This week was rather quick, but a slight departure from your standard memory forensics questions. I rather liked that and it gave me the chance to discover a new tool I’d never used before.
Question 1
Question: What is the IPv4 address that myaccount.google.com resolves to?
Hmm, I’d used all the network-related plugins on last week’s set of questions, and hadn’t seen anything related to that URL. So I thought I’d be crafty and do a DNS lookup on myaccount.google.com. No luck. Worth a try.
I had read over a few of the writeups from last week’s CTF, and several of them mentioned carving packets from the memory image. I thought that was an interesting approach, as I had never seen it before. So, armed with that knowledge and a quick Google, I found this tool: CapLoader
I fired it up and sorted by Hostname… Voilà:
Answer: 172.217.10.238
Question 2
Question: What is the canonical name (CNAME) associated with Part 1?
A CNAME record is an alias: it maps one hostname to another, canonical hostname, and the resolver then looks up that canonical name to get the actual A record. That makes changing the IP address behind a well-known name easier, since only the canonical name’s A record has to change. Well, from the above screenshot you can see there are two hostnames associated with that connection, so the answer is right there.
Answer: www3.l.google.com
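As an added example (not part of the original writeup, and not how CapLoader works internally), the following Python shows the two ideas behind both questions in code: carving DNS response messages out of a raw buffer, and parsing the answer section to follow the CNAME chain from the queried name to its A record. The "memory image" here is a constructed byte string with a query and a response embedded among junk; the response is hand-built to mirror the writeup's answers and is not a real capture. The carving heuristic (anchor on the encoded query name, step back 12 bytes to where a DNS header would be, check the QR flag) is a simple one chosen for illustration.

```python
import struct

QUERY_NAME = "myaccount.google.com"


def encode_name(name: str) -> bytes:
    """Wire-encode a hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_sample_response() -> bytes:
    """Constructed DNS response: QUERY_NAME CNAME www3.l.google.com, then an A record.
    Values are made up to match the writeup; not a real packet."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # QR=1, qd=1, an=2
    question = encode_name(QUERY_NAME) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    cname_rdata = encode_name("www3.l.google.com")
    # Owner name is a compression pointer (0xC00C) back to the question name at offset 12.
    ans1 = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(cname_rdata)) + cname_rdata
    # The A record's owner name points at the CNAME rdata: header + question + 12 bytes of RR prefix.
    cname_rdata_offset = 12 + len(question) + 12
    ans2 = (struct.pack("!H", 0xC000 | cname_rdata_offset)
            + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([172, 217, 10, 238]))
    return header + question + ans1 + ans2


def build_sample_image() -> bytes:
    """Constructed stand-in for a chunk of memory: junk, the original query, junk, the response."""
    query = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + encode_name(QUERY_NAME) + b"\x00\x01\x00\x01"
    return b"\xff" * 37 + query + b"A" * 19 + build_sample_response() + b"\x00" * 23


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name. Returns (name, offset just past it in the stream)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = ((length & 0x3F) << 8) | msg[offset + 1]
            if not jumped:
                end = offset + 2                        # stream continues after the 2-byte pointer
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:                               # guard against pointer loops in carved data
                raise ValueError("compression loop")
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_answers(msg: bytes):
    """Return [(owner, rtype, value)] for every RR in the answer section of a response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):                                 # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:                   # A record: dotted-quad IPv4
            value = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype == 5:                                # CNAME: rdata is itself a (compressible) name
            value, _ = read_name(msg, offset)
        else:
            value = msg[offset:offset + rdlen].hex()
        answers.append((owner, rtype, value))
        offset += rdlen
    return answers


def resolve_chain(answers, qname: str):
    """Follow CNAMEs from qname to the final name; returns (last_cname_or_None, [ipv4, ...])."""
    cname, name, seen = None, qname, set()
    while name not in seen:                             # 'seen' stops a CNAME loop
        seen.add(name)
        nxt = next((v for n, t, v in answers if n == name and t == 5), None)
        if nxt is None:
            break
        cname = name = nxt
    return cname, [v for n, t, v in answers if n == name and t == 1]


def carve_dns_responses(image: bytes, qname: str):
    """Find DNS responses for qname in a raw buffer. Heuristic: locate the encoded
    question (name + QTYPE=A + QCLASS=IN), assume the 12-byte header sits just before
    it, and keep only hits whose QR bit is set and which parse cleanly."""
    needle = encode_name(qname) + b"\x00\x01\x00\x01"
    found, start = [], 0
    while (i := image.find(needle, start)) >= 0:
        if i >= 12:
            hdr = i - 12
            flags, qd = struct.unpack("!HH", image[hdr + 2:hdr + 6])
            if flags & 0x8000 and qd == 1:
                try:
                    found.append(parse_answers(image[hdr:]))
                except (ValueError, IndexError, UnicodeDecodeError, struct.error):
                    pass                                # junk that happened to look like a header
        start = i + 1
    return found


if __name__ == "__main__":
    for answers in carve_dns_responses(build_sample_image(), QUERY_NAME):
        print(resolve_chain(answers, QUERY_NAME))
```

The query copy in the sample buffer matches the same needle but is dropped because its QR flag is clear, which is the check you want when carving, since a memory image will usually hold the outbound query as well as the reply. Real carved data is noisier than this: counts and pointers in a false-positive "header" can point anywhere, which is why the parser bounds its pointer hops and the carver swallows parse failures rather than trusting every hit.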