We’re testing our Memory Analysis package (currently in beta) against various challenges available online.

We found this challenge on the Memory Forensic site, so credit goes to them for highlighting it and to CyberDefenders for creating it in the first place.

The scenario is as follows:

“A SOC analyst took a memory dump from a machine infected with a meterpreter malware. As a Digital Forensicators, your job is to analyze the dump, extract the available indicators of compromise (IOCs) and answer the provided questions.”

While there are many questions to be answered in this CTF challenge, we limit ourselves to extracting the flag from the user-mode memory of the Notepad process.