CTF Forensics & Blockchain

Quick reference for forensics CTF challenges. Each technique has a one-liner here; see supporting files for full details.

Additional Resources

• 3d-printing.md - 3D printing forensics (PrusaSlicer binary G-code, QOIF, heatshrink)
• windows.md - Windows forensics (registry, SAM, event logs, recycle bin, USN journal, PowerShell history, Defender MPLog, WMI persistence, Amcache)
• network.md - Network forensics (PCAP, SMB3, WordPress, credentials, NTLMv2 cracking, USB HID steno, BCD encoding, HTTP file upload exfiltration)
• disk-and-memory.md - Disk/memory forensics (Volatility, disk mounting/carving, VM/OVA/VMDK, coredumps, deleted partitions, ZFS, VMware snapshots, ransomware analysis, GPT GUID encoding, VMDK sparse parsing)
• steganography.md - Steganography (binary border stego, PDF multi-layer stego, FFT frequency domain, DTMF audio, SSTV+LSB, SVG keyframes, PNG reorder, file overlays)
• linux-forensics.md - Linux/app forensics (log analysis, Docker image forensics, attack chains, browser credentials, Firefox history, TFTP, TLS weak RSA, USB audio, Git directory recovery)
• signals-and-hardware.md - Hardware signal decoding with decode code (VGA frame parsing, HDMI TMDS symbol decode, DisplayPort 8b/10b + LFSR descrambler), Voyager Golden Record audio, Flipper Zero .sub files

Quick Start Commands

# File analysis
file suspicious_file
exiftool suspicious_file     # Metadata
binwalk suspicious_file      # Embedded files
strings -n 8 suspicious_file
hexdump -C suspicious_file | head  # Check magic bytes

# Disk forensics
sudo mount -o loop,ro image.dd /mnt/evidence
fls -r image.dd              # List files
photorec image.dd            # Carve deleted files

# Memory forensics (Volatility 3)
vol3 -f memory.dmp windows.info
vol3 -f memory.dmp windows.pslist
vol3 -f memory.dmp windows.filescan

See disk-and-memory.md for full Volatility plugin reference, VM forensics, and coredump analysis.

Log Analysis

grep -iE "(flag|part|piece|fragment)" server.log     # Flag fragments
grep "FLAGPART" server.log | sed 's/.*FLAGPART: //' | uniq | tr -d '\n'  # Reconstruct
sort logfile.log | uniq -c | sort -rn | head         # Find anomalies

See linux-forensics.md for Linux attack chain analysis and Docker image forensics.

Windows Event Logs (.evtx)

Key Event IDs:

• 1001 - Bugcheck/reboot
• 1102 - Audit log cleared
• 4720 - User account created
• 4781 - Account renamed

RDP Session IDs (TerminalServices-LocalSessionManager):

• 21 - Session logon succeeded
• 24 - Session disconnected
• 1149 - RDP auth succeeded (RemoteConnectionManager, has source IP)

import Evtx.Evtx as evtx
with evtx.Evtx("Security.evtx") as log:
    for record in log.records():
        print(record.xml())

See windows.md for full event ID tables, registry analysis, SAM parsing, USN journal, and anti-forensics detection.

When Logs Are Cleared

If attacker cleared event logs, use these alternative sources:

1. USN Journal ($J) - File operations timeline (MFT ref, timestamps, reasons)
2. SAM registry - Account creation from key last_modified timestamps
3. PowerShell history - ConsoleHost_history.txt (USN DATA_EXTEND = command timing)
4. Defender MPLog - Separate log with threat detections and ASR events
5. Prefetch - Program execution evidence
6. User profile creation - First login time (profile dir in USN journal)

See windows.md for detailed parsing code and anti-forensics detection checklist.

Steganography

steghide extract -sf image.jpg
zsteg image.png              # PNG/BMP analysis
stegsolve                    # Visual analysis

• Binary border stego: Black/white pixels in 1px image border encode bits clockwise
• FFT frequency domain: Image data hidden in 2D FFT magnitude spectrum; try np.fft.fft2 visualization
• DTMF audio: Phone tones encoding data; decode with multimon-ng -a DTMF
• Multi-layer PDF: Check hidden comments, post-EOF data, XOR with keywords, ROT18 final layer
• SSTV + LSB: SSTV signal may be red herring; check 2-bit LSB of audio samples with stegolsb
• SVG keyframes: Animation keyTimes/values attributes encode binary/Morse via fill color alternation
• PNG chunk reorder: Fix chunk order: IHDR → ancillary → IDAT (in order) → IEND
• File overlays: Check after IEND for appended archives with overwritten magic bytes

See steganography.md for full code examples and decoding workflows.

PDF Analysis

exiftool document.pdf        # Metadata (often hides flags!)
pdftotext document.pdf -     # Extract text
strings document.pdf | grep -i flag
binwalk document.pdf         # Embedded files

Advanced PDF stego (Nullcon 2026 rdctd): Six techniques -- invisible text separators, URI annotations with escaped braces, Wiener deconvolution on blurred images, vector rectangle QR codes, compressed object streams (mutool clean -d), document metadata fields.

