# Forensics

## Colour Blind - UACTF 2022
While running the image through stegsolve/stegonline or manipulating the pixels in your favourite image editor won't work, a hex editor should show you that the data portion of the bitmap contains more than two distinct hex values. Checking the image properties should also indicate that `ishihara.bmp` is a 16-colour bitmap image, and as such, each hex value denotes a different colour. Hence, we know that the image contains a wider range of colours than are being shown....
## notes - UMassCTF '21
Looking at the `.mem` file extension, memory forensics (and more specifically Volatility) seems like it's going to be our friend here. Starting with `volatility -f image.mem imageinfo` we get `Win7SP1x64` as our top suggested image profile (also confirming that we've got a valid dump). Using one of Volatility's coolest features, we can run `mkdir shots && volatility -f image.mem --profile=Win7SP1x64 screenshot --dump-dir=shots` to get the following wire-frame screenshot from memory....