Not supported (Forensics)
The challenge was quite straightforward (as mentioned in the challenge itself); it involved a memory dump file. Initially, I listed the running processes and identified the Notepad process, copying its PID:
```shell
vol -f memdump.mem windows.pslist.PsList
```
Subsequently, I dumped the content of that process:
```shell
vol -f memdump.mem windows.memmap.Memmap --pid 6028 --dump
```
Upon conducting some online research, I discovered that Notepad stores its data in little-endian format:
```shell
strings -e l pid.6028.dmp | grep -in 'bhf'
```
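The last step works because Notepad keeps its edit buffer as 16-bit little-endian text, so each ASCII character lands in memory as a byte followed by a null byte and the plain `strings` command skips it. The following Python script is an added example, not part of the original write-up or of Volatility: it reimplements what `strings -e l | grep -i` does over a constructed byte blob that mimics a few bytes of a process dump (the blob, the offsets and the text it contains are made up for the example; only the search term `bhf` comes from the write-up).

```python
import re
from typing import Iterator

# Constructed sample of what a dumped Notepad buffer looks like: UTF-16LE text
# (ASCII letters interleaved with null bytes) surrounded by arbitrary junk.
# The 8-bit string in the middle is there to show that a 16-bit scan ignores it,
# just as `strings -e l` ignores it.
SAMPLE_DUMP = (
    b"\x00\x13\x37\xff"                                   # junk, offset 0
    + "flag{example_not_from_the_page}".encode("utf-16-le")  # UTF-16LE, offset 4
    + b"\x00\x00\x90\x90"                                 # junk
    + b"plain ascii string"                               # 8-bit text, not reported
    + b"\x00\x00"
    + "BHF token".encode("utf-16-le")                     # UTF-16LE, offset 90
    + b"\xde\xad"
)


def utf16le_strings(data: bytes, min_len: int = 4) -> Iterator[tuple[int, str]]:
    """Yield (offset, text) for every run of at least `min_len` printable
    UTF-16LE characters, which is what `strings -e l` reports.
    Each character is a printable ASCII byte (0x20-0x7e) followed by 0x00."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for match in pattern.finditer(data):
        yield match.start(), match.group().decode("utf-16-le")


def grep_utf16le(data: bytes, needle: str) -> list[tuple[int, str]]:
    """Case-insensitive filter over the extracted strings, the equivalent of
    piping the output into `grep -i`. Returns (offset, text) pairs."""
    needle = needle.lower()
    return [(off, text) for off, text in utf16le_strings(data) if needle in text.lower()]


if __name__ == "__main__":
    # Print every 16-bit string with its offset, then the filtered hits.
    for off, text in utf16le_strings(SAMPLE_DUMP):
        print(f"0x{off:08x}: {text}")
    print(grep_utf16le(SAMPLE_DUMP, "bhf"))
```

On a real dump you would read the `pid.<PID>.dmp` file into `data` instead of `SAMPLE_DUMP`; the scan is a single regex pass, so it copes with files of a few hundred megabytes, and lowering `min_len` trades more noise for shorter hits, exactly like the `-n` option of `strings`.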
This post is licensed under CC BY 4.0 by the author.