Which memory profile best fits the system?
Win8SP0x64
Win7SP1x86
VistaSP1x64
Win7SP0x86
Win10x86
Win7SP1x64
WinXPSP1x64
Win10x64
Running the imageinfo command through Volatility 2, the first suggested profile is Win7SP1x64. (imageinfo only guesses from the KDBG signature; if a later plugin errors out, kdbgscan will confirm which of the suggested profiles actually matches.)
What is the LM hash of the user's account?
Using Volatility again, the hashdump plugin pulls the password hashes out of the SAM and SYSTEM hives in memory. Each line is in pwdump format, username:RID:LM hash:NT hash:::.
We can see that Warren's LM hash comes right after his user RID of 1000, so it is "aad3b435b51404eeaad3b435b51404ee". Note that this is the well-known LM hash of an empty string, which is what hashdump prints when no LM hash is stored (LM storage has been off by default since Vista). It tells us nothing about Warren's password; the NT hash in the next field is the one to crack.
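As an added example (not part of the original write-up), the small parser below reads Volatility 2 hashdump output, pulls each account's RID, LM hash and NT hash, and flags the two cases a practitioner checks first: the empty LM hash, meaning no LM hash is stored, and the empty NT hash, meaning a blank password. The sample lines are constructed for this example; the NT hash for Warren is a placeholder, not a value from the challenge image.

```python
"""Parse Volatility 2 hashdump (pwdump-format) lines and flag empty hashes."""

# Constructed sample output in the hashdump format username:RID:LM:NT:::
# The NT hash on the Warren line is a placeholder, not real data.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Warren:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

# LM hash of the empty string: printed when no LM hash is stored for the account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string: the account has a blank password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_hashdump(text):
    """Return {username: {rid, lm, nt, lm_stored, blank_password}} for each line."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"unexpected hashdump line: {line!r}")
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        accounts[user] = {
            "rid": rid,
            "lm": lm,
            "nt": nt,
            "lm_stored": lm != EMPTY_LM,      # False: LM hashing was disabled
            "blank_password": nt == EMPTY_NT,  # True: empty password
        }
    return accounts


def ntlm_hashcat_lines(accounts):
    """Emit user:NT hash lines for the accounts worth cracking (hashcat -m 1000)."""
    return [
        f"{user}:{info['nt']}"
        for user, info in accounts.items()
        if not info["blank_password"]
    ]


if __name__ == "__main__":
    parsed = parse_hashdump(SAMPLE_HASHDUMP)
    for user, info in parsed.items():
        print(f"{user} (RID {info['rid']}): LM stored={info['lm_stored']}, "
              f"blank={info['blank_password']}")
    print("\n".join(ntlm_hashcat_lines(parsed)))
```

Feed the hashdump output to parse_hashdump and crack only what ntlm_hashcat_lines returns; an account with LM stored would additionally be worth attacking as LM (hashcat -m 3000), since LM is case-insensitive and split into two 7-character halves.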
What is Warren's Ignition Casino password? (Case Sensitive!!!!)
Running the memory image through Bulk Extractor pulls out e-mail address strings together with their surrounding context. Knowing we are looking for something related to Ignition Casino, a quick search of that output for "ignition" shows the password sitting next to the address: WHbigboy123.
It seems like Warren may have let his addictions slip into his work life... Find the program in question, recover it from memory, and give the SHA1 hash
With the hints of cards and poker, a quick userassist dump from Volatility shows he ran IgnitionCasino.exe.
We can then run filescan and grep for IgnitionCasino.exe to get the physical offset of its file object.
Passing that offset to dumpfiles (the -Q option, with -D for the output directory) extracts the file from the cache so it can be hashed. Keep in mind that dumpfiles reconstructs the file from whatever pages are resident in memory and zero-fills the rest, so the hash of a carved file can differ from the hash of the same file on disk.
The SHA1 is 3B7CA3BB8D4FB2B6C287D6A247EFD7C457937A3E
When was IgnitionCasino.exe compiled? YYYY-MM-DD HH:MM:SS
Dropping IgnitionCasino.exe into PPEE, the file header (IMAGE_FILE_HEADER.TimeDateStamp) gives a compile date of 2020-02-12 12:01:35. This field is a 32-bit count of seconds since the Unix epoch, interpreted as UTC, and it is set by the linker, so it is trivially forgeable; treat it as a pivot for the timeline, not as proof of when the binary was built.
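For a check that does not depend on a GUI tool, here is an added example (not from the original write-up) that reads TimeDateStamp straight out of the PE header and formats it as YYYY-MM-DD HH:MM:SS in UTC, alongside the SHA1 that the previous question asked for. The function walks e_lfanew from the DOS header to the "PE\0\0" signature and reads the 4-byte timestamp that follows Machine and NumberOfSections. The SAMPLE_PE bytes are a constructed minimal header built with the same timestamp as the write-up's answer, not the real IgnitionCasino.exe; point pe_timestamp at a dumped file's bytes to use it on the real thing.

```python
"""Read a PE's compile timestamp (IMAGE_FILE_HEADER.TimeDateStamp) and SHA1."""
import hashlib
import struct
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> int:
    """Return the raw TimeDateStamp (seconds since the Unix epoch) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at DOS-header offset 0x3C points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # IMAGE_FILE_HEADER follows the signature:
    #   Machine (2), NumberOfSections (2), TimeDateStamp (4), ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def compile_time(data: bytes) -> str:
    """TimeDateStamp formatted as YYYY-MM-DD HH:MM:SS (UTC)."""
    ts = pe_timestamp(data)
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def sha1_hex(data: bytes) -> str:
    """Upper-case SHA1 of the bytes, matching the format used in the write-up."""
    return hashlib.sha1(data).hexdigest().upper()


def build_sample_pe(ts: int) -> bytes:
    """Constructed minimal stub: 64-byte DOS header, PE signature, IMAGE_FILE_HEADER.

    Only the fields this example reads are meaningful; it is not a loadable binary.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    file_header = struct.pack(
        "<HHIIIHH",
        0x8664,  # Machine: AMD64
        0,       # NumberOfSections
        ts,      # TimeDateStamp
        0, 0,    # PointerToSymbolTable, NumberOfSymbols
        0,       # SizeOfOptionalHeader
        0x22,    # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    return bytes(dos) + b"PE\0\0" + file_header


# Constructed sample with the same timestamp as the write-up's answer (2020-02-12 12:01:35 UTC).
SAMPLE_PE = build_sample_pe(1581508895)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    print("SHA1:        ", sha1_hex(blob))
    print("TimeDateStamp", pe_timestamp(blob), "->", compile_time(blob))
```

Run it with the path of the file extracted by dumpfiles as the only argument; with no argument it runs against the constructed stub. If the timestamp comes back as something implausible (the epoch, a date in the future, or a value that looks like a hash), that is itself a finding: some linkers and packers write a reproducible-build hash or a deliberately bogus value into this field.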