CTF Forensics & Blockchain
Quick reference for forensics challenges. For detailed techniques, see supporting files.
Additional Resources
- •3d-printing.md - 3D printing forensics (PrusaSlicer binary G-code, QOIF, heatshrink)
- •windows.md - Windows forensics (registry, SAM, event logs, recycle bin)
- •network.md - Network forensics (PCAP, SMB3, WordPress, credentials)
Quick Start Commands
# File analysis file suspicious_file exiftool suspicious_file # Metadata binwalk suspicious_file # Embedded files strings -n 8 suspicious_file hexdump -C suspicious_file | head # Check magic bytes # Disk forensics sudo mount -o loop,ro image.dd /mnt/evidence fls -r image.dd # List files photorec image.dd # Carve deleted files # Memory forensics (Volatility 3) vol3 -f memory.dmp windows.info vol3 -f memory.dmp windows.pslist vol3 -f memory.dmp windows.filescan
Log Analysis
# Search for flag fragments grep -iE "(flag|part|piece|fragment)" server.log # Reconstruct fragmented flags grep "FLAGPART" server.log | sed 's/.*FLAGPART: //' | uniq | tr -d '\n' # Find anomalies sort logfile.log | uniq -c | sort -rn | head
Windows Event Logs (.evtx)
Key Event IDs:
- •1001 - Bugcheck/reboot
- •1102 - Audit log cleared
- •4720 - User account created
- •4781 - Account renamed
RDP Session IDs (TerminalServices-LocalSessionManager):
- •21 - Session logon succeeded
- •24 - Session disconnected
- •1149 - RDP auth succeeded (RemoteConnectionManager, has source IP)
import Evtx.Evtx as evtx
with evtx.Evtx("Security.evtx") as log:
for record in log.records():
print(record.xml())
When Logs Are Cleared
If attacker cleared event logs, use these alternative sources:
- •USN Journal ($J) - File operations timeline (MFT ref, timestamps, reasons)
- •SAM registry - Account creation from key last_modified timestamps
- •PowerShell history - ConsoleHost_history.txt (USN DATA_EXTEND = command timing)
- •Defender MPLog - Separate log with threat detections and ASR events
- •Prefetch - Program execution evidence
- •User profile creation - First login time (profile dir in USN journal)
Steganography
steghide extract -sf image.jpg zsteg image.png # PNG/BMP analysis stegsolve # Visual analysis
PDF Analysis
exiftool document.pdf # Metadata (often hides flags!) pdftotext document.pdf - # Extract text strings document.pdf | grep -i flag binwalk document.pdf # Embedded files
Memory Forensics
vol3 -f memory.dmp windows.info vol3 -f memory.dmp windows.pslist vol3 -f memory.dmp windows.cmdline vol3 -f memory.dmp windows.netscan vol3 -f memory.dmp windows.dumpfiles --physaddr <addr>
Disk Image Analysis
# Mount sudo mount -o loop,ro image.dd /mnt/evidence # Autopsy / Sleuth Kit fls -r image.dd # List files icat image.dd <inode> # Extract by inode # Carving photorec image.dd foremost -i image.dd
VM Forensics (OVA/VMDK)
# OVA = TAR archive tar -xvf machine.ova # 7z reads VMDK directly 7z l disk.vmdk | head -100 7z x disk.vmdk -oextracted "Windows/System32/config/SAM" -r
Windows Password Hashes
from impacket.examples.secretsdump import LocalOperations, SAMHashes
localOps = LocalOperations('SYSTEM')
bootKey = localOps.getBootKey()
sam = SAMHashes('SAM', bootKey)
sam.dump() # username:RID:LM:NTLM:::
# Crack with hashcat hashcat -m 1000 hashes.txt wordlist.txt
Bitcoin Tracing
- •Use mempool.space API:
https://mempool.space/api/tx/<TXID> - •Peel chain: ALWAYS follow LARGER output
- •Look for consolidation transactions
