Day 11
Volatility Foundation GitHub Repository

What is the Windows version number that the memory image captured?

```
cmnatic@aoc2022-day-11:~/volatility3$ python3 vol.py -f workstation.vmem windows.info
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
Variable        Value

Kernel Base     0xf803218a8000
DTB     0x1ad000
Symbols file:///home/ubuntu/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/E0093F3AEF15D58168B753C9488A4043-1.json.xz
Is64Bit True
IsPAE   False
layer_name      0 WindowsIntel32e
memory_layer    1 FileLayer
KdVersionBlock  0xf80321cd23c8
Major/Minor     15.18362
MachineType     34404
KeNumberProcessors      4
SystemTime      2022-11-23 10:15:56
NtSystemRoot    C:\Windows
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine      34404
PE TimeDateStamp        Mon Apr 14 21:36:50 2104
```

-> Major version = 10 (from the NtMajorVersion row).
What is the name of the binary/gift that secret Santa left?

```
cmnatic@aoc2022-day-11:~/volatility3$ python3 vol.py -f workstation.vmem windows.psscan
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

2040    5888    mysterygift.ex  0xc0090b52e4c0  3       -       1       False   2022-11-23 10:15:19.000000      N/A     Disabled
```

Note that the ImageFileName column comes from the 15-byte EPROCESS field, so names longer than 14 characters are cut off in this output.

What is the Process ID (PID) of this binary?

The answer is in the previous psscan output: the PID column for that process shows 2040.
Dump the contents of this binary. How many files are dumped?

```
python3 vol.py -f workstation.vmem windows.dumpfiles --pid 2040
```
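The three steps above (read the OS version from windows.info, locate the process in windows.psscan, then dump its files by PID) are easy to script once you parse Volatility 3's tab-separated text output. The following is an added example, not part of the original writeup or of the Volatility project: it parses the two outputs, answers the questions from the parsed data, handles the 14-character ImageFileName truncation, and flags processes whose parent is missing from the scan. The sample output is constructed from the values shown on the page, with a System and explorer.exe row made up to exercise the parser; `windows.dumpfiles --pid` also dumps the file objects the process has open or mapped, so the number of files written is larger than one.

```python
"""Parse Volatility 3 windows.info / windows.psscan text output.

Added example (not the writeup's or Volatility's own code). Volatility 3's
default text renderer separates columns with tabs, which is what we split on.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of windows.info output (values copied from the page).
INFO_OUTPUT = """Volatility 3 Framework 2.4.1
Progress:  100.00\t\tPDB scanning finished
Variable\tValue

Kernel Base\t0xf803218a8000
DTB\t0x1ad000
Is64Bit\tTrue
Major/Minor\t15.18362
SystemTime\t2022-11-23 10:15:56
NtSystemRoot\tC:\\Windows
NtMajorVersion\t10
NtMinorVersion\t0
"""

# Constructed sample of windows.psscan output. The mysterygift.ex row is from
# the page; the System and explorer.exe rows are made up for the example.
PSSCAN_OUTPUT = """Volatility 3 Framework 2.4.1
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0xc0090a0a8040\t152\t-\tN/A\tFalse\t2022-11-23 10:10:01.000000\tN/A\tDisabled
5888\t4812\texplorer.exe\t0xc0090b2a0080\t40\t-\t1\tFalse\t2022-11-23 10:12:33.000000\tN/A\tDisabled
2040\t5888\tmysterygift.ex\t0xc0090b52e4c0\t3\t-\t1\tFalse\t2022-11-23 10:15:19.000000\tN/A\tDisabled
"""

# EPROCESS.ImageFileName is 15 bytes including the NUL terminator, so psscan
# can only show the first 14 characters of a process name.
IMAGE_NAME_MAX = 14


@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    offset: int
    threads: Optional[int]
    create_time: Optional[str]
    exit_time: Optional[str]


def _rows_after_header(text: str, header_prefix: str) -> List[List[str]]:
    """Return tab-split rows that follow the header line starting with header_prefix."""
    rows, in_table = [], False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith(header_prefix)
            continue
        if line.strip():
            rows.append(line.split("\t"))
    return rows


def parse_info(text: str) -> Dict[str, str]:
    """Turn the windows.info Variable/Value table into a dict."""
    info = {}
    for row in _rows_after_header(text, "Variable\t"):
        info[row[0]] = row[1]
    return info


def windows_version(info: Dict[str, str]) -> str:
    """Major.minor version as reported by the kernel (e.g. '10.0')."""
    return f"{info['NtMajorVersion']}.{info['NtMinorVersion']}"


def _opt_int(value: str) -> Optional[int]:
    return None if value in ("-", "N/A") else int(value)


def _opt_str(value: str) -> Optional[str]:
    return None if value == "N/A" else value


def parse_psscan(text: str) -> List[Process]:
    """Parse windows.psscan rows into Process records."""
    procs = []
    for row in _rows_after_header(text, "PID\t"):
        pid, ppid, name, offset, threads, _h, _s, _w, ctime, etime, *_ = row
        procs.append(Process(int(pid), int(ppid), name, int(offset, 16),
                             _opt_int(threads), _opt_str(ctime), _opt_str(etime)))
    return procs


def find_by_name(procs: List[Process], full_name: str) -> List[Process]:
    """Match a full executable name against the truncated psscan column."""
    wanted = full_name[:IMAGE_NAME_MAX]
    return [p for p in procs if p.name == wanted]


def orphans(procs: List[Process]) -> List[int]:
    """PIDs whose parent is not in the scan (parent exited or was not found)."""
    known = {p.pid for p in procs}
    return [p.pid for p in procs if p.ppid != 0 and p.ppid not in known]


def dumpfiles_argv(image: str, pid: int) -> List[str]:
    """Build the windows.dumpfiles command line for a given PID."""
    return ["python3", "vol.py", "-f", image, "windows.dumpfiles", "--pid", str(pid)]


if __name__ == "__main__":
    info = parse_info(INFO_OUTPUT)
    procs = parse_psscan(PSSCAN_OUTPUT)
    print("Windows version:", windows_version(info))
    for p in find_by_name(procs, "mysterygift.exe"):
        print("gift process:", p.pid, "parent:", p.ppid)
        print(" ".join(dumpfiles_argv("workstation.vmem", p.pid)))
    print("orphaned PIDs:", orphans(procs))
```

Because `find_by_name` compares against the truncated column, searching for "mysterygift.exe" still matches the "mysterygift.ex" row; confirm the full name afterwards with a plugin that reads the process's command line or its PEB path rather than the EPROCESS name field.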