Introduction

Useful cheatsheet

For most logical forensics questions, you will be asked to find Indicators of Compromise (IOCs) such as timestamps, filenames, registry keys, and so on that relate to the incident.

Flags could include:

  1. URLs

  2. IP Address

  3. Filename

  4. Registry

  5. Username

  6. Domain name

  7. Timestamp

  8. Process information

  9. Command executed

  10. Hash

  11. Password

  12. And many more!

Besides that, several CTFs embed a full flag string such as "FLAG{This_Is_The_Flag}". Since this makes it easy for participants to simply run strings and grep for the keyword, challenge creators often encode the string (for example with base64) or encrypt it with an encryption algorithm so the flag cannot be found directly by the strings command. So it depends on the challenge creator.
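As an added example (not part of the original cheatsheet), the script below automates the three common cases the paragraph describes: a plaintext flag, a base64-encoded flag, and a flag obscured with a single-byte XOR key, scanned in one pass over a file. It works on a constructed sample blob built inline; the FLAG{...} format, the sample contents and the XOR key 0x5A are assumptions, and for a real artifact you would read the file bytes instead.

```python
import base64
import re

# Assumed flag format; adjust the prefix for the CTF you are playing.
FLAG_RE = re.compile(rb"FLAG\{[^}]{1,80}\}")
# Runs of base64 alphabet long enough to hold an encoded flag.
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (fast via a translation table)."""
    table = bytes(i ^ key for i in range(256))
    return data.translate(table)


def find_plain(data: bytes) -> list[bytes]:
    """Plaintext flags, i.e. what `strings | grep FLAG{` would show."""
    return FLAG_RE.findall(data)


def find_base64(data: bytes) -> list[bytes]:
    """Decode every base64-looking run and search the decoded bytes."""
    hits = []
    for match in B64_RUN_RE.finditer(data):
        chunk = match.group(0)
        decoded = None
        # A run may carry trailing junk; retry with up to 3 bytes trimmed
        # so the length is a valid multiple of 4.
        for trim in range(4):
            candidate = chunk[: len(chunk) - trim] if trim else chunk
            try:
                decoded = base64.b64decode(candidate, validate=True)
                break
            except ValueError:
                continue
        if decoded:
            hits.extend(FLAG_RE.findall(decoded))
    return hits


def find_xor(data: bytes) -> list[tuple[int, bytes]]:
    """Brute-force all 255 non-zero single-byte XOR keys (XORSearch style)."""
    hits = []
    for key in range(1, 256):
        for flag in FLAG_RE.findall(xor_bytes(data, key)):
            hits.append((key, flag))
    return hits


def scan(data: bytes) -> dict:
    """Run all three searches and group the findings by technique."""
    return {
        "plain": find_plain(data),
        "base64": find_base64(data),
        "xor": find_xor(data),
    }


def build_sample() -> bytes:
    """Constructed sample artifact: three flags hidden three different ways."""
    filler = b"\x00" * 32 + b"some unrelated log text\n"
    plain = b"FLAG{plain_text_flag}"
    encoded = base64.b64encode(b"note: FLAG{base64_hidden_flag} end")
    xored = xor_bytes(b"FLAG{xor_hidden_flag}", 0x5A)  # assumed key
    return filler + plain + filler + encoded + filler + xored + filler


if __name__ == "__main__":
    for technique, found in scan(build_sample()).items():
        print(technique, found)
```

To use it on a real artifact, replace build_sample() with open(path, "rb").read(); the XOR scan is the slowest part, but the translation-table approach keeps it usable on triage-sized files.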

Artifacts

In the forensics industry, there are many types of artifacts. In a CTF, the organizer will most likely give:

  1. E01 file

  2. KAPE triage files such as Registry hives, Prefetch, SRUDB.dat

  3. Memory dump

  4. Log file

Things to do during CTF

  1. Prepare the right tools and know how to use them

  2. Have knowledge about the given artifacts

  3. Do quick analysis and find the flag

Forensics tools for CTF

Initial analysis

  • file command, TRiD

  • strings, FLOSS

  • base64dump, XORSearch

Disk image

  • Autopsy

  • FTK Imager

  • Arsenal Image Mounter

  • mount command (Linux)

KAPE extracted files

  • Eric Zimmerman's tools

Memory dump

  • MemProcFS

  • Volatility3 and Volatility Workbench

  • Evtxtract

Registry

  • Regripper

  • Registry Explorer

Event logs

  • Event Log Explorer

  • Log scanner such as Hayabusa

Browser files

  • DB Browser for SQLite

Other artifacts

  • WMI Forensics

  • BMC Tools

  • USB Detective

  • SRUM dump
