Memory Challenge 6: Injector
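While testing a memory analysis package, we came across a CTF challenge that requires extracting shellcode from the memory image of a compromised web server and analyzing the attacker's behavior. 2025-10-30 10:31:41 Author: blog.cerbero.io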

We’re testing our Memory Analysis package (currently in beta) against various challenges available online.

We found this challenge on the Memory Forensic site, so credit goes to them for highlighting it and to CyberDefenders for creating it in the first place.

The scenario is as follows:

“A company’s web server has been breached through their website. Our team arrived just in time to take a forensic image of the running system and its memory for further analysis. As a soc analyst, you are tasked with mounting the image to determine how the system was compromised and the actions/commands the attacker executed.”

While there are many questions to answer in this CTF challenge, we focus on extracting the shellcode from the Apache logs. One particularly cool aspect of this challenge is that Cerbero Suite can handle both the analysis of the memory dump and the mounting of the NTFS partition to inspect the logs within the same workspace.


Source: https://blog.cerbero.io/memory-challenge-6-injector/