BTLO – Investigation: Eric


Eric was new to computer science and his goal was to become a software developer. As part of his goal he started working on C programming on a Linux machine but unfortunately he executed malicious code because of which his credentials were compromised. Eric took his infected laptop to his cybersecurity professor who helped him in remediation. Professor took a RAM image and took Eric’s consent to teach this incident as a case study to the university students.

RAMDump and Linux profile were kept on Desktop.

Unlock your Linux Memory Analysis skills to help the professor in preparing a good training lab for his students.

Note: If you feel something is not working in the lab, it might be really not working or you need to figure out how to make it work.

Scenario Description
Restricted Content
This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.


It was my first time using volatility with linux and mostly was straightforward. There were a few instances I tried to dump files and I kept getting blank / null bytes filled files. Eventually just looking at the file manually helped reveal some answers!


No comments available.

Leave a Reply

Your email address will not be published. Required fields are marked *