Shearwater AusCert 2016 CTF

GAME OF MEMORY (500 pts)

1337 and 100 work for the same company; they sit across from each other on the same network. 100 is working on building a challenge for Shearwater's AusCert CTF. 1337 wasn't allowed to be part of the build team and, being spiteful, decides to sabotage it. 100 needs proof that 1337 sabotaged the team. Can you help find the proof?

Question 1: 100 pts. What is the malicious process PID, at what time did the malicious process start, and what is its parent process PID? The flag must be...

Analysing Android memory Dump

This post is about analysing an Android memory dump that was taken while the device was doing something malicious that was not known to me. As I go through the memory I'll try to dig as deep as I can to figure out what malicious activities were going on, and how and when they were executed.

Memory Dump: "Will Provide Link"

Prerequisites:
Linux machine (I'll be using my custom pentestOS on Linux Mint)
Volatility with the goldfish profile configured

Analysing Memory:

I started by dumping the list of processes from the memory dump:

vol.py -f memory.dmp --profile=Linuxgoldfish-2_6_29ARM linux_pslist

pslist-output.txt: Link-pslist (inactive)

Processes with PIDs 47, 1255, 1454...