Description
Jacky improved the BitLocker password, but you captured RAM while the drive was unlocked. Sift through the memory dump to recover the plaintext flag without brute-forcing the disk.
Setup
Decompress the memory dump and search it for picoCTF strings (or use Volatility/Autopsy to locate flagged artifacts).
gunzip memdump.mem.gz
strings memdump.mem | grep picoCTF
Solution
- Step 1: Scan the memory image. Because the drive was mounted when the RAM dump was captured, plaintext copies of the flag remain in memory. `strings memdump.mem | grep picoCTF` reveals multiple hits.
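The scan in Step 1 can be reproduced without relying on the `strings` binary, which is useful when a dump must be processed on a host that lacks it or when UTF-16LE text (the encoding Windows uses for most in-memory strings, and one that plain `strings` skips unless asked) matters. The scanner below is an added example and not part of this writeup: it reads an image in chunks so a multi-gigabyte dump never has to fit in memory, carries an overlap between chunks so that a run straddling a boundary is reported once and whole, and reports both ASCII and UTF-16LE runs with their absolute offsets. The `demo_image()` contents, the flag values in it, and the `jacky` path are constructed stand-ins, not data from the challenge.

```python
import io
import re
from typing import BinaryIO, Iterator, List, Tuple

MIN_LEN = 6      # shortest printable run to report (GNU strings defaults to 4)
OVERLAP = 4096   # bytes carried between chunks; must be >= 2 * MIN_LEN (see iter_strings)

# Printable ASCII runs, and the same run encoded as UTF-16LE (char, 0x00, char, 0x00, ...),
# which is how Windows keeps most in-memory text and which `strings` misses by default.
PATTERNS = (
    ("ascii", re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)),
    ("utf-16le", re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)),
)

Hit = Tuple[int, str, str]  # (absolute offset, encoding, decoded text)


def strings_in(data: bytes, base: int = 0) -> List[Hit]:
    """Every printable run in `data`, with offsets shifted by `base`."""
    hits: List[Hit] = []
    for enc, rx in PATTERNS:
        for m in rx.finditer(data):
            hits.append((base + m.start(), enc, m.group().decode(enc)))
    return sorted(hits)


def iter_strings(stream: BinaryIO, chunk_size: int = 64 << 20,
                 overlap: int = OVERLAP) -> Iterator[Hit]:
    """Stream printable runs out of an arbitrarily large image without loading it whole.

    A run is only reported once it ends before the trailing `overlap` window, so a run
    cut by a chunk boundary is held back and re-scanned together with the next chunk.
    The overlap must be at least 2 * MIN_LEN bytes so that a partially visible run that
    is still too short to match cannot start before the window.
    """
    if overlap < 2 * MIN_LEN:
        raise ValueError("overlap too small to keep boundary-crossing runs whole")
    carry, consumed = b"", 0
    while True:
        chunk = stream.read(chunk_size)
        data = carry + chunk
        base = consumed - len(carry)       # absolute offset of data[0]
        hits = strings_in(data, base)
        if not chunk:                      # EOF: nothing can continue past here
            yield from hits
            return
        cut = max(len(data) - overlap, 0)  # start of the window we do not trust yet
        for off, enc, text in hits:
            start = off - base
            end = start + len(text.encode(enc))
            if start < cut < end:          # run reaches into the window: hold it back
                cut = start
        for h in hits:
            if h[0] - base < cut:
                yield h
        carry = data[cut:]
        consumed += len(chunk)


def grep_image(path: str, needle: str = "picoCTF") -> List[Hit]:
    """Equivalent of `strings memdump.mem | grep picoCTF`, with offsets and encodings."""
    with open(path, "rb") as f:
        return [h for h in iter_strings(f) if needle in h[2]]


def scan_bytes(data: bytes, needle: str = "", **kw) -> List[Hit]:
    """Scan an in-memory buffer; handy for small captures and for exercising the chunking."""
    return [h for h in iter_strings(io.BytesIO(data), **kw) if needle in h[2]]


def demo_image() -> bytes:
    """Constructed stand-in for a dump: non-printable filler around the kinds of
    artifacts a real capture holds. Not data from the challenge."""
    noise = bytes(range(32)) * 4  # 128 bytes, none printable
    return (noise
            + b"picoCTF{example_flag_ascii}" + noise                      # ASCII copy
            + "picoCTF{example_flag_utf16}".encode("utf-16le") + noise    # UTF-16LE copy
            + b"pico" + noise                                             # too short to count
            + b"C:\\Users\\jacky\\Documents\\flag.txt" + noise)           # unrelated artifact


if __name__ == "__main__":
    # Tiny chunk and overlap sizes force several boundary crossings in the demo image.
    for off, enc, text in scan_bytes(demo_image(), "picoCTF", chunk_size=40, overlap=16):
        print(f"{off:#010x} {enc:9s} {text}")
```

Running the module prints the two flag copies at their offsets; `grep_image("memdump.mem")` applies the same scan to the challenge's dump. The UTF-16LE pattern is the practical difference from the one-liner: with GNU `strings` the equivalent is a second pass with `-e l`, and on a Windows image it routinely turns up file names, registry paths and console text that the ASCII pass never shows.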
Learn more
Memory forensics exploits the fact that when an encrypted volume is mounted, the operating system keeps decrypted data in RAM. The encryption key itself, decrypted file contents, and recently accessed strings all reside in physical memory for as long as the system is running. A RAM dump captured while BitLocker is unlocked therefore contains the plaintext of whatever files were recently read - regardless of how strong the disk password is.
This is the basis of the cold boot attack, a technique where an attacker physically cools RAM chips (slowing the decay of stored data), removes them from the running machine, and reads the contents in another system to extract encryption keys. Cold boot attacks have been demonstrated against BitLocker, FileVault, and LUKS. The defense is to power off machines completely before leaving them unattended in physically insecure environments.
The `strings` tool works on memory dumps exactly as it does on executables - it scans raw bytes for printable sequences. Because RAM contains all running process memory, heap data, stack frames, and kernel buffers, it is a rich source of artifacts: passwords typed into terminals, browser history, decrypted file content, and cryptographic keys. This makes live memory acquisition a high priority in digital forensics.
- Step 2: Optional: use Volatility. Volatility 3's windows.memory.string plugin (or Autopsy's Volatility integration) can also search the dump for picoCTF, producing the same string.
Learn more
Volatility is the leading open-source memory forensics framework. Rather than treating a memory dump as a raw byte blob, Volatility understands Windows (and Linux/macOS) kernel structures and can reconstruct process lists, network connections, registry hives, loaded modules, and file artifacts from the dump. This structured approach is far more powerful than grep for complex investigations.
Key Volatility plugins for BitLocker investigations include windows.bitlocker (extracts FVEK encryption keys directly from memory), windows.pslist (lists running processes), and windows.filescan (finds file objects cached in memory). Recovering the Full Volume Encryption Key (FVEK) from memory allows mounting the disk even without knowing the user password.
Autopsy is a GUI-based digital forensics platform that integrates Volatility as a plugin. It provides timeline analysis, keyword search, hash lookup, and artifact extraction in a unified interface used by law enforcement and corporate incident responders worldwide. The combination of Autopsy for disk artifacts and Volatility for memory artifacts covers most digital forensics investigations.
Flag
picoCTF{B1tl0ck3r_dr1v3_d3crypt3d_902...}
No password cracking is necessary because the RAM capture already contains the decrypted flag.