Nullcon HackIM 2015: Forensics 500 writeup

To complete this level I have to find the size of a pagefile stored inside a 4 GB file.

First of all, I tried to understand what kind of file this is:

python filehunter.py -l Image

There is an ELF header at the beginning, and FileHunter reveals some more info about it:

python filehunter.py -d 0 ELF Image

Hmm, the types of the first three entries look fine, but the last one seems odd. What's 'pmem'?
Looking at its start offset, I hoped to find a familiar header:

python filehunter.py -sb 0x7ff7e120 Image

WinPMEM was used to dump the memory. This tool can also acquire the pagefile, and it is included in the Rekall Memory Forensic Framework. To get the right answer for this forensics level I used Rekall:

rekal.exe -f Image / pagefiles

The '-f' option loads the image file. Once the file was loaded I ran the 'pagefiles' command, and Rekall showed the size of the pagefile: 2146951168

Flag is: flag{2146951168}

PS. Look at the end of the Image file: there is another pmem header showing the answer. 500 points in a few seconds… easy money!

# PMEM
---
PreviousHeader: 0x7ff7e120
PagefileOffset: 0x7ff7e1f5
PagefileSize: 0x7ff7e000
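The two checks above (is the file an ELF, and where is the pmem header) can be scripted without FileHunter or Rekall. The script below is an added example written for this writeup; it is not filehunter.py, WinPMEM or Rekall code. It assumes only what the page shows: the pmem metadata starts with a `# PMEM` line followed by a `---` line, and each following line is `Key: 0x<hex>`. The `SAMPLE_IMAGE` bytes are constructed here (a minimal ELF64 header, padding, and a trailing pmem block with the values from the page), not the real 4 GB Image. Since pmem headers carry a `PreviousHeader` field, the scanner collects every header it finds and the size is read from the last one, which is the one the PS points at.

```python
import re

ELF_MAGIC = b"\x7fELF"
PMEM_MARKER = b"# PMEM\n---\n"
# One "Key: value" line of the pmem YAML block; values are hex or decimal.
FIELD_RE = re.compile(rb"^([A-Za-z]+):\s*(0x[0-9a-fA-F]+|\d+)\s*$")
# Only this many bytes after the marker are parsed; a real image is huge.
FIELD_WINDOW = 4096

# Constructed sample, NOT the CTF Image: 64-byte ELF header (magic, class=2
# for 64-bit, data=1 for little-endian, version=1, zeros), some padding,
# then a pmem block using the page's values, then trailing zeros.
SAMPLE_IMAGE = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57
    + b"\x00" * 4096
    + b"# PMEM\n---\n"
    b"PreviousHeader: 0x7ff7e120\n"
    b"PagefileOffset: 0x7ff7e1f5\n"
    b"PagefileSize: 0x7ff7e000\n"
    + b"\x00" * 16
)


def identify(data: bytes) -> str:
    """Describe the leading magic: the step 'what kind of file is this'."""
    if data[:4] != ELF_MAGIC:
        return "unknown"
    bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown class")
    endian = {1: "little-endian", 2: "big-endian"}.get(data[5], "unknown endianness")
    return f"ELF ({bits}, {endian})"


def find_pmem_headers(data: bytes) -> list:
    """Return [(offset, {field: int})] for every pmem YAML block in data."""
    results = []
    start = 0
    while True:
        idx = data.find(PMEM_MARKER, start)
        if idx < 0:
            break
        body_start = idx + len(PMEM_MARKER)
        fields = {}
        # Parse lines until the first one that is not a Key: value pair.
        for line in data[body_start:body_start + FIELD_WINDOW].split(b"\n"):
            m = FIELD_RE.match(line)
            if not m:
                break
            fields[m.group(1).decode()] = int(m.group(2).decode(), 0)
        results.append((idx, fields))
        start = body_start
    return results


def pagefile_size(data: bytes) -> int:
    """Size in bytes from the last pmem header, as an integer."""
    headers = find_pmem_headers(data)
    if not headers:
        raise ValueError("no pmem header found")
    offset, fields = headers[-1]
    if "PagefileSize" not in fields:
        raise ValueError(f"pmem header at {offset:#x} has no PagefileSize")
    return fields["PagefileSize"]


def flag_for(size: int) -> str:
    """The level wants the decimal size wrapped in flag{...}."""
    return f"flag{{{size}}}"


if __name__ == "__main__":
    print(identify(SAMPLE_IMAGE))
    for off, fields in find_pmem_headers(SAMPLE_IMAGE):
        print(f"pmem header at {off:#x}: {fields}")
    print(flag_for(pagefile_size(SAMPLE_IMAGE)))
```

On the real Image you would read the file in chunks rather than load all 4 GB; `data.find` on a memory-mapped file (`mmap`) works unchanged. Note that 0x7ff7e000 is exactly the 2146951168 that Rekall reported.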

By admin