Volatile
The challenge hinted at the need to use the tool Volatility.
First we run volatility -f memdump.raw imageinfo on the dump to get the OS version. We then use the cmdscan command to check the most recently run commands.
One of these is
JCTF{nice_volatility_tricks_bro}
Last updated