352314,2025-09-10 08:18:09.0173971,2025-09-10 08:18:19.6352314,2025-09-10 08:28:34.4952115,2025-09-10 08:18:19.6352314,1929783728,8207491011,1019,,,,.\MFT_COPY
252218,2,True,252216,2,.\Users\tsshimizu\Desktop\Tor Browser\0010,CSG2025_Forensic_Challenge.dll,.dll,9728,1,,False,False,False,False,False,True,Archive,Windows,2025-09-10 08:18:19.6502523,,2025-09-10 08:18:09.0083981,2025-09-10 08:18:19.6502523,2025-09-10 08:18:09.0083981,2025-09-10 08:18:19.6502523,2025-09-10 08:28:34.5108256,2025-09-10 08:18:19.6502523,1929784856,8207896095,1019,,,,.\MFT_COPY
252219,2,True,252216,2,.\Users\tsshimizu\Desktop\Tor Browser\0010,CSG2025_Forensic_Challenge.exe,.exe,138752,1,,False,False,False,False,False,True,Archive,Windows,2025-09-10 08:18:20.0630481,,2025-09-10 08:18:09.0113978,2025-09-10 08:18:20.0630481,2025-09-10 08:18:09.0113978,2025-09-10 08:18:20.0630481,2025-09-10 08:28:36.5795169,2025-09-10 08:18:20.0630481,1929785464,8207896129,1019,,,,.\MFT_COPY
252220,2,True,252216,2,.\Users\tsshimizu\Desktop\Tor Browser\0010,CSG2025_Forensic_Challenge.pdb,.pdb,12628,1,,False,False,False,False,False,True,Archive,Windows,2025-09-10 08:18:20.1259960,,2025-09-10 08:18:09.0083981,2025-09-10 08:18:20.1259960,2025-09-10 08:18:09.0083981,2025-09-10 08:18:20.1259960,2025-09-10 08:18:20.1259960,,1929786064,8206831439,1019,,,,.\MFT_COPY
252221,2,True,252216,2,.\Users\tsshimizu\Desktop\Tor Browser\0010,CSG2025_Forensic_Challenge.runtimeconfig.json,.json,340,1,,False,False,False,False,False,True,Archive,Windows,2025-09-10 08:18:20.1410103,,2025-09-10 08:18:09.0214001,2025-09-10 08:18:20.1410103,2025-09-10 08:18:09.0214001,2025-09-10 08:18:20.1410103,2025-09-10 08:28:34.4952115,2025-09-10 08:18:20.1410103,1929786792,8207490977,1019,,,,.\MFT_COPY

So we are likely being pointed to the CSG2025_Forensic_Challenge.exe created by C:\Users\tsshimizu\Desktop\Tor Browser\0010\CSG2025_Forensic_Challenge.exe which has PID 4836. We can dump it from the memory dump as follows:

vol -f "./memdump.mem" windows.memmap --pid 4836 --dump

Now if we do strings on the binary we would see many references to .NET, which prompts us to use dnspy to analyse the binary.

Now if we inspect the dumped .exe and .dll, there doesn't seem to be much in the exe. However, the dll seems to have several references to .NET, so we can try using dnspy to decompile it.

However, the DLL seemed to be corrupted, and dnspy refused to analyse it:

Now we try the volatility windows.dlllist plugin, which should show us all the exes and dlls.

elijah@soyabean:/mnt/c/Users/chiae/Downloads/cyberseagames/sierra_leone_simple_forens/memdump$ vol -f ./memdump.mem windows.dlllist | grep CSG
4836ressCSG2025_Forens  0x7ff7eb0b0000  0x27000 CSG2025_Forensic_Challenge.exe  C:\Users\tsshimizu\Desktop\Tor Browser\0010\CSG2025_Forensic_Challenge.exe      2025-09-10 10:48:46.000000 UTC  Disabled
4836    CSG2025_Forens  0x10f85c10000   0x8000  CSG2025_Forensic_Challenge.dll  C:\Users\tsshimizu\Desktop\Tor Browser\0010\CSG2025_Forensic_Challenge.dll      2025-09-10 10:48:46.000000 UTC  Disabled

This shows us that the offset of CSG2025_Forensic_Challenge.dll is 0x10f85c10000. We can dump it using the command

vol -f ./memdump.mem windows.dlllist --pid 4836 --base 0x10f85c10000 --dump

Now we've successfully obtained the uncorrupted dll, and can use dnspy to analyse it.

