Deleted Evidence (TexSaw 2025)

The goal was to recover the last flag generated by an executable (generator.exe) that takes seed files (seed_XX.txt) as input, working only from a Windows memory image (evidence.mem). The final solution required identifying the most recently created seed, running the generator on it, and appending the seed's creation timestamp, formatted YYYY-MM-DD_Hr:Min:Sec, inside the flag braces.

Step‑1: System Information (windows.info)

The first step is to understand the environment from which the memory dump originated. We use the windows.info plugin in Volatility 3. Besides the OS build and kernel details, this also confirms that Volatility can locate a symbol table for this kernel; if it cannot, none of the windows.* plugins used below will work, so fix that before going further.

vol -f evidence.mem windows.info

Output:


Step‑2: Locating Seed Files (windows.filescan)

Next, we search for traces of the seed files within the memory dump using windows.filescan, filtering for the expected naming pattern. filescan is slow and its output is usually queried several times during an investigation, so I save it to a text file once and grep that file afterwards.

# Save the filescan output to files.txt
vol -f evidence.mem windows.filescan > files.txt
# Search the saved output for files matching the seed pattern
grep -i "seed" files.txt

This confirms the presence of multiple seed files and provides their virtual addresses. We note these virtual addresses for potential extraction later.


Step‑3: Locating the Generator (windows.filescan)

We also need the generator.exe file. Since the seeds were found in \Users\user\Documents\Flags\, we grep the saved filescan output for that directory, expecting to find the generator there as well.

# Search the saved filescan output for files within the Flags directory
grep -i "Flags" files.txt

Output (filescan_generator.txt):

We have located the generator executable in memory and obtained its virtual address (0xe78e757c07c0).


Step‑4: Extracting the Generator (windows.dumpfiles)

Now, we extract generator.exe from the memory dump using its virtual address. Volatility 3 names the dumped file after the address and the section object it came from (file.<virtaddr>.<section object>.DataSectionObject.generator.exe.dat, and possibly a second ImageSectionObject copy). The DataSectionObject copy reflects the file as stored on disk, which is the one to keep; rename it to generator.exe before checking it.

# Dump the file using its virtual address
vol -f evidence.mem windows.dumpfiles --virtaddr 0xe78e757c07c0

# Rename the DataSectionObject output (name abbreviated here) and verify the file type
mv file.0xe78e757c07c0.*.DataSectionObject.generator.exe.dat generator.exe
file generator.exe

Output:

The generator executable has been successfully extracted. Note that pages that were not resident in the cache at capture time are zero-filled in the dump, so a dumped executable can be incomplete; `file` reporting a PE32 executable is a sanity check, not proof that the binary is intact.


Step‑5: Confirming the Latest Seed (windows.mftscan)

To find the last created seed, we turn to Master File Table (MFT) data using windows.mftscan.MFTScan. The plugin carves MFT FILE records that are still resident in memory and prints, for each record, the $STANDARD_INFORMATION and $FILE_NAME timestamps (Created, Modified, Updated, Accessed) along with the file name, so every file appears as two rows.

# Run mftscan and filter for seed text files
vol -f evidence.mem windows.mftscan.MFTScan | grep -i 'seed' | grep -i '\.txt'

Output:

By comparing the Created timestamps (the first YYYY-MM-DD HH:MM:SS column; Volatility prints them in UTC), we confirm that seed_89.txt has the latest creation time: 2025-03-26 02:08:23 UTC. The $STANDARD_INFORMATION row is the one most tools display and the one the challenge wanted, but it is also the attribute timestomping utilities modify, so it is worth checking that the $FILE_NAME row for the same record agrees before trusting the ordering. This is the seed file we need to extract and use.


Step‑6: Extracting the Target Seed (windows.dumpfiles)

We now extract the identified latest seed file (seed_89.txt) using the virtual address recorded for it in Step 2. As with the generator, the output is written under a file.<virtaddr>.<section object>.DataSectionObject.seed_89.txt.dat style name and was renamed to seed_89.txt.

# Dump the specific seed file using its virtual address
vol -f evidence.mem windows.dumpfiles --virtaddr 0xe78e740daa70

Output:


Step‑7: Retrieving Seed Content (strings)

To use the seed with the generator, we need its actual content. Because dumpfiles writes out whole cached pages, the recovered file can be padded with zero bytes beyond the real content, so strings is a convenient way to print just the printable seed value.

strings seed_89.txt

Output:


Step‑8: Generating the Flag

I copied generator.exe to a Windows host (an untrusted binary recovered from evidence, so a disposable VM is the sensible place for this) and ran it with seed_89.txt as its input.

Output:

The generator creates a file called flag.txt.


Step‑9: Constructing the Final Flag

The final step is to combine the generated flag with the creation timestamp of seed_89.txt (recorded in Step 5), formatted as YYYY-MM-DD_Hr:Min:Sec.

  • Generated Flag: texsaw{0f59ede3e09e5a4d18b480be9e56f3c2aa1ed0b67287f0bc60ca0b2bce62ac28}

  • Seed Creation Timestamp (MFT): 2025-03-26 02:08:23 UTC

  • Formatted Timestamp: 2025-03-26_02:08:23

Final Flag:

texsaw{0f59ede3e09e5a4d18b480be9e56f3c2aa1ed0b67287f0bc60ca0b2bce62ac28_2025-03-26_02:08:23}
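The text-munging in Steps 2 through 9 (pulling a virtual address out of filescan output, picking the newest seed from mftscan output, formatting the timestamp and splicing it into the flag) is easy to get wrong by hand when there are dozens of seeds. The following Python script is an added example written for this write-up, not tooling from the challenge or the original post. It assumes the tab-separated column layouts of windows.filescan (Offset, Name, Size) and windows.mftscan.MFTScan (Offset, Record Type, Record Number, Link Count, MFT Type, Permissions, Attribute Type, Created, Modified, Updated, Accessed, Filename); both samples inside it are constructed to mimic that layout around the addresses quoted above and are not copied from evidence.mem. It also goes one step beyond the write-up by flagging seeds whose $STANDARD_INFORMATION and $FILE_NAME creation times disagree, which is the check worth running before trusting a "latest file" answer.

```python
"""Post-process Volatility 3 text output for the Deleted Evidence steps.

Added example, not the write-up's own tooling. Column layouts of
windows.filescan and windows.mftscan.MFTScan are assumed as described
in the lead-in; the samples below are constructed, not real output.
"""
import re
from datetime import datetime

SEED_RE = re.compile(r"seed_\d+\.txt$", re.IGNORECASE)
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")  # ignores the .ffffff fraction

# Constructed windows.filescan rows: offset, path, size (sizes are made up).
FILESCAN_SAMPLE = "\n".join([
    "Offset\tName\tSize",
    "",
    "0xe78e740daa70\t\\Users\\user\\Documents\\Flags\\seed_89.txt\t0x40",
    "0xe78e740db1c0\t\\Users\\user\\Documents\\Flags\\seed_12.txt\t0x40",
    "0xe78e757c07c0\t\\Users\\user\\Documents\\Flags\\generator.exe\t0x2a00",
])

def _mft_row(offset, recno, attr, created, name):
    # Modified/Updated/Accessed are set equal to Created; they play no role here.
    return "\t".join([offset, "FILE", str(recno), "1", "File", "Archive", attr,
                      created, created, created, created, name])

# Constructed windows.mftscan.MFTScan rows, one $STANDARD_INFORMATION and one
# $FILE_NAME row per file. seed_07.txt is a constructed decoy whose
# $STANDARD_INFORMATION creation time was pushed back, which is what a
# backdating timestomp looks like in this output.
MFT_SAMPLE = "\n".join([
    "Offset\tRecord Type\tRecord Number\tLink Count\tMFT Type\tPermissions"
    "\tAttribute Type\tCreated\tModified\tUpdated\tAccessed\tFilename",
    "",
    _mft_row("0x1a3c00", 41201, "STANDARD_INFORMATION", "2025-03-26 02:07:55.000000 ", "seed_12.txt"),
    _mft_row("0x1a3c00", 41201, "FILE_NAME",            "2025-03-26 02:07:55.000000 ", "seed_12.txt"),
    _mft_row("0x1a4000", 41278, "STANDARD_INFORMATION", "2025-03-26 02:08:23.000000 ", "seed_89.txt"),
    _mft_row("0x1a4000", 41278, "FILE_NAME",            "2025-03-26 02:08:23.000000 ", "seed_89.txt"),
    _mft_row("0x1a4400", 41290, "STANDARD_INFORMATION", "2025-03-20 10:00:00.000000 ", "seed_07.txt"),
    _mft_row("0x1a4400", 41290, "FILE_NAME",            "2025-03-26 02:08:10.000000 ", "seed_07.txt"),
    _mft_row("0x1a4800", 41301, "STANDARD_INFORMATION", "2025-03-26 02:06:40.000000 ", "generator.exe"),
])

def find_virtaddr(filescan_text, filename):
    """Virtual address of the first filescan row whose path ends in filename, else None."""
    for line in filescan_text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2 or not parts[0].startswith("0x"):
            continue  # header, banner or blank line
        if parts[1].lower().endswith("\\" + filename.lower()):
            return parts[0]
    return None

def seed_created_times(mft_text):
    """Map seed filename -> {attribute type -> Created datetime}."""
    table = {}
    for line in mft_text.splitlines():
        parts = line.rstrip().split("\t")
        if len(parts) < 12 or not SEED_RE.search(parts[-1]):
            continue
        m = TS_RE.search(parts[7])  # Created is the first timestamp column
        if not m:
            continue
        created = datetime.strptime(m.group(), "%Y-%m-%d %H:%M:%S")
        table.setdefault(parts[-1], {})[parts[6]] = created
    return table

def latest_seed(mft_text, attr="STANDARD_INFORMATION"):
    """(filename, Created) of the newest seed according to one attribute's timestamp."""
    candidates = [(name, t[attr]) for name, t in seed_created_times(mft_text).items() if attr in t]
    return max(candidates, key=lambda nc: nc[1]) if candidates else None

def timestomp_suspects(mft_text):
    """Seeds whose $STANDARD_INFORMATION and $FILE_NAME creation times disagree."""
    return sorted(name for name, t in seed_created_times(mft_text).items()
                  if "STANDARD_INFORMATION" in t and "FILE_NAME" in t
                  and t["STANDARD_INFORMATION"] != t["FILE_NAME"])

def format_ts(dt):
    """Challenge format: YYYY-MM-DD_HH:MM:SS."""
    return dt.strftime("%Y-%m-%d_%H:%M:%S")

def build_final_flag(generated_flag, created):
    """texsaw{X} plus Created -> texsaw{X_YYYY-MM-DD_HH:MM:SS}, timestamp inside the braces."""
    if not generated_flag.endswith("}"):
        raise ValueError("expected a flag ending in '}'")
    return f"{generated_flag[:-1]}_{format_ts(created)}}}"

if __name__ == "__main__":
    print("generator.exe at", find_virtaddr(FILESCAN_SAMPLE, "generator.exe"))
    name, created = latest_seed(MFT_SAMPLE)
    print("latest seed:", name, "created", created, "at", find_virtaddr(FILESCAN_SAMPLE, name))
    print("timestomp suspects:", timestomp_suspects(MFT_SAMPLE))
    print(build_final_flag("texsaw{example}", created))
```

On real output, replace the two samples with the saved files.txt and the mftscan output; the regexes only depend on the Created column being the first timestamp on the row and the file name being the last column. Running latest_seed with attr="FILE_NAME" and comparing it to the default is a cheap way to notice when a backdated $STANDARD_INFORMATION time would have changed the answer.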
