BOUZELIFA Mohammed Amine

NIT Breach 2 — Memory Forensics Writeup category: forensics / memory Analysis Tooling: Volatility 3 Image: nit_breach_2.raw (Ubuntu Linux memory dump) Flag: nmctf{num1d14n_m3m0ry_s3cr3t_7c2b8a} first instincts I ran strings on the image, grepped for “nmctf{” but found nothing, afterwards i ran strings and grepped for “classified_secrets” strings -t d nit_breach_2.raw | grep -iE "classified_secrets" got: 321038056 ./nit_numidian_db/classified_secrets next thing i did was regex scan for “classified_secrets” python3 vol.py -f nit_breach_2.raw linux.vmaregexscan.VmaRegExScan --pattern "classified_secrets" 3105 mariadbd 0x791e544ec4ac classified_secrets 63 6c 61 73 73 69 66 69 65 64 5f 73 65 63 72 65 74 73 aha! the process is mariadbd, with PID 3105 now we know wassup, we start our digging. Step 1 — Find the MariaDB process (PsList) python3 vol.py -f nit_breach_2.raw linux.pslist.PsList | grep -iE "maria|mysql" 0x8b10029f5200 3105 3105 1 mariadbd ... 2026-06-18 17:50:00 UTC Disabled made sure mariadb is running as: mariadbd, PID 3105. ...