We see the following functions:

private static void <Main>$(string[] args)
{
	CSG2025_FC_Crypto csg2025_FC_Crypto = new CSG2025_FC_Crypto("12021e082708132b341a01182416341b063f365b21282631242340433f39311e", "2a3c240a25323923372027002216010e043c185c08175158");
	new CSG2025_FC_Srv().RemoteShell(54321, csg2025_FC_Crypto);
}

using System;
using System.IO;
using System.Runtime.CompilerServices;
using System.Security.Cryptography;
using System.Text;

namespace CSG2025_Forensic_Challenge
{
	// Token: 0x02000003 RID: 3
	[NullableContext(1)]
	[Nullable(0)]
	public class CSG2025_FC_Crypto
	{
		// Token: 0x06000003 RID: 3 RVA: 0x00002088 File Offset: 0x00002088
		public CSG2025_FC_Crypto()
		{
			string text = "1002284436093a572e2b19343d0227392b3e25272228363d26320d3e33283916";
			string text2 = "173c02430e092a121c3520172939025a3c1210100e215158";
			this.key = Encoding.UTF8.GetBytes(this.AdvancedDecode(text));
			this.iv = Encoding.UTF8.GetBytes(this.AdvancedDecode(text2));
		}

		// Token: 0x06000004 RID: 4 RVA: 0x000020D5 File Offset: 0x000020D5
		public CSG2025_FC_Crypto(string encoded_key, string encoded_iv)
		{
			this.key = Encoding.UTF8.GetBytes(this.AdvancedDecode(encoded_key));
			this.iv = Encoding.UTF8.GetBytes(this.AdvancedDecode(encoded_iv));
		}

		// Token: 0x06000005 RID: 5 RVA: 0x0000210C File Offset: 0x0000210C
		public string obfuscate(string plainText)
		{
			string text;
			using (Aes aes = Aes.Create())
			{
				aes.Key = this.key;
				aes.IV = this.iv;
				ICryptoTransform cryptoTransform = aes.CreateEncryptor(aes.Key, aes.IV);
				using (MemoryStream memoryStream = new MemoryStream())
				{
					using (CryptoStream cryptoStream = new CryptoStream(memoryStream, cryptoTransform, CryptoStreamMode.Write))
					{
						using (StreamWriter streamWriter = new StreamWriter(cryptoStream))
						{
							streamWriter.Write(plainText);
						}
						text = Convert.ToBase64String(memoryStream.ToArray());
					}
				}
			}
			return text;
		}

		// Token: 0x06000006 RID: 6 RVA: 0x000021DC File Offset: 0x000021DC
		public string Deobfuscate(string encryptedText)
		{
			string text;
			using (Aes aes = Aes.Create())
			{
				aes.Key = this.key;
				aes.IV = this.iv;
				ICryptoTransform cryptoTransform = aes.CreateDecryptor(aes.Key, aes.IV);
				using (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(encryptedText)))
				{
					using (CryptoStream cryptoStream = new CryptoStream(memoryStream, cryptoTransform, CryptoStreamMode.Read))
					{
						using (StreamReader streamReader = new StreamReader(cryptoStream))
						{
							text = streamReader.ReadToEnd();
						}
					}
				}
			}
			return text;
		}

		// Token: 0x06000007 RID: 7 RVA: 0x000022A4 File Offset: 0x000022A4
		public string AdvancedEncode(string input)
		{
			string text = Convert.ToBase64String(Encoding.UTF8.GetBytes(input));
			StringBuilder stringBuilder = new StringBuilder();
			for (int i = 0; i < text.Length; i++)
			{
				stringBuilder.Append(text[i] ^ CSG2025_FC_Crypto.xorKey[i % CSG2025_FC_Crypto.xorKey.Length]);
			}
			string text2 = stringBuilder.ToString();
			StringBuilder stringBuilder2 = new StringBuilder();
			foreach (char c in text2)
			{
				StringBuilder stringBuilder3 = stringBuilder2;
				int num = (int)c;
				stringBuilder3.Append(num.ToString("x2"));
			}
			return stringBuilder2.ToString();
		}

		// Token: 0x06000008 RID: 8 RVA: 0x0000234C File Offset: 0x0000234C
		public string AdvancedDecode(string input)
		{
			StringBuilder stringBuilder = new StringBuilder();
			for (int i = 0; i < input.Length; i += 2)
			{
				stringBuilder.Append((char)Convert.ToInt32(input.Substring(i, 2), 16));
			}
			string text = stringBuilder.ToString();
			StringBuilder stringBuilder2 = new StringBuilder();
			for (int j = 0; j < text.Length; j++)
			{
				stringBuilder2.Append(text[j] ^ CSG2025_FC_Crypto.xorKey[j % CSG2025_FC_Crypto.xorKey.Length]);
			}
			string text2 = stringBuilder2.ToString();
			string text3;
			try
			{
				byte[] array = Convert.FromBase64String(text2);
				text3 = Encoding.UTF8.GetString(array);
			}
			catch (Exception)
			{
				text3 = null;
			}
			return text3;
		}

		// Token: 0x04000001 RID: 1
		private readonly byte[] key;

		// Token: 0x04000002 RID: 2
		private readonly byte[] iv;

