Get the FREE Ultimate OpenClaw Setup Guide →

ctf-forensics

Flagged

{"isSafe":false,"isSuspicious":true,"riskLevel":"high","findings":[{"category":"shell_command","severity":"high","description":"Credential dumping via Impacket: Python snippet dumping Windows SAM hashes using LocalOperations.getBootKey() and SAM file access (unsafe if misused outside forensics/incident response).","evidence":"import SAMHashes('SAM', LocalOperations('SYSTEM').getBootKey()).dump()"},{"category":"shell_command","severity":"high","description":"Credential cracking setup: Using hashcat to crack dumped SAM hashes (-m 1000) after extraction, which enables password credential compromise.","evidence":"hashcat -m 1000"}],"summary":"The content includes high-risk credential-access techniques (Windows SAM hash extraction and subsequent cracking). While part of forensics/incident response, these patterns could be misused for unauthorized credential access. Consider redacting or clearly labeling such sections, or providing safer, abstracted examples for teaching purposes."}

npx machina-cli add skill ljagiello/ctf-skills/ctf-forensics --openclaw
Files (1)
SKILL.md
12.4 KB

CTF Forensics & Blockchain

Quick reference for forensics CTF challenges. Each technique has a one-liner here; see supporting files for full details.

Additional Resources

  • 3d-printing.md - 3D printing forensics (PrusaSlicer binary G-code, QOIF, heatshrink)
  • windows.md - Windows forensics (registry, SAM, event logs, recycle bin, USN journal, PowerShell history, Defender MPLog, WMI persistence, Amcache)
  • network.md - Network forensics (PCAP, SMB3, WordPress, credentials, NTLMv2 cracking, USB HID steno, USB HID mouse/pen drawing recovery, BCD encoding, HTTP file upload exfiltration, packet interval timing encoding)
  • disk-and-memory.md - Disk/memory forensics (Volatility, disk mounting/carving, VM/OVA/VMDK, coredumps, deleted partitions, ZFS, VMware snapshots, ransomware analysis, GPT GUID encoding, VMDK sparse parsing)
  • steganography.md - Steganography (binary border stego, PDF multi-layer stego, FFT frequency domain, DTMF audio, SSTV+LSB, SVG keyframes, PNG reorder, file overlays, JPEG unused DQT table LSB, custom frequency dual-tone keypad, multi-track audio differential subtraction)
  • linux-forensics.md - Linux/app forensics (log analysis, Docker image forensics, attack chains, browser credentials, Firefox history, TFTP, TLS weak RSA, USB audio, Git directory recovery)
  • signals-and-hardware.md - Hardware signal decoding with decode code (VGA frame parsing, HDMI TMDS symbol decode, DisplayPort 8b/10b + LFSR descrambler), Voyager Golden Record audio, Saleae Logic 2 UART decode, Flipper Zero .sub files, side-channel power analysis (DPA)

Quick Start Commands

# File analysis
file suspicious_file
exiftool suspicious_file     # Metadata
binwalk suspicious_file      # Embedded files
strings -n 8 suspicious_file
hexdump -C suspicious_file | head  # Check magic bytes

# Disk forensics
sudo mount -o loop,ro image.dd /mnt/evidence
fls -r image.dd              # List files
photorec image.dd            # Carve deleted files

# Memory forensics (Volatility 3)
vol3 -f memory.dmp windows.info
vol3 -f memory.dmp windows.pslist
vol3 -f memory.dmp windows.filescan

See disk-and-memory.md for full Volatility plugin reference, VM forensics, and coredump analysis.

Log Analysis

grep -iE "(flag|part|piece|fragment)" server.log     # Flag fragments
grep "FLAGPART" server.log | sed 's/.*FLAGPART: //' | uniq | tr -d '\n'  # Reconstruct
sort logfile.log | uniq -c | sort -rn | head         # Find anomalies

See linux-forensics.md for Linux attack chain analysis and Docker image forensics.

