Writeup by n0tpresl3y for Analyse mémoire - Pour commencer (2/2)

Tags: intro, forensics, windows, memory

October 18, 2025

Analysis Steps

1. Identifying Running Processes

To find processes that might be associated with document editing, we ran the following Volatility3 command:

vol -f /mnt/c/Users/cyrha/Desktop/demo/file.dmp windows.pslist
  • windows.pslist walks the kernel's process list and enumerates every process recorded in the memory dump, with its PID, parent PID and image name.
  • From the output, we noticed a process named soffice.exe (the LibreOffice front end), which could be the document editing software.

2. Checking Process Command Lines

To verify which process was actually opening the sensitive document, we examined the command line arguments of running processes:

vol -f /mnt/c/Users/cyrha/Desktop/demo/file.dmp windows.cmdline | grep -Ei 'soffice.exe'
  • windows.cmdline reads each process's PEB and reveals the full command line used to start it, which is where the path of an opened document usually appears.
  • This command returned:
soffice.exe [SECRET-SF][TLP-RED]Plan FCSC 2026.odt
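The two steps above (list processes, then correlate each one with its command line and pull out the opened document) are easy to script once Volatility3's text output has been saved to a file. The block below is an added example written for this writeup, not code from the original post or from the Volatility project. It parses constructed samples of `windows.pslist` and `windows.cmdline` output (the tab-separated layout and the sample PIDs, offsets and timestamps are assumptions), matches processes against a small list of document-editing binaries (also an assumption, extend it for your environment), and extracts the document argument, including the quoted-path form that LibreOffice uses when launched from a shortcut.

```python
import re
from typing import Dict, List, Optional, Tuple

# Binaries that commonly open user documents. Assumed starting list, not exhaustive.
DOCUMENT_EDITORS = {
    "soffice.exe", "soffice.bin", "winword.exe", "excel.exe",
    "powerpnt.exe", "acrord32.exe", "wordpad.exe", "notepad.exe",
}

# File extensions we treat as "documents" when they appear on a command line (assumption).
DOC_EXTENSIONS = (".odt", ".ods", ".odp", ".docx", ".doc", ".xlsx", ".pptx", ".pdf", ".rtf", ".txt")

# Constructed sample of `vol ... windows.pslist` output; not from a real dump.
# Volatility3's default renderer separates columns with tabs and prefixes child rows with '*'.
SAMPLE_PSLIST = """\
Volatility 3 Framework
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0xfa8000c8e040\t90\t500\tN/A\tFalse\t2025-10-18 09:00:00.000000 UTC\tN/A\tDisabled
2840\t1200\texplorer.exe\t0xfa8001a2f060\t30\t900\t1\tFalse\t2025-10-18 09:01:10.000000 UTC\tN/A\tDisabled
* 3412\t2840\tsoffice.exe\t0xfa8001b4c5a0\t12\t310\t1\tFalse\t2025-10-18 09:15:42.000000 UTC\tN/A\tDisabled
"""

# Constructed sample of `vol ... windows.cmdline` output; the soffice.exe line mirrors the writeup.
SAMPLE_CMDLINE = """\
PID\tProcess\tArgs
4\tSystem\tRequired memory at 0x20 is not valid (process exited?)
2840\texplorer.exe\tC:\\Windows\\Explorer.EXE
3412\tsoffice.exe\tsoffice.exe [SECRET-SF][TLP-RED]Plan FCSC 2026.odt
"""


def parse_table(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated Volatility3 table into one dict per row, keyed by column name."""
    rows: List[Dict[str, str]] = []
    header: Optional[List[str]] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Strip the tree-depth markers ('*') Volatility3 puts in front of child rows.
        cells = [c.strip().lstrip("*").strip() for c in line.split("\t")]
        if header is None:
            if "PID" in cells:          # the first line containing a PID column is the header
                header = cells
            continue                    # banner / progress lines before the header are skipped
        if len(cells) < len(header):
            continue                    # malformed or wrapped line
        rows.append(dict(zip(header, cells)))
    return rows


def split_command_line(args: str) -> Tuple[str, str]:
    """Split a Windows command line into (executable, remainder), honouring a quoted exe path."""
    args = args.strip()
    if args.startswith('"'):
        end = args.find('"', 1)
        if end == -1:
            return args, ""
        return args[1:end], args[end + 1:].strip()
    exe, _, rest = args.partition(" ")
    return exe, rest.strip()


def extract_document(args: str) -> Optional[str]:
    """Return the document path/name passed on a command line, or None if there is none."""
    _, rest = split_command_line(args)
    # Drop leading switches such as --writer or /n; the document follows them.
    while rest and rest[0] in "-/":
        _, _, rest = rest.partition(" ")
        rest = rest.strip()
    if not rest:
        return None
    if rest.startswith('"'):            # quoted path: take everything up to the closing quote
        end = rest.find('"', 1)
        rest = rest[1:end] if end != -1 else rest[1:]
    return rest if rest.lower().endswith(DOC_EXTENSIONS) else None


def find_open_documents(pslist_text: str, cmdline_text: str) -> List[Tuple[int, str, str]]:
    """Correlate pslist and cmdline output and return (pid, process, document) for editor processes."""
    image_by_pid = {row["PID"]: row["ImageFileName"] for row in parse_table(pslist_text)}
    hits: List[Tuple[int, str, str]] = []
    for row in parse_table(cmdline_text):
        name = image_by_pid.get(row["PID"], row["Process"])
        if name.lower() not in DOCUMENT_EDITORS:
            continue
        doc = extract_document(row["Args"])
        if doc:
            hits.append((int(row["PID"]), name, doc))
    return hits


def format_flag(process: str, document: str) -> str:
    """Build the flag in the format this challenge expects: FCSC{process:document}."""
    return "FCSC{" + process + ":" + document + "}"


if __name__ == "__main__":
    for pid, proc, doc in find_open_documents(SAMPLE_PSLIST, SAMPLE_CMDLINE):
        print(f"PID {pid}: {proc} opened {doc!r}")
        print(format_flag(proc, doc))
```

On a real case, replace the two sample strings with the saved output of the two `vol` commands from the writeup (`vol -f file.dmp windows.pslist > pslist.txt`, and likewise for `windows.cmdline`) and read them in; the parser only depends on the header row, so extra banner or progress lines before it are ignored.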

Findings

  • Document editing software: soffice.exe
  • Document name: [SECRET-SF][TLP-RED]Plan FCSC 2026.odt

Flag

Based on the findings and the required format, the flag is:

FCSC{soffice.exe:[SECRET-SF][TLP-RED]Plan FCSC 2026.odt}