		// Token: 0x04000003 RID: 3
		private static readonly string xorKey = "simplekey";
	}
}

public void RemoteShell(int port, CSG2025_FC_Crypto crypto)
{
	TcpListener tcpListener = new TcpListener(IPAddress.Any, port);
	tcpListener.Start();
	bool flag = true;
	CSG2025_FC_Crypto csg2025_FC_Crypto = ((crypto == null) ? new CSG2025_FC_Crypto() : crypto);
	while (flag)
	{
		using (TcpClient tcpClient = tcpListener.AcceptTcpClient())
		{
			using (NetworkStream stream = tcpClient.GetStream())
			{
				using (StreamReader streamReader = new StreamReader(stream))
				{
					using (StreamWriter streamWriter = new StreamWriter(stream)
					{
						AutoFlush = true
					})
					{
						string text;
						while ((text = streamReader.ReadLine()) != null)
						{
							string text2 = text.ToLower().Trim();
							if (!(text2 == "quit") && !(text2 == "q") && (text2 == null || text2.Length != 0))
							{
								if (!(text2 == "flag"))
								{
									string text3 = this.ExecuteCommand(text);
									streamWriter.WriteLine(csg2025_FC_Crypto.obfuscate(text3));
								}
								else
								{
									streamWriter.WriteLine(csg2025_FC_Crypto.Deobfuscate("8I8UA7wRkZlDgKEN0EAtic6wcVhGpuW7avv3xEemfliBAYXtpgJhNukG9tm7wRod"));
								}
							}
							else
							{
								flag = false;
							}
						}
					}
				}
			}
		}
	}
}

Here are the important values:

ciphertext: 8I8UA7wRkZlDgKEN0EAtic6wcVhGpuW7avv3xEemfliBAYXtpgJhNukG9tm7wRod

key: AdvancedDecode("12021e082708132b341a01182416341b063f365b21282631242340433f39311e")

iv: AdvancedDecode("2a3c240a25323923372027002216010e043c185c08175158")

xokey: simplekey

All AdvancedDecode does is convert the key or iv string from hex to bytes, then xors it with the xorkey and converts it from base64.

public string AdvancedDecode(string input)
{
	StringBuilder stringBuilder = new StringBuilder();
	for (int i = 0; i < input.Length; i += 2)
	{
		stringBuilder.Append((char)Convert.ToInt32(input.Substring(i, 2), 16));
	}
	string text = stringBuilder.ToString();
	StringBuilder stringBuilder2 = new StringBuilder();
	for (int j = 0; j < text.Length; j++)
	{
		stringBuilder2.Append(text[j] ^ CSG2025_FC_Crypto.xorKey[j % CSG2025_FC_Crypto.xorKey.Length]);
	}
	string text2 = stringBuilder2.ToString();
	string text3;
	try
	{
		byte[] array = Convert.FromBase64String(text2);
		text3 = Encoding.UTF8.GetString(array);
	}
	catch (Exception)
	{
		text3 = null;
	}
	return text3;
}

Now we need to find out how to perform the AES decryption. According to https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesmanaged.mode?view=net-9.0, the default AES mode is CBC.

public string Deobfuscate(string encryptedText)
{
	string text;
	using (Aes aes = Aes.Create())
	{
		aes.Key = this.key;
		aes.IV = this.iv;
		ICryptoTransform cryptoTransform = aes.CreateDecryptor(aes.Key, aes.IV);
		using (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(encryptedText)))
		{
			using (CryptoStream cryptoStream = new CryptoStream(memoryStream, cryptoTransform, CryptoStreamMode.Read))
			{
				using (StreamReader streamReader = new StreamReader(cryptoStream))
				{
					text = streamReader.ReadToEnd();
				}
			}
		}
	}
	return text;
}

We can see that the ct is converted from base64, then aes decryption is performed using CBC mode.

Now, we have all the pieces needed to decrypt the flag:

from pwn import * 
from base64 import b64decode
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

ct = "8I8UA7wRkZlDgKEN0EAtic6wcVhGpuW7avv3xEemfliBAYXtpgJhNukG9tm7wRod"
key = "12021e082708132b341a01182416341b063f365b21282631242340433f39311e"
iv = "2a3c240a25323923372027002216010e043c185c08175158"
xorkey = b'simplekey'

key_bytes = bytes.fromhex(key)
key_bytes = xor(key_bytes, xorkey)
real_key = b64decode(key_bytes.decode())
print(f"real key: {real_key}")

iv_bytes = bytes.fromhex(iv)
iv_bytes = xor(iv_bytes, xorkey)
real_iv = b64decode(iv_bytes.decode())
print(f"real iv: {real_iv}")

cipher = AES.new(real_key, AES.MODE_CBC, iv=real_iv)
ct = b64decode(ct)
pt = cipher.decrypt(ct)
pt = unpad(pt, AES.block_size).decode()
print(f"plaintext: {pt}")

The plaintext is b'aB!3dE#5fG@7hI^9jK&1lM*2nO(4pQ)6rS-8tU_0vW+z' which is the flag!

Last updated 3 months ago