Windows Event Logs (.evtx)

Key Event IDs:

  • 1001 - Bugcheck/reboot
  • 1102 - Audit log cleared
  • 4720 - User account created
  • 4781 - Account renamed

RDP Session IDs (TerminalServices-LocalSessionManager):

  • 21 - Session logon succeeded
  • 24 - Session disconnected
  • 1149 - RDP auth succeeded (RemoteConnectionManager, has source IP)
import Evtx.Evtx as evtx
with evtx.Evtx("Security.evtx") as log:
    for record in log.records():
        print(record.xml())

See windows.md for full event ID tables, registry analysis, SAM parsing, USN journal, and anti-forensics detection.

When Logs Are Cleared

If attacker cleared event logs, use these alternative sources:

  1. USN Journal ($J) - File operations timeline (MFT ref, timestamps, reasons)
  2. SAM registry - Account creation from key last_modified timestamps
  3. PowerShell history - ConsoleHost_history.txt (USN DATA_EXTEND = command timing)
  4. Defender MPLog - Separate log with threat detections and ASR events
  5. Prefetch - Program execution evidence
  6. User profile creation - First login time (profile dir in USN journal)

See windows.md for detailed parsing code and anti-forensics detection checklist.

Steganography

steghide extract -sf image.jpg
zsteg image.png              # PNG/BMP analysis
stegsolve                    # Visual analysis

  • Binary border stego: Black/white pixels in 1px image border encode bits clockwise

  • FFT frequency domain: Image data hidden in 2D FFT magnitude spectrum; try np.fft.fft2 visualization

  • DTMF audio: Phone tones encoding data; decode with multimon-ng -a DTMF

  • Multi-layer PDF: Check hidden comments, post-EOF data, XOR with keywords, ROT18 final layer

  • SSTV + LSB: SSTV signal may be red herring; check 2-bit LSB of audio samples with stegolsb

  • SVG keyframes: Animation keyTimes/values attributes encode binary/Morse via fill color alternation

  • PNG chunk reorder: Fix chunk order: IHDR → ancillary → IDAT (in order) → IEND

  • File overlays: Check after IEND for appended archives with overwritten magic bytes

  • Custom freq DTMF: Non-standard dual-tone frequencies; generate spectrogram first (ffmpeg -i audio -lavfi showspectrumpic), map custom grid to keypad digits, decode variable-length ASCII

  • JPEG DQT LSB: Unused quantization tables (ID 2, 3) carry LSB-encoded data; access via Image.open().quantization and extract bit 0 from each of 64 values

  • Multi-track audio subtraction: Two nearly-identical audio tracks in MKV/video; sox -m a0.wav "|sox a1.wav -p vol -1" diff.wav cancels shared content, flag appears in spectrogram of difference signal (5-12 kHz band)

  • Packet interval timing: Identical packets with two distinct interval values (e.g., 10ms/100ms) encode binary; filter by interface, compute inter-packet deltas, threshold to bits

See steganography.md for full code examples and decoding workflows.

PDF Analysis

exiftool document.pdf        # Metadata (often hides flags!)
pdftotext document.pdf -     # Extract text
strings document.pdf | grep -i flag
binwalk document.pdf         # Embedded files

Advanced PDF stego (Nullcon 2026 rdctd): Six techniques -- invisible text separators, URI annotations with escaped braces, Wiener deconvolution on blurred images, vector rectangle QR codes, compressed object streams (mutool clean -d), document metadata fields.

See steganography.md for full PDF steganography techniques and code.

Disk / VM / Memory Forensics

# Disk images
sudo mount -o loop,ro image.dd /mnt/evidence
fls -r image.dd && photorec image.dd

# VM images (OVA/VMDK)
tar -xvf machine.ova
7z x disk.vmdk -oextracted "Windows/System32/config/SAM" -r

# Memory (Volatility 3)
vol3 -f memory.dmp windows.pslist
vol3 -f memory.dmp windows.cmdline
vol3 -f memory.dmp windows.netscan
vol3 -f memory.dmp windows.dumpfiles --physaddr <addr>

# String carving
strings -a -n 6 memdump.bin | grep -E "FLAG|SSH_CLIENT|SESSION_KEY"

# Coredump
gdb -c core.dump  # info registers, x/100x $rsp, find "flag"

See disk-and-memory.md for full Volatility plugin reference, VM forensics, VMware snapshots, deleted partition recovery, ZFS forensics, and ransomware analysis.

