Introduction
The supplied memory image was captured on a compromised machine; analyze it to answer the questions (the same image is used for the four forensic tests, so there is no need to download it several times).
One of the machine's users visited several websites about an incident involving a showbiz personality. The validation key is the FirstnameLastname of this personality.
dump.gz (md5sum:1273931ce359f59bce95ce4507e1f4bf)
Information
We must look for information about a showbiz star in the user's browser history.
First, we will try our dear friend volatility to search the IE and Firefox history.
Nothing there, so we will try searching for the major search engines directly in the strings of the memory image:
strings dump | egrep 'google|bing'
It gives some results but nothing concrete; let's test one last search engine:
strings dump | grep 'yahoo'
And then what do we see in the output?
...
A https://fr.cinema.yahoo.com/actualite/crash-avion-harrison-ford-blesse-070221947.html?vp=1MzMEYQMwNjAzMTVfbW92aWVzX002aW5mb19oYXJyaXNvbl9mb3JkX2JsZXNzZV9jcmFzaF9hdmlvbl9pbmZfdmlkZW8EYWlkA2lkLTc1MTg4NQRjY29kZQNwX2ZyX2ZyX3BvMV9vcjFfZHcEY3BvcwMxBGcDNDI3YTI0OTctNWEyMC0zYzZhLWIxZmEtYWU1NDVlMWIzMjM1BGludGwDZnIEaXRjAzAEbHR4dANIYXJyaXNvbkZvcmRibGVzc8OpBHBrZ3YDNQRwb3MDMARyA1QwQzAzMTE2RDkyMzk5BHNlYwN0ZC1mZWF0BHNsawN0aHVtYmxpbmsEdGFyA2ZyLmNpbmVtYS55YWhvby5jb20EdGVzdAM5MDU-/RV=1/RE=1426840971/RH=aHNyZC55YWhvby5jb20-
...
Flag is "HarrisonFord".
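As an added example (not part of the original writeup), a small Python carver that does the same job as the strings | grep step above, but also recovers UTF-16LE URLs, which plain strings skips unless run with -e l; the sample buffer and the URLs in it are constructed, not taken from the dump.

```python
import re
import sys
from typing import List

# Constructed stand-in for the memory image: ASCII URLs and one UTF-16LE URL
# separated by binary noise, mimicking browser-history fragments on a heap.
SAMPLE_DUMP = (
    b"\x00\x01noise\xffhttps://fr.cinema.yahoo.com/actualite/crash-avion.html\x00"
    + b"https://example.org/page\x00"
    + b"\x90" * 8
    + "http://www.bing.com/search?q=test".encode("utf-16-le")
    + b"\x00\x00"
    + b"https://www.google.fr/search?q=memory+forensics\x00garbage"
)

SEARCH_ENGINES = ("google", "bing", "yahoo")

# ASCII URL: scheme, then printable non-space bytes up to a NUL or other junk.
ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")
# Same shape in UTF-16LE: every ASCII character is followed by a NUL byte.
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def carve_urls(data: bytes) -> List[str]:
    """Return every URL found in data, ASCII hits first, then UTF-16LE hits."""
    urls = [m.group(0).decode("ascii") for m in ASCII_URL.finditer(data)]
    urls += [m.group(0).decode("utf-16-le") for m in UTF16_URL.finditer(data)]
    return urls


def search_engine_hits(data: bytes, engines=SEARCH_ENGINES) -> List[str]:
    """Keep only carved URLs whose host names one of the search engines."""
    hits = []
    for url in carve_urls(data):
        host = url.split("://", 1)[1].split("/", 1)[0].lower()
        if any(engine in host for engine in engines):
            hits.append(url)
    return hits


if __name__ == "__main__":
    # Pass the decompressed dump path to scan a real image; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for url in search_engine_hits(data):
        print(url)
```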