CTF inter iut 2018 - Find Evil Morty (Forensic)

Recover a file from the user's desktop
evilmorty.dmp

Show me what you got

switch :: ~/CTF/inter_iut/morty » file evilmorty.dmp
evilmorty.dmp: MS Windows 32bit crash dump, PAE, full dump

switch :: ~/CTF/inter_iut/morty » volatility -f evilmorty.dmp --profile=Win7SP1x86_23418 filescan | grep Desktop
Volatility Foundation Volatility Framework 2.6
0x0000000015610038      2      1 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop
0x00000000188c8438      1      1 R--r-- \Device\HarddiskVolume2\Users\Bonjour\Desktop\confidentiel.pdf

switch :: ~/CTF/inter_iut/morty » volatility -f evilmorty.dmp --profile=Win7SP1x86_23418 dumpfiles -Q 0x00000000188c8438 -D .

switch :: ~/CTF/inter_iut/morty » file file.None.0x84f03378.dat
file.None.0x84f03378.dat: PDF document, version 1.4
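
The filescan-then-dumpfiles steps above, scripted as an added example (not part of the original write-up). The function names are hypothetical, the sample input is the two filescan lines shown above, and the script only prints the dumpfiles commands so it runs without Volatility or the dump present.

```shell
#!/bin/sh
# Constructed sample: the banner and the two filescan hits from the write-up.
sample_filescan() {
cat <<'EOF'
Volatility Foundation Volatility Framework 2.6
0x0000000015610038      2      1 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop
0x00000000188c8438      1      1 R--r-- \Device\HarddiskVolume2\Users\Bonjour\Desktop\confidentiel.pdf
EOF
}

# desktop_files: read filescan output on stdin and print "offset<TAB>path"
# for every entry located beneath a user's Desktop folder.
desktop_files() {
    awk '
    $1 ~ /^0x[0-9a-fA-F]+$/ && NF >= 5 {
        off = $1
        path = $0
        # Drop the four leading columns (offset, #Ptr, #Hnd, access) so
        # paths that contain spaces are kept whole.
        sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", path)
        # Keep entries below \Users\<name>\Desktop\ and skip the folder
        # object itself, which a plain "grep Desktop" also matches.
        if (path ~ /\\Users\\[^\\]+\\Desktop\\./)
            printf "%s\t%s\n", off, path
    }'
}

# dump_commands IMAGE PROFILE OUTDIR: turn each hit into the dumpfiles
# command used in the write-up (-Q takes the physical offset from filescan).
dump_commands() {
    desktop_files | while IFS="$(printf '\t')" read -r off path; do
        printf 'volatility -f %s --profile=%s dumpfiles -Q %s -D %s  # %s\n' \
            "$1" "$2" "$off" "$3" "$path"
    done
}

# With a real dump, pipe the live filescan output in instead of the sample.
sample_filescan | dump_commands evilmorty.dmp Win7SP1x86_23418 .
```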