MemLabs Writeup using Volatility Labs 4–6

Here we continue with the MemLabs CTFs…

Lab 4 — Obsession: My system was recently compromised. The hacker stole a lot of information, but he also deleted a very important file of mine. I have no idea how to recover it. The only evidence we have at this point in time is this memory dump. Please help me.

  • NOTEPAD.EXE (PID 2724), notepad.exe (PID 2744), NOTEPAD.EXE (PID 1388) and NOTEPAD.EXE (PID 2056)
  • explorer.exe (PID 1580)
  • svchost.exe (PID 2632)
  • WinRAR.exe (PID 2924)
  • WinRAR.exe (PID 3716)
  • GoogleCrashHan (PID 942, 864)
  • firefox.exe (PID 3316, 2968)
  • unnamed process (PID 459832)
  • GoogleUpdate.e (PID 2256)
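Triaging a process list like the one above is easier when the raw plugin output is grouped by image name and folded back into a parent/child tree (the view `pstree` gives). The Python script below is an added example, not part of this writeup or of Volatility itself: it parses Volatility 2 `pslist`-style text, groups PIDs by (case-folded) image name, rebuilds the tree from PPIDs and reports processes whose parent is absent from the list. The sample lines it carries are constructed to mirror the process names listed above; offsets, PPIDs, thread/handle counts and timestamps are made up, and one line is given an empty name field so the parser's handling of that edge case is exercised.

```python
"""Group and tree Volatility 2 ``pslist`` output for quick triage.

Added example for this writeup. SAMPLE_PSLIST is constructed, not the lab's
real output: offsets, PPIDs, counts and timestamps are invented.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed pslist-style output (Volatility 2 column layout). The last
# entry has an empty Name column on purpose.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x85b3a020 System                    4      0     82      514 ------      0 2019-12-24 10:00:00 UTC+0000
0x86a1c030 explorer.exe           1580   1532     30      800      1      0 2019-12-24 10:01:00 UTC+0000
0x86b2d040 svchost.exe            2632    624     10      300      0      0 2019-12-24 10:01:05 UTC+0000
0x86c3e050 NOTEPAD.EXE            2724   1580      1       60      1      0 2019-12-24 10:02:00 UTC+0000
0x86d4f060 notepad.exe            2744   1580      1       60      1      0 2019-12-24 10:02:10 UTC+0000
0x86e50070 NOTEPAD.EXE            1388   1580      1       60      1      0 2019-12-24 10:02:20 UTC+0000
0x86f61080 NOTEPAD.EXE            2056   1580      1       60      1      0 2019-12-24 10:02:30 UTC+0000
0x87072090 WinRAR.exe             2924   1580      5      200      1      0 2019-12-24 10:03:00 UTC+0000
0x871830a0 WinRAR.exe             3716   1580      5      200      1      0 2019-12-24 10:03:30 UTC+0000
0x872940b0 firefox.exe            3316   1580     40      900      1      0 2019-12-24 10:04:00 UTC+0000
0x873a50c0 firefox.exe            2968   3316     20      500      1      0 2019-12-24 10:04:05 UTC+0000
0x874b60d0 GoogleUpdate.e         2256   2200      3      150      0      0 2019-12-24 10:04:10 UTC+0000
0x875c70e0 GoogleCrashHan          942   2256      2       90      0      0 2019-12-24 10:04:12 UTC+0000
0x876d80f0 GoogleCrashHan          864   2256      2       90      0      0 2019-12-24 10:04:13 UTC+0000
0x877e9100                      459832      0      0        0 ------      0
"""


def parse_pslist(text: str) -> list[dict]:
    """Return one dict per process row: offset, name, pid, ppid.

    Rows are recognised by a leading 0x offset, which skips the header and
    separator lines. If the token after the offset is purely numeric the
    Name column was empty and that token is already the PID. Assumes image
    names contain no whitespace.
    """
    procs = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or not toks[0].startswith("0x"):
            continue
        if toks[1].isdigit():  # blank name: PID follows the offset directly
            name, pid, ppid = "", int(toks[1]), int(toks[2])
        else:
            name, pid, ppid = toks[1], int(toks[2]), int(toks[3])
        procs.append({"offset": toks[0], "name": name, "pid": pid, "ppid": ppid})
    return procs


def group_by_name(procs: list[dict]) -> dict[str, list[int]]:
    """Map case-folded image name -> PIDs in list order ("<unnamed>" for blanks)."""
    groups: dict[str, list[int]] = defaultdict(list)
    for p in procs:
        groups[p["name"].lower() or "<unnamed>"].append(p["pid"])
    return dict(groups)


def orphan_processes(procs: list[dict]) -> list[dict]:
    """Processes whose PPID is not itself listed (parent exited or not found).

    System (PID 4) is excluded since its PPID 0 is never a real process.
    """
    pids = {p["pid"] for p in procs}
    return [p for p in procs if p["ppid"] not in pids and p["pid"] != 4]


def render_tree(procs: list[dict]) -> list[str]:
    """Rebuild the parent/child tree from PPIDs, pstree-style dot indentation."""
    pids = {p["pid"] for p in procs}
    children: dict[int, list[dict]] = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p)
    roots = [p for p in procs if p["ppid"] not in pids]
    lines: list[str] = []

    def walk(p: dict, depth: int) -> None:
        lines.append(f"{'. ' * depth}{p['name'] or '<unnamed>'} ({p['pid']})")
        for c in sorted(children[p["pid"]], key=lambda c: c["pid"]):
            walk(c, depth + 1)

    for r in sorted(roots, key=lambda r: r["pid"]):
        walk(r, 0)
    return lines


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for name, pids in sorted(group_by_name(procs).items()):
        print(f"{name}: {pids}")
    print()
    print("\n".join(render_tree(procs)))
    print()
    print("orphans:", [(p["name"] or "<unnamed>", p["pid"]) for p in orphan_processes(procs)])
```

The grouped view reproduces the summary the writeup gives (all four notepad instances under one name regardless of the case the image name was stored with), and the tree shows which of them share a parent. An entry with an empty name that has no parent in the list is the kind of row worth cross-checking with `psscan`, which finds process objects by pool scanning rather than by walking the active-process list that `pslist` relies on.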
