Introduction

Useful cheatsheet

1. https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html

2. https://fareedfauzi.github.io/2024/03/29/Linux-Forensics-cheatsheet.html

For most of the logical forensic question, they will ask you to find Indicator of Compromises (IOCs), timestamp, filename, registry and etc. that relate to that incident.

Flags could be include of:

1. URLs

2. IP Address

3. Filename

4. Registry

5. Username

6. Domain name

7. Timestamp

8. Process information

9. Command executed

10. Hash

11. Password

12. And many more!

Beside that, several CTF might embed a full word of flag such as "FLAG{This_Is_The_Flag}". But this way much easier for participant to just strings and grep the keyword, which makes challenge creator encoded the strings such as using base64 or encrypt it using encryption algorithm to avoid direct flag being discovered by strings command. So, it depend on the challenge creator itself.

Artifacts

In the forensics industry, we have a lot type of artifacts. While in CTF, the organizer likely will supposedly gives:

1. E01 file

2. KAPE Triage file such as Registry, Prefetch, SRUDB.dat

3. Memory dump

4. Log file

Things to do during CTF

1. Prepare a right tool and knowing how to use it

2. Having a knowledge about the given artifacts

3. Do quick analysis and find the flag

Forensics tools for CTF

Initial analysis	File command, TRiD Strings, FLOSS base64dump, XORSearch
Disk image	Autopsy FTK Imager Arsenal Image Mounter mount command (Linux)
KAPE extracted files	Eric Zimmerman
Memory dump	MemProcFS Volatility3 and Volatily Workbench Evtxtract
Registry	Regripper Registry Explorer
Event logs	Event log Explorer Log scanner such as Hayabusa
Browser files	DBBrowser
Other artifacts	WMI Forensics BMC Tools USB Detective SRUM dump