- •Round amounts (5.0, 23.0 BTC) indicate peels
Coredump Analysis
gdb -c core.dump (gdb) info registers (gdb) x/100x $rsp (gdb) find 0x0, 0xffffffff, "flag"
Uncommon File Magic Bytes
| Magic | Format | Extension | Notes |
|---|---|---|---|
OggS | Ogg container | .ogg | Audio/video |
RIFF | RIFF container | .wav,.avi | Check subformat |
%PDF | .pdf | Check metadata & embedded objects | |
GCDE | PrusaSlicer binary G-code | .g, .bgcode | See 3d-printing.md |
Common Flag Locations
- •PDF metadata fields (Author, Title, Keywords)
- •Image EXIF data
- •Deleted files (Recycle Bin
$Rfiles) - •Registry values
- •Browser history
- •Log file fragments
- •Memory strings
VMware Snapshot Forensics
Converting VMware snapshots to memory dumps:
# .vmss (suspended state) + .vmem (memory) → memory.dmp vmss2core -W path/to/snapshot.vmss path/to/snapshot.vmem # Output: memory.dmp (analyzable with Volatility/MemprocFS)
Malware hunting in snapshots (Armorless):
- •Check Amcache for executed binaries near encryption timestamp
- •Look for deceptive names (Unicode lookalikes:
ṙinstead ofr) - •Dump suspicious executables from memory
- •If PyInstaller-packed:
pyinstxtractor→ decompile.pyc - •If PyArmor-protected: use PyArmor-Unpacker
Ransomware key recovery via MFT:
- •Even if original files deleted, MFT preserves modification timestamps
- •Seed-based encryption: recover mtime → derive key
vol3 -f memory.dmp windows.mftparser | grep flag # mtime as Unix epoch → seed for PRNG → derive encryption key
TFTP Netascii Decoding
Problem: TFTP netascii mode corrupts binary transfers; Wireshark doesn't auto-decode.
Fix exported files:
# Replace netascii sequences:
# 0d 0a → 0a (CRLF → LF)
# 0d 00 → 0d (escaped CR)
with open('file_raw', 'rb') as f:
data = f.read()
data = data.replace(b'\r\n', b'\n').replace(b'\r\x00', b'\r')
with open('file_fixed', 'wb') as f:
f.write(data)
TLS Traffic Decryption via Weak RSA
Pattern (Tampered Seal): TLS 1.2 with TLS_RSA_WITH_AES_256_CBC_SHA (no PFS).
Attack flow:
- •Extract server certificate from Server Hello packet (Export Packet Bytes →
public.der) - •Get modulus:
openssl x509 -in public.der -inform DER -noout -modulus - •Factor weak modulus (dCode, factordb.com, yafu)
- •Generate private key:
rsatool -p P -q Q -o private.pem - •Add to Wireshark: Edit → Preferences → TLS → RSA keys list
After decryption:
- •Follow TLS streams to see HTTP traffic
- •Export objects (File → Export Objects → HTTP)
- •Look for downloaded executables, API calls
Browser Credential Decryption
Chrome/Edge Login Data decryption (requires master_key.txt):
from Crypto.Cipher import AES
import sqlite3, json, base64
# Load master key (from Local State file, DPAPI-protected)
with open('master_key.txt', 'rb') as f:
master_key = f.read()
conn = sqlite3.connect('Login Data')
cursor = conn.cursor()
cursor.execute('SELECT origin_url, username_value, password_value FROM logins')
for url, user, encrypted_pw in cursor.fetchall():
# v10/v11 prefix = AES-GCM encrypted
nonce = encrypted_pw[3:15]
ciphertext = encrypted_pw[15:-16]
tag = encrypted_pw[-16:]
cipher = AES.new(master_key, AES.MODE_GCM, nonce=nonce)
password = cipher.decrypt_and_verify(ciphertext, tag)
print(f"{url}: {user}:{password.decode()}")
Common Encodings
echo "base64string" | base64 -d echo "hexstring" | xxd -r -p # ROT13: tr 'A-Za-z' 'N-ZA-Mn-za-m'
WMI Persistence Analysis
Pattern (Backchimney): Malware uses WMI event subscriptions for persistence (MITRE T1546.003).
