CyberDefenders: BlueTeam CTF Challenges

Brave

SHA1SUM	fa02a505471aeb89172f89cb27dd4e2eea14bb9e
Published	June 20, 2021
Author	DFIRScience
Size	1.2 GB
Tags	Volatility Memory Brave Winows

Instructions	Unzip the challenge (pass: cyberdefenders.org)

Your progress

0% Completed0/10 Questions

Your score

Last solve

A memory image was taken from a seized Windows machine. Analyze the image and answer the provided questions.

Tools:

#	Question	Weight	Solved
#1	What time was the RAM image acquired according to the suspect system? (YYYY-MM-DD HH:MM:SS)	25	305
Hint Report an issue

#2	What is the SHA256 hash value of the RAM image?	25	313
Hint Report an issue

#3	What is the process ID of "brave.exe"?	25	306
Hint Report an issue

#4	How many established network connections were there at the time of acquisition? (number)	25	280
Hint Report an issue

#5	What FQDN does Chrome have an established network connection with?	50	244
Hint Report an issue

#6	What is the MD5 hash value of process memory for PID 6988?	50	250
Hint Report an issue

#7	What is the word starting at offset 0x45BE876 with a length of 6 bytes?	50	237
Hint Report an issue

#8	What is the creation date and time of the parent process of "powershell.exe"? (YYYY-MM-DD HH:MM:SS)	50	253
Hint Report an issue

#9	What is the full path and name of the last file opened in notepad?	75	239
Hint Report an issue

#10	How long did the suspect use Brave browser? (hh:mm:ss)	75	222
Hint Report an issue