See steganography.md for full PDF steganography techniques and code.

Disk / VM / Memory Forensics

# Disk images
sudo mount -o loop,ro image.dd /mnt/evidence
fls -r image.dd && photorec image.dd

# VM images (OVA/VMDK)
tar -xvf machine.ova
7z x disk.vmdk -oextracted "Windows/System32/config/SAM" -r

# Memory (Volatility 3)
vol3 -f memory.dmp windows.pslist
vol3 -f memory.dmp windows.cmdline
vol3 -f memory.dmp windows.netscan
vol3 -f memory.dmp windows.dumpfiles --physaddr <addr>

# String carving
strings -a -n 6 memdump.bin | grep -E "FLAG|SSH_CLIENT|SESSION_KEY"

# Coredump
gdb -c core.dump  # info registers, x/100x $rsp, find "flag"

See disk-and-memory.md for full Volatility plugin reference, VM forensics, VMware snapshots, deleted partition recovery, ZFS forensics, and ransomware analysis.

Windows Password Hashes

# Extract with impacket, crack with hashcat -m 1000
python -c "from impacket.examples.secretsdump import *; SAMHashes('SAM', LocalOperations('SYSTEM').getBootKey()).dump()"

See windows.md for SAM details and network.md for NTLMv2 cracking from PCAP.

Bitcoin Tracing

• Use mempool.space API: https://mempool.space/api/tx/<TXID>
• Peel chain: ALWAYS follow LARGER output; round amounts indicate peels

Uncommon File Magic Bytes

Common Flag Locations

• PDF metadata fields (Author, Title, Keywords)
• Image EXIF data
• Deleted files (Recycle Bin $R files)
• Registry values
• Browser history
• Log file fragments
• Memory strings

WMI Persistence Analysis

Pattern (Backchimney): Malware uses WMI event subscriptions for persistence (MITRE T1546.003).

python PyWMIPersistenceFinder.py OBJECTS.DATA

• Look for FilterToConsumerBindings with CommandLineEventConsumer
• Base64-encoded PowerShell in consumer commands
• Event filters triggered on system events (logon, timer)

See windows.md for WMI repository analysis details.

Network Forensics Quick Reference

• TFTP netascii: Binary transfers corrupted; fix with data.replace(b'\r\n', b'\n').replace(b'\r\x00', b'\r')
• TLS weak RSA: Extract cert, factor modulus, generate private key with rsatool, add to Wireshark
• USB audio: Extract isochronous data with tshark -e usb.iso.data, import as raw PCM in Audacity
• NTLMv2 from PCAP: Extract server challenge + NTProofStr + blob from NTLMSSP_AUTH, brute-force

See network.md for SMB3 decryption, credential extraction, and linux-forensics.md for full TLS/TFTP/USB workflows.

Browser Forensics

• Chrome/Edge: Decrypt Login Data SQLite with AES-GCM using DPAPI master key
• Firefox: Query places.sqlite -- SELECT url FROM moz_places WHERE url LIKE '%flag%'

See linux-forensics.md for full browser credential decryption code.

Additional Technique Quick References

• Docker image forensics: Config JSON preserves ALL RUN commands even after cleanup. tar xf app.tar then inspect config blob. See linux-forensics.md.
• Linux attack chains: Check auth.log, .bash_history, recent binaries, PCAP. See linux-forensics.md.
• PowerShell ransomware: Extract scripts from minidump, find AES key, decrypt SMTP attachment. See disk-and-memory.md.
• Linux ransomware + memory dump: If Volatility is unreliable, recover AES key via raw-memory candidate scanning and magic-byte validation; re-extract zip cleanly to avoid missing files/false negatives. See disk-and-memory.md.
• Deleted partitions: testdisk or kpartx -av. See disk-and-memory.md.
• ZFS forensics: Reconstruct labels, Fletcher4 checksums, PBKDF2 cracking. See disk-and-memory.md.
• Hardware signals: VGA/HDMI TMDS/DisplayPort, Voyager audio, Flipper Zero. See signals-and-hardware.md.
• G-code visualization: Side projections (XZ/YZ) reveal text. See 3d-printing.md.
• Git directory recovery: gitdumper.sh for exposed .git dirs. See linux-forensics.md.

HTTP Exfiltration in PCAP

Quick path: tshark --export-objects http,/tmp/objects extracts uploaded files instantly. Check for multipart POST uploads, unusual User-Agent strings, and exfiltrated files (images with flag text). See network.md.

Common Encodings

echo "base64string" | base64 -d
echo "hexstring" | xxd -r -p
# ROT13: tr 'A-Za-z' 'N-ZA-Mn-za-m'

ROT18: ROT13 on letters + ROT5 on digits. Common final layer in multi-stage forensics. See linux-forensics.md for implementation.