Memory Dump Analysis in Capture The Flag: Using Volatility 3 to Extract Hidden Files

Repository Politeknik Negeri Batam

Date

2024-06-12

Publisher

Politeknik Negeri Batam

Abstract

Computer forensics is the field of study that examines how to uncover, collect, analyze, and present digital evidence from electronic devices. This research focuses on the analysis of memory dumps in Capture The Flag (CTF) cybersecurity competitions, with the aim of uncovering hidden files that an attacker may have concealed in memory. Memory dump analysis is an important technique in digital forensics and security incident investigation because it can reveal suspicious activity and evidence that is not present on storage media. The Volatility Framework is used as the main framework for analyzing the memory dumps. The analysis process follows the general stages of the computer forensics investigation model: acquisition, analysis, and extraction. Volatility plugins and modules such as imageinfo, pslist, cmdline, filescan, and dumpfiles, together with grep, are used to identify suspicious processes, locate hidden files, and recover the passwords required to open encrypted files. The research shows that the Volatility Framework is an effective memory forensics tool for extracting important information from memory dumps, including hidden files, which is highly useful in the context of cybersecurity competitions such as CTF.

Description

This research analyzes memory dumps in Capture The Flag (CTF) cybersecurity competitions using computer forensics techniques. It focuses on uncovering hidden files in memory using the Volatility Framework. The methodology follows the computer forensics investigation model, including acquisition, analysis, and extraction. Various Volatility plugins are used to identify suspicious processes, locate hidden files, and find passwords for encrypted files. The results demonstrate the effectiveness of the Volatility Framework in extracting important information from memory dumps, which is valuable in the context of cybersecurity competitions like CTF.

Keywords

SOCIAL SCIENCES::Statistics, computer and systems science::Informatics; computer and systems science::Information technology; SOCIAL SCIENCES::Social sciences::Education
