Introduction
Useful cheatsheet
Most logical forensics questions ask you to find Indicators of Compromise (IOCs) that relate to the incident: timestamps, filenames, registry keys, and so on.
Flags could include:
URLs
IP Address
Filename
Registry
Username
Domain name
Timestamp
Process information
Command executed
Hash
Password
And many more!
Besides that, some CTFs embed a full flag string such as "FLAG{This_Is_The_Flag}". Because that makes it easy for a participant to simply run strings and grep for the keyword, challenge creators often encode the string (for example with base64) or encrypt it with an encryption algorithm so that the flag is not revealed directly by the strings command. So it depends on the challenge creator.
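As an added example (not from the original cheatsheet), the following Python script shows both searches described above on a constructed sample blob: a plaintext FLAG{...} match, which is what strings | grep would find, and a second pass that decodes every base64-looking run and searches the decoded bytes, which catches a flag that was base64-encoded before being dropped into the artifact. The FLAG{...} format, the SAMPLE_BLOB contents and the function names are assumptions for this example.

```python
import base64
import re

# Assumed flag format for this example; adjust the prefix to the CTF's own format.
FLAG_RE = re.compile(rb"FLAG\{[^}\s]{1,80}\}")
# A run of base64-alphabet characters long enough to hold an encoded flag
# (12 chars = 9 decoded bytes), with optional trailing padding.
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")

# Constructed sample "image": binary noise, one plaintext flag, and one flag hidden
# inside a base64-encoded value that `strings | grep FLAG` would never show.
SAMPLE_BLOB = (
    b"\x00\x01garbage\x00"
    + b"FLAG{plain_text_flag}"
    + b"\x00\x7fELF junk\x00"
    + b"user=admin;token="
    + base64.b64encode(b"session: FLAG{b64_hidden_flag} end")
    + b";\x00ThisLooksLikeBase64ButIsNot\x00"
)


def find_plain_flags(data: bytes) -> list[str]:
    """Flags that appear verbatim, i.e. what `strings | grep FLAG{` would show."""
    return [m.group(0).decode("ascii", "replace") for m in FLAG_RE.finditer(data)]


def find_base64_flags(data: bytes) -> list[str]:
    """Decode every base64-looking run and search the decoded bytes for a flag.

    Decoding the whole run (rather than searching for base64(b"FLAG{")) finds the
    flag wherever it sits inside the encoded string, so base64's 3-byte alignment
    does not matter.
    """
    found: list[str] = []
    for m in B64_RUN_RE.finditer(data):
        core = m.group(0).rstrip(b"=")
        # Re-pad: strings output and copy/paste often drop the trailing '='.
        padded = core + b"=" * (-len(core) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # not valid base64, e.g. an ordinary word or path
        found.extend(find_plain_flags(decoded))
    return found


def scan(data: bytes) -> dict[str, list[str]]:
    """Run both passes and return the flags found by each."""
    return {"plain": find_plain_flags(data), "base64": find_base64_flags(data)}


if __name__ == "__main__":
    # On a real artifact: scan(open("image.raw", "rb").read())  (path is a placeholder)
    for kind, flags in scan(SAMPLE_BLOB).items():
        print(kind, flags)
```

The base64 pass is the cheap generalisation of "strings and grep": it decodes whole runs instead of guessing the alignment of the encoded flag, and it tolerates missing padding. A flag that was encrypted rather than encoded still needs the key or algorithm from elsewhere in the artifact; no amount of pattern searching will recover it.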
Artifacts
In the forensics industry there are many types of artifacts. In a CTF, the organizer will likely give you:
E01 file
KAPE Triage file such as Registry, Prefetch, SRUDB.dat
Memory dump
Log file
Things to do during CTF
Prepare the right tools and know how to use them
Have knowledge of the given artifacts
Do a quick analysis and find the flag
Forensics tools for CTF