Mem_Ghost in the Drive
Memory forensics writeup for recovering a previous DumpIt memory capture filename from Windows RAM.
Overview
Mem_Ghost in the Drive required analysis of a Windows memory image to locate a previous memory capture that was still referenced in RAM. The expected answer was the filename of that previous capture, submitted using the event flag format.
Challenge Name: Mem_Ghost in the Drive
Category: Memory Forensics
Points: 150
Final Artifact: Previous DumpIt memory capture filename
Final Flag: ROBOFEST{2pac-20190626-122526.raw}
Objective
The goal was to recover the filename of a prior DumpIt memory capture from the memory image. Since the system was Windows-based, the investigation focused on UTF-16LE-encoded strings, file paths, and artifacts containing DumpIt-style raw memory capture filenames.
Methodology
Windows stores file paths and command-line artifacts in memory as UTF-16LE, so each ASCII character is followed by a NUL byte. A default strings pass (8-bit characters only) therefore sees such a path as a sequence of one-character strings and drops it below the minimum length. The analysis instead used the 16-bit little-endian mode of GNU strings (-el), scanned the whole image (-a) with a six-character minimum (-n 6), and filtered the output for DumpIt paths and the timestamped 2PAC-YYYYMMDD-HHMMSS.raw naming pattern.
strings -a -el -n 6 Shadow_Memory.raw \
| grep -iE 'dumpit|2pac-[0-9]{8}-[0-9]{6}\.raw'
Evidence
The string extraction produced multiple filename candidates. The strongest hit was a full path under the user profile Desktop DumpIt folder.
c:\users\eminem\desktop\dumpit\2pac-20190626-122526.raw
2PAC-20190629-072925.raw
2PAC-20190625-132823.raw
\Users\eminem\Desktop\DumpIt\2PAC-20190629-072925.raw
The June 29 filename carries the newest timestamp of the three and corresponded to the acquisition the scenario refers to as current, so it was not the previous capture. The June 26 filename appeared as a complete DumpIt path under the user's profile, making it the strongest candidate for the previous capture.
Candidate Evaluation
2PAC-20190629-072925.raw: current acquisition timeframe; excluded as the previous capture.
2PAC-20190625-132823.raw: stale directory or MFT-style fragment; weaker context.
2pac-20190626-122526.raw: full path under c:\users\eminem\desktop\dumpit\; best-supported answer.
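The two points above, that a UTF-16LE path is invisible to an 8-bit strings pass and that the previous capture is the newest DumpIt timestamp below the current acquisition, as an added example that is not code from the original writeup. It runs against a constructed byte buffer standing in for a slice of the image (not data from Shadow_Memory.raw), reimplements the ASCII and -el behaviour of strings, ranks every DumpIt-style name by the timestamp embedded in it, and records whether the name was seen as part of a full path; the helper names are this example's own.

```python
#!/usr/bin/env python3
"""Added example: ASCII vs UTF-16LE string extraction and timestamp ranking
of DumpIt-style filenames. Operates on a constructed buffer only."""
import re
from datetime import datetime

# Constructed stand-in for a slice of RAM (not from the real image): a
# UTF-16LE full path as Windows stores it, an ASCII-only bare filename such
# as an on-disk structure might hold, a second UTF-16LE path, and binary
# padding between them.
SAMPLE = (
    b"\x00\x07\xff\x11"
    + "c:\\users\\eminem\\desktop\\dumpit\\2pac-20190626-122526.raw".encode("utf-16le")
    + b"\x00\x00\x90\x90"
    + b"2PAC-20190629-072925.raw"
    + b"\x00\xde\xad"
    + "\\Users\\eminem\\Desktop\\DumpIt\\2PAC-20190625-132823.raw".encode("utf-16le")
    + b"\x00\x00"
)

# DumpIt naming pattern used in this scenario: <host>-YYYYMMDD-HHMMSS.raw
DUMPIT_NAME = re.compile(r"2pac-(\d{8})-(\d{6})\.raw", re.IGNORECASE)


def ascii_strings(data, min_len=6):
    """Equivalent of `strings -n 6`: runs of printable 8-bit ASCII."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def utf16le_strings(data, min_len=6):
    """Equivalent of `strings -el -n 6`: printable ASCII, each byte followed by NUL."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16le") for m in re.finditer(pat, data)]


def dumpit_candidates(found):
    """Map each DumpIt-style name (case-folded, NTFS is case-insensitive) to its
    parsed timestamp and whether it was ever seen as part of a full path."""
    cands = {}
    for s in found:
        for m in DUMPIT_NAME.finditer(s):
            name = m.group().lower()
            ts = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
            entry = cands.setdefault(name, {"timestamp": ts, "full_path": False})
            entry["full_path"] = entry["full_path"] or ("\\" in s[: m.start()])
    return cands


def previous_capture(found):
    """Treat the newest timestamp as the current acquisition and return the
    next-newest name as the previous capture; a full-path hit wins ties."""
    cands = dumpit_candidates(found)
    ordered = sorted(
        cands.items(),
        key=lambda kv: (kv[1]["timestamp"], kv[1]["full_path"]),
        reverse=True,
    )
    if len(ordered) < 2:
        return None
    (current, _), (previous, prev_info) = ordered[0], ordered[1]
    return {
        "current": current,
        "previous": previous,
        "previous_has_full_path": prev_info["full_path"],
    }


if __name__ == "__main__":
    # The ASCII pass only sees the bare June 29 name; the -el pass recovers
    # both full paths, which is where the June 26 candidate comes from.
    print("ascii:", ascii_strings(SAMPLE))
    print("utf16le:", utf16le_strings(SAMPLE))
    print(previous_capture(ascii_strings(SAMPLE) + utf16le_strings(SAMPLE)))
```

The ranking deliberately keeps the full-path flag separate from the timestamp order: the timestamp decides which capture is previous, while the flag records how well that name is supported by context, which is the same two-step argument the candidate evaluation above makes by hand.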
Cleaner Extraction
strings -a -el -n 6 Shadow_Memory.raw \
| grep -ioE '2pac-[0-9]{8}-[0-9]{6}\.raw' \
| sort -fu
2PAC-20190625-132823.raw
2pac-20190626-122526.raw
2PAC-20190629-072925.raw
Reproducible Python Extractor
#!/usr/bin/env python3
import re
from pathlib import Path

data = Path("Shadow_Memory.raw").read_bytes()

# UTF-16LE: every character of interest is followed by a NUL byte.
# The optional prefix captures the path components in front of the
# filename. Its character class must include the backslash; without it
# the match can only start at the filename and the full path is never
# recovered. Raw bytes literals keep the regex escapes readable.
pattern = re.compile(
    rb"(?:[A-Za-z0-9_:.\\-]\x00){0,120}"
    rb"2\x00[Pp]\x00[Aa]\x00[Cc]\x00-\x00"
    rb"(?:[0-9]\x00){8}-\x00(?:[0-9]\x00){6}"
    rb"\.\x00[Rr]\x00[Aa]\x00[Ww]\x00"
)

hits = set()
for match in pattern.finditer(data):
    text = match.group().decode("utf-16le", errors="ignore")
    # Prefer a drive-letter path, then a profile-relative path,
    # and fall back to the bare filename.
    low = text.lower()
    idx = low.find("c:\\")
    if idx == -1:
        idx = low.find("\\users\\")
    if idx == -1:
        idx = low.find("2pac-")
    if idx != -1:
        hits.add(text[idx:])

for hit in sorted(hits, key=str.lower):
    print(hit)
Conclusion
The previous memory capture filename was 2pac-20190626-122526.raw. This conclusion is supported by the recovered full DumpIt path and by excluding the current June 29 acquisition artifact.
ROBOFEST{2pac-20190626-122526.raw}