Cold Workspace

The provided file is a .dmp memory dump, but Volatility 3 fails to parse it with windows.info. To see why, I first inspected the file header with xxd cold-workspace.dmp | head -4. The header did not look like that of a standard Windows crash dump (which opens with the PAGEDUMP or PAGEDU64 signature), which suggested that the file was not the format Volatility expected and that I would need to inspect the raw bytes manually instead of relying only on Volatility.
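The header check above, carried one step further: instead of eyeballing xxd output, read the first bytes and compare them against the magic values of the memory-image formats that usually land in a .dmp/.raw/.mem file. This is an added example and not part of the original write-up; the write-up does not show what the cold-workspace.dmp header actually contained, so the file name and the 64-byte read are assumptions.

```python
import sys

# Magic values found at offset 0 of common memory-image formats. Added example;
# the write-up never shows the real header of cold-workspace.dmp.
MAGICS = [
    (b"PAGEDUMP", "Windows 32-bit crash dump (the format windows.info expects)"),
    (b"PAGEDU64", "Windows 64-bit crash dump (the format windows.info expects)"),
    (b"HIBR", "Windows hibernation file, active"),
    (b"hibr", "Windows hibernation file, active"),
    (b"WAKE", "Windows hibernation file, already resumed (payload likely wiped)"),
    (b"wake", "Windows hibernation file, already resumed (payload likely wiped)"),
    (b"\x7fELF", "ELF core: VMware/QEMU snapshot or LiME -format elf"),
    (b"EMiL", "LiME dump with LiME segment headers"),
]


def identify_dump(header: bytes) -> str:
    """Classify a memory image from its leading bytes.

    Returns a description string; a miss means either a raw physical image
    (no header at all, which is what a raw Volatility layer wants) or a format
    not in the table, and in both cases carving strings is the next step.
    """
    for magic, desc in MAGICS:
        if header.startswith(magic):
            return desc
    return "raw or unknown: no header magic, try a raw layer or carve strings"


def hexdump(data: bytes, width: int = 16) -> str:
    """xxd-style rendering of `data`, for looking at a header a tool rejected."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<{width * 3 - 1}}  {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed file name; pass another path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "cold-workspace.dmp"
    with open(path, "rb") as f:
        head = f.read(64)
    print(hexdump(head))
    print(identify_dump(head))
```

If the classifier reports a hit for a crash dump but windows.info still fails, the header is usually truncated or the dump is a kernel-only minidump; if it reports no magic, treat the file as raw memory and fall back to string carving, which is exactly what the rest of this write-up does.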

I then searched the dump for interesting strings by piping the output of strings into vim, which reads from stdin with the - argument and lets me search the result with /. One caveat worth keeping in mind: GNU strings only reports 7-bit ASCII runs by default, while Windows keeps most command lines and environment blocks in UTF-16LE, so a second pass with strings -el (16-bit little-endian) is often needed to see them. This recovered a PowerShell command showing that encrypt_flag.ps1 had been executed from the analyst's desktop. Inspecting the recovered script content showed that flag.jpg was read from disk, encrypted and then deleted, and that the resulting encrypted data was stored in environment variables.
strings cold-workspace.dmp | vim -
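The same carving done programmatically, over both string encodings at once. This is an added example, not code from the original write-up: the sample buffer is constructed to look like a slice of process memory (an ASCII copy of the PowerShell command line plus a UTF-16LE environment block), and the base64 values in it are placeholders of the right length, not the real ENCK/ENCV from the dump.

```python
import base64
import re

# Constructed sample standing in for a slice of cold-workspace.dmp (not real dump
# data): the PowerShell command line as ASCII, then two of the ENC* environment
# variables as UTF-16LE, the way a Windows environment block stores them.
# The base64 values are placeholders of the right length (32-byte key, 16-byte IV).
SAMPLE = (
    b"\x00" * 37
    + b"powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\analyst\\Desktop\\encrypt_flag.ps1"
    + b"\x00" * 11
    + "ENCK=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".encode("utf-16le")
    + b"\x00\x00"
    + "ENCV=AAAAAAAAAAAAAAAAAAAAAA==".encode("utf-16le")
    + b"\x00" * 9
)


def carve_strings(buf, min_len=8):
    """Yield (offset, encoding, text) for printable runs in ASCII and UTF-16LE.

    GNU `strings` reports only the ASCII runs unless told otherwise; Windows
    keeps command lines and environment blocks as UTF-16LE, so scan for both.
    """
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


# NAME=base64 pairs for the three variables the script left behind.
ENV_RE = re.compile(r"\b(ENC[DKV])=([A-Za-z0-9+/=]+)")


def find_env_values(buf):
    """Map ENCD/ENCK/ENCV to (base64 text, decoded byte length, encoding, offset).

    The decoded length is what identifies the cipher: a 32-byte key and a
    16-byte IV point at AES-256 with a 16-byte block, i.e. AES-256-CBC here.
    """
    found = {}
    for off, enc, text in carve_strings(buf):
        for m in ENV_RE.finditer(text):
            name, b64 = m.group(1), m.group(2)
            try:
                n = len(base64.b64decode(b64, validate=True))
            except ValueError:  # not valid base64: noise that happened to match
                continue
            found.setdefault(name, (b64, n, enc, off))  # keep the first hit
    return found


if __name__ == "__main__":
    for off, enc, text in carve_strings(SAMPLE):
        if "encrypt_flag.ps1" in text or text.startswith("ENC"):
            print(f"{off:#010x} {enc:8s} {text}")
    for name, (b64, n, enc, off) in sorted(find_env_values(SAMPLE).items()):
        print(f"{name}: {n} bytes ({enc} at {off:#x})")
```

On a real dump, replace SAMPLE with the file contents (or mmap it) and expect several copies of each variable at different offsets; keeping the first hit is fine as long as the decoded lengths agree across copies.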

The dump exposed the three values needed to reverse the encryption: ENCD for the ciphertext, ENCK for the encryption key, and ENCV for the IV. The base64 lengths give the algorithm away: ENCK is 44 characters, which decodes to a 32-byte key (AES-256), ENCV is 24 characters, which decodes to a 16-byte IV (one AES block), and ENCD is 192 characters, which decodes to 144 bytes, a whole number of 16-byte blocks as a padded CBC ciphertext would be. Together these match AES-256-CBC.

Using these recovered values, I wrote a short Python script with Crypto.Cipher.AES (PyCryptodome) to base64-decode the key, IV, and ciphertext, then decrypt the data in CBC mode. Running the script recovered the original contents of flag.jpg, which revealed the flag.
from Crypto.Cipher import AES            # PyCryptodome
from Crypto.Util.Padding import unpad
import base64
# Base64 values recovered from the ENCD / ENCK / ENCV environment variables in the dump
ENCD = "S4wX8ml7/f9C2ffc8vENqtWw8Bko1RAhCwLLG4vvjeT2iJ26nfeMzWEyx/HlK1KmOhIrSMoWtmgu2OKMtTtUXddZDQ87FTEXIqghzCL6ErnC1+GwpSfzCDr9woKXj5IzcU2C/Ft5u705bY3b6/Z/Q/N6MPLXV55pLzIDnO1nvtja123WWwH54O4mnyWNspt5"
ENCK = "Ddf4BCsshqFHJxXPr5X6MLPOGtITAmXK3drAqeZoFBU="
ENCV = "xXpGwuoqihg/QHFTM2yMxA=="
key = base64.b64decode(ENCK)   # 32 bytes -> AES-256
iv = base64.b64decode(ENCV)    # 16 bytes -> one CBC block
data = base64.b64decode(ENCD)  # 144 bytes -> nine whole blocks
plaintext = AES.new(key, AES.MODE_CBC, iv).decrypt(data)
try:
    plaintext = unpad(plaintext, AES.block_size)  # strip PKCS#7 padding (.NET's Aes default)
except ValueError:
    pass  # padding did not check out: keep the raw blocks and inspect them by hand
print(plaintext)
with open("flag.jpg", "wb") as f:  # also save the decrypted bytes back as a file
    f.write(plaintext)