# Introduction

## Useful cheatsheet

1. <https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html>
2. <https://fareedfauzi.github.io/2024/03/29/Linux-Forensics-cheatsheet.html>

Most logical forensics questions ask you to find Indicators of Compromise (IOCs) related to the incident: timestamps, filenames, registry keys and so on.

Flags can include:

1. URLs
2. IP addresses
3. Filenames
4. Registry keys and values
5. Usernames
6. Domain names
7. Timestamps
8. Process information
9. Commands executed
10. Hashes
11. Passwords
12. And many more!

Besides that, some CTFs embed the full flag string, such as "FLAG{This\_Is\_The\_Flag}". That makes it easy for participants to simply run *strings* and *grep* for the keyword, so challenge creators often encode the string (for example with base64) or encrypt it with some cipher so that *strings* alone will not reveal the flag. Whether the flag is hidden this way depends entirely on the challenge creator.
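The following script is an added example, not code from the original page or its author: it shows what a "strings and grep" hunt has to do once the flag is no longer stored in plain text. It searches an artifact for the flag pattern as-is, inside base64 runs (trying all three alignments, since the flag may start at any byte offset inside the encoded text), under every single-byte XOR key, and after ROT13. The flag format `FLAG{...}` is an assumption, and the artifact it scans is constructed inline so the script runs offline.

```python
"""Hunt for a CTF flag that a challenge author hid from plain `strings`/`grep`."""
import base64
import codecs
import re

# Assumed flag format: FLAG{...} with printable ASCII inside the braces.
# The class is 0x20-0x7e minus '}' (0x7d) so the match stops at the first closing brace.
FLAG_RE = re.compile(rb"FLAG\{[\x20-\x7c\x7e]{1,64}\}")
# A "long enough" run of base64 alphabet characters, optionally padded.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def _ascii(m: bytes) -> str:
    return m.decode("ascii")


def find_plain(data: bytes) -> list[str]:
    """Flags that plain strings/grep would already show."""
    return [_ascii(m) for m in FLAG_RE.findall(data)]


def find_base64(data: bytes) -> list[str]:
    """Decode every base64-looking run at all three alignments and search the output."""
    found = []
    for run in B64_RUN.findall(data):
        for shift in range(3):
            chunk = run[shift:]
            chunk = chunk[: len(chunk) - len(chunk) % 4]  # keep whole 4-char quanta only
            try:
                decoded = base64.b64decode(chunk, validate=True)
            except ValueError:  # binascii.Error is a ValueError: not valid base64 at this shift
                continue
            found.extend(_ascii(m) for m in FLAG_RE.findall(decoded))
    return found


def find_xor(data: bytes) -> list[tuple[int, str]]:
    """Brute-force every single-byte XOR key (the idea behind XORSearch) and report (key, flag)."""
    found = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        found.extend((key, _ascii(m)) for m in FLAG_RE.findall(decoded))
    return found


def find_rot13(data: bytes) -> list[str]:
    """ROT13 only shifts letters; braces, digits and underscores survive untouched."""
    decoded = codecs.decode(data.decode("latin-1"), "rot_13").encode("latin-1")
    return [_ascii(m) for m in FLAG_RE.findall(decoded)]


def scan(data: bytes) -> dict[str, list]:
    """Run every search technique over the artifact and group hits by technique."""
    return {
        "plain": find_plain(data),
        "base64": find_base64(data),
        "xor": find_xor(data),
        "rot13": find_rot13(data),
    }


def build_sample() -> bytes:
    """Constructed artifact (not real evidence): four flags, only the first visible to `strings`."""
    plain = b"FLAG{Plain_Text}"
    b64 = base64.b64encode(b"junk:FLAG{Base64_Hidden}:junk")
    xored = bytes(b ^ 0x5A for b in b"FLAG{Xor_Hidden}")  # single-byte XOR key 0x5A
    rot = codecs.encode("FLAG{Rot13_Hidden}", "rot_13").encode("ascii")
    return (b"\x00" * 8 + plain + b"\xff" * 4 + b64 + b"\x00" * 3
            + xored + b" " + rot + b"\x00" * 5)


if __name__ == "__main__":
    for technique, hits in scan(build_sample()).items():
        print(f"{technique:7}: {hits}")
```

On a real artifact, read the file (disk image, memory dump or carved region) into `data` instead of calling `build_sample()`. The XOR brute force is deliberately naive (it re-decodes the whole buffer 255 times) so the logic stays obvious; for a multi-gigabyte dump, hand the same job to XORSearch or FLOSS and keep this script for the decoded fragments they emit.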

## Artifacts

In the forensics industry there are many types of artifacts. In a CTF, the organizer will usually give you one or more of:

1. E01 file
2. KAPE Triage file such as Registry, Prefetch, SRUDB.dat
3. Memory dump
4. Log file

## Things to do during CTF

1. Prepare the right tools and know how to use them
2. Understand the artifacts you are given
3. Analyze quickly and find the flag

## Forensics tools for CTF

| Artifact / stage     | Tools                                                                                                    |
| -------------------- | -------------------------------------------------------------------------------------------------------- |
| Initial analysis     | <ul><li>file command, TrID</li><li>strings, FLOSS</li><li>base64dump, XORSearch</li></ul>                |
| Disk image           | <ul><li>Autopsy</li><li>FTK Imager</li><li>Arsenal Image Mounter</li><li>mount command (Linux)</li></ul> |
| KAPE extracted files | <ul><li>Eric Zimmerman's tools</li></ul>                                                                 |
| Memory dump          | <ul><li>MemProcFS</li><li>Volatility 3 and Volatility Workbench</li><li>EVTXtract</li></ul>              |
| Registry             | <ul><li>RegRipper</li><li>Registry Explorer</li></ul>                                                    |
| Event logs           | <ul><li>Event Log Explorer</li><li>Log scanners such as Hayabusa</li></ul>                               |
| Browser files        | <ul><li>DB Browser for SQLite</li></ul>                                                                  |
| Other artifacts      | <ul><li>WMI Forensics</li><li>BMC Tools</li><li>USB Detective</li><li>SRUM-DUMP</li></ul>                |