Windows Password Hashes

# Extract with impacket, crack with hashcat -m 1000
python -c "from impacket.examples.secretsdump import *; SAMHashes('SAM', LocalOperations('SYSTEM').getBootKey()).dump()"

See windows.md for SAM details and network.md for NTLMv2 cracking from PCAP.

Bitcoin Tracing

  • Use mempool.space API: https://mempool.space/api/tx/<TXID>
  • Peel chain: ALWAYS follow LARGER output; round amounts indicate peels

Uncommon File Magic Bytes

MagicFormatExtensionNotes
OggSOgg container.oggAudio/video
RIFFRIFF container.wav,.aviCheck subformat
%PDFPDF.pdfCheck metadata & embedded objects
GCDEPrusaSlicer binary G-code.g, .bgcodeSee 3d-printing.md

Common Flag Locations

  • PDF metadata fields (Author, Title, Keywords)
  • Image EXIF data
  • Deleted files (Recycle Bin $R files)
  • Registry values
  • Browser history
  • Log file fragments
  • Memory strings

WMI Persistence Analysis

Pattern (Backchimney): Malware uses WMI event subscriptions for persistence (MITRE T1546.003).

python PyWMIPersistenceFinder.py OBJECTS.DATA
  • Look for FilterToConsumerBindings with CommandLineEventConsumer
  • Base64-encoded PowerShell in consumer commands
  • Event filters triggered on system events (logon, timer)

See windows.md for WMI repository analysis details.

Network Forensics Quick Reference

  • TFTP netascii: Binary transfers corrupted; fix with data.replace(b'\r\n', b'\n').replace(b'\r\x00', b'\r')
  • TLS weak RSA: Extract cert, factor modulus, generate private key with rsatool, add to Wireshark
  • USB audio: Extract isochronous data with tshark -e usb.iso.data, import as raw PCM in Audacity
  • NTLMv2 from PCAP: Extract server challenge + NTProofStr + blob from NTLMSSP_AUTH, brute-force

See network.md for SMB3 decryption, credential extraction, and linux-forensics.md for full TLS/TFTP/USB workflows.

Browser Forensics

  • Chrome/Edge: Decrypt Login Data SQLite with AES-GCM using DPAPI master key
  • Firefox: Query places.sqlite -- SELECT url FROM moz_places WHERE url LIKE '%flag%'

See linux-forensics.md for full browser credential decryption code.

Additional Technique Quick References

  • Docker image forensics: Config JSON preserves ALL RUN commands even after cleanup. tar xf app.tar then inspect config blob. See linux-forensics.md.
  • Linux attack chains: Check auth.log, .bash_history, recent binaries, PCAP. See linux-forensics.md.
  • PowerShell ransomware: Extract scripts from minidump, find AES key, decrypt SMTP attachment. See disk-and-memory.md.
  • Linux ransomware + memory dump: If Volatility is unreliable, recover AES key via raw-memory candidate scanning and magic-byte validation; re-extract zip cleanly to avoid missing files/false negatives. See disk-and-memory.md.
  • Deleted partitions: testdisk or kpartx -av. See disk-and-memory.md.
  • ZFS forensics: Reconstruct labels, Fletcher4 checksums, PBKDF2 cracking. See disk-and-memory.md.
  • Hardware signals: VGA/HDMI TMDS/DisplayPort, Voyager audio, Saleae UART decode, Flipper Zero. See signals-and-hardware.md.
  • USB HID mouse drawing: Render relative HID movements per draw mode as bitmap; separate modes, skip pen lifts, scale 5-8x. See network.md.
  • Side-channel power analysis: Multi-dimensional power traces (positions × guesses × traces × samples). Average across traces, find sample with max variance, select guess with max power at leak point. See signals-and-hardware.md.
  • Packet interval timing: Binary data encoded as inter-packet delays in PCAP. Two interval values = two bit values. See network.md.
  • G-code visualization: Side projections (XZ/YZ) reveal text. See 3d-printing.md.
  • Git directory recovery: gitdumper.sh for exposed .git dirs. See linux-forensics.md.