Analysis tool:
# PyWMIPersistenceFinder on OBJECTS.DATA file python PyWMIPersistenceFinder.py OBJECTS.DATA
What to look for:
- •FilterToConsumerBindings with CommandLineEventConsumer
- •Base64-encoded PowerShell in consumer commands
- •Event filters triggered on system events (logon, timer)
Deleted Partition Recovery
Pattern (Till Delete Do Us Part): USB image with deleted partition table.
Recovery workflow:
# Check for partitions fdisk -l image.img # Shows no partitions # Recover partition table testdisk image.img # Interactive recovery # Or use kpartx to map partitions kpartx -av image.img # Maps as /dev/mapper/loop0p1 # Mount recovered partition mount /dev/mapper/loop0p1 /mnt/evidence # Check for hidden directories ls -la /mnt/evidence # Look for .dotfolders find /mnt/evidence -name ".*" # Find hidden files
Flag hiding: Path components as flag chars (e.g., /.Meta/CTF/{f/l/a/g})
USB Audio Extraction from PCAP
Pattern (Talk To Me): USB isochronous transfers contain audio data.
Extraction workflow:
# Export ISO data with tshark tshark -r capture.pcap -T fields -e usb.iso.data > audio_data.txt # Convert to raw audio and import into Audacity # Settings: signed 16-bit PCM, mono, appropriate sample rate # Listen for spoken flag characters
Identification: USB transfer type URB_ISOCHRONOUS = real-time audio/video
PowerShell Ransomware Analysis
Pattern (Email From Krampus): PowerShell memory dump + network capture.
Analysis workflow:
- •Extract script blocks from minidump:
python power_dump.py powershell.DMP # Or: strings powershell.DMP | grep -A5 "function\|Invoke-"
- •
Identify encryption (typically AES-CBC with SHA-256 key derivation)
- •
Extract encrypted attachment from PCAP:
# Filter SMTP traffic in Wireshark # Export attachment, base64 decode
- •Find encryption key in memory dump:
# Key often generated with Get-Random, regex search:
strings powershell.DMP | grep -E '^[A-Za-z0-9]{24}$' | sort | head
- •Find archive password similarly, decrypt layers
Linux Attack Chain Forensics
Pattern (Making the Naughty List): Full attack timeline from logs + PCAP + malware.
Evidence sources:
# SSH session commands grep -A2 "session opened" /var/log/auth.log # User command history cat /home/*/.bash_history # Downloaded malware find /usr/bin -newer /var/log/auth.log -name "ms*" # Network exfiltration tshark -r capture.pcap -Y "tftp" -T fields -e tftp.source_file
Common malware pattern: AES-ECB encrypt + XOR with same key, save as .enc
Firefox Browser History (places.sqlite)
Pattern (Browser Wowser): Flag hidden in browser history URLs.
# Quick method strings places.sqlite | grep -i "flag\|MetaCTF" # Proper forensic method sqlite3 places.sqlite "SELECT url FROM moz_places WHERE url LIKE '%flag%'"
Key tables: moz_places (URLs), moz_bookmarks, moz_cookies
DTMF Audio Decoding
Pattern (Phone Home): Audio file contains phone dialing tones encoding data.
# Decode DTMF tones
sox phonehome.wav -t raw -r 22050 -e signed-integer -b 16 -c 1 - | \
multimon-ng -t raw -a DTMF -
Post-processing: Phone number may contain octal-encoded ASCII after delimiter (#):
# Convert octal groups to ASCII octal_groups = ["115", "145", "164", "141"] # M, e, t, a flag = ''.join(chr(int(g, 8)) for g in octal_groups)