HTTP Exfiltration in PCAP

Quick path: tshark --export-objects http,/tmp/objects extracts uploaded files instantly. Check for multipart POST uploads, unusual User-Agent strings, and exfiltrated files (images with flag text). See network.md.

Common Encodings

echo "base64string" | base64 -d
echo "hexstring" | xxd -r -p
# ROT13: tr 'A-Za-z' 'N-ZA-Mn-za-m'

ROT18: ROT13 on letters + ROT5 on digits. Common final layer in multi-stage forensics. See linux-forensics.md for implementation.

Source

git clone https://github.com/ljagiello/ctf-skills/blob/main/ctf-forensics/SKILL.mdView on GitHub

Overview

This skill provides digital forensics and signal analysis tailored to CTF challenges. It covers disk images, memory dumps, event logs, network captures, steganography, PDF analysis, Windows registry, Volatility-based memory forensics, PCAPs, Docker images, coredumps, side-channel traces, DTMF spectrograms, and packet timing analysis, including recovering deleted files and credentials.

How This Skill Works

The workflow combines command-line analysis tools and memory/disk forensics to extract artifacts from a variety of data sources. It assumes a filesystem-based agent with Bash and Python 3, enabling installation of tools like exiftool, binwalk, strings, photorec, Volatility 3, and PCAP/log parsers. Results are organized in a reproducible folder structure and documented for review and reporting.

When to Use It

  • You have a disk image or memory dump from a CTF challenge and need to surface artifacts.
  • You must inspect network captures (PCAPs) for exfiltration, timing channels, or steganography.
  • You are analyzing Windows artifacts (registry, EVTX logs) and performing memory forensics with Volatility.
  • You are exploring steganography, PDFs, DTMF audio spectrograms, or side-channel traces for hidden data.
  • You need to recover deleted files or credentials from disks, core dumps, or related artifacts.

Quick Start

  1. Step 1: Run initial file and metadata checks: file suspicious_file; exiftool suspicious_file; binwalk suspicious_file; strings -n 8 suspicious_file; hexdump -C suspicious_file | head.
  2. Step 2: For disk images, mount read-only and carve deleted files (photorec); for memory dumps, run Volatility 3 (vol3 -f memory.dmp windows.info, windows.pslist, windows.filescan).
  3. Step 3: Analyze network data and logs (PCAPs, EVTX, registry), then compile findings into a reproducible report with references to commands and outputs.

Best Practices

  • Work on a read-only copy of the artifact and verify hashes to preserve integrity.
  • Preserve chain of custody and document every command, tool version, and environment.
  • Use artifact-specific tools in a layered approach (metadata/file traits, carve/delete artifacts, then artifact-specific analysis).
  • Maintain a clean folder structure: raw/, processed/, artifacts/, reports/ and include reproducible commands.
  • Cross-validate findings across artifact types (logs, memory, disk, PCAP, registry) to corroborate conclusions.

Example Use Cases

  • Extract a hidden credential from a Windows EVTX log and registry artifacts using Volatility and Windows artifact analysis.
  • Carve deleted files from a disk image with photorec and verify results with hash comparisons.
  • Decode a DTMF audio broadcast from a capture to reveal a passphrase or exfiltration channel.
  • Trace cryptocurrency-related activity by combining transaction metadata with related logs and artifact clues.
  • Identify multi-layer PDF steganography and extract the embedded payload for further analysis.

Frequently Asked Questions

Add this skill to your agents
Sponsor this space

Reach thousands of developers