🇺🇸English

CTF Forensics & Blockchain

Quick reference for forensics CTF challenges. Each technique has a one-liner here; see supporting files for full details.

Additional Resources

• 3d-printing.md - 3D printing forensics (PrusaSlicer binary G-code, QOIF, heatshrink)
• windows.md - Windows forensics (registry, SAM, event logs, recycle bin, NTFS alternate data streams, USN journal, PowerShell history, Defender MPLog, WMI persistence, Amcache)
• network.md - Network forensics basics (tcpdump, TLS/SSL keylog decryption, TLS master key extraction from coredump, Wireshark, PCAP, port scanning, SMB3 decryption, 5G/NR protocols, WordPress recon, credentials, USB HID steno, BCD encoding, HTTP file upload exfiltration, split archive reassembly via timestamp ordering)
• network-advanced.md - Advanced network forensics (packet interval timing encoding, USB HID mouse/pen drawing recovery, NTLMv2 hash cracking, TCP flag covert channel, DNS last-byte steganography, DNS trailing byte binary encoding, multi-layer PCAP with XOR + ZIP and mDNS key, Brotli decompression bomb seam analysis, SMB RID recycling via LSARPC, Timeroasting MS-SNTP hash extraction)
• disk-and-memory.md - Disk/memory forensics (Volatility, disk mounting/carving, VM/OVA/VMDK, coredumps, deleted partitions, ZFS, VMware snapshots, ransomware analysis, GPT GUID encoding, VMDK sparse parsing, APFS snapshot recovery, Windows KAPE triage, WordPerfect macro XOR extraction, minidump ISO 9660 recovery, RAID 5 XOR recovery, Android forensics, Docker container forensics, cloud storage forensics)
• disk-recovery.md - Disk recovery and extraction patterns (LUKS master key recovery, PRNG timestamp seed brute-force, VBA macro binary recovery, FemtoZip decompression, XFS filesystem reconstruction, tar duplicate entry extraction, nested matryoshka filesystem extraction, anti-carving via null byte interleaving, BTRFS subvolume/snapshot recovery, FAT16 free space data recovery, ext2 orphaned inode recovery via fsck)
• steganography.md - General steganography (binary border stego, PDF multi-layer stego, SVG keyframes, PNG reorder, file overlays, GIF frame diff Morse code, GZSteg + spammimic, spreadsheet frequency recovery, Kitty terminal graphics protocol decoding, ANSI escape sequence steganography, autostereogram solving, two-layer byte+line interleaving, multi-stream video container stego)
• stego-image.md - Image-specific steganography (JPEG unused DQT table LSB, BMP bitplane QR extraction, image puzzle reassembly, F5 JPEG DCT ratio detection, PNG unused palette entry stego, QR code tile reconstruction, seed-based pixel permutation + multi-bitplane QR, JPEG thumbnail pixel-to-text mapping, conditional LSB with pixel filtering, JPEG slack space, nearest-neighbor interpolation stego, RGB parity steganography)
• stego-advanced.md - Advanced steganography (FFT frequency domain, DTMF audio, SSTV+LSB, custom frequency dual-tone keypad, multi-track audio differential subtraction, cross-channel multi-bit LSB, audio FFT musical notes, audio metadata octal encoding, nested tar whitespace encoding, audio waveform binary encoding, audio spectrogram hidden QR, video frame accumulation, reversed audio, JPEG XL TOC permutation steganography)
• linux-forensics.md - Linux/app forensics (log analysis, Docker image forensics, attack chains, browser credentials, Firefox history, TFTP, TLS weak RSA, USB audio, Git directory recovery, KeePass v4 cracking, Git reflog/fsck squash recovery, browser artifact analysis (Chrome/Chromium/Firefox history, cookies, downloads, local storage, session restore), corrupted git blob repair via byte brute-force, VBA macro Excel cell data to ELF binary extraction)
• signals-and-hardware.md - Hardware signal decoding with decode code (VGA frame parsing, HDMI TMDS symbol decode, DisplayPort 8b/10b + LFSR descrambler), Voyager Golden Record audio, Saleae Logic 2 UART decode, Flipper Zero .sub files, side-channel power analysis (DPA), keyboard acoustic side-channel, CD audio disc image steganography (CIRC de-interleaving + spiral rendering), Linux input_event keylogger dump parsing

---

Quick Start Commands

# File analysis
file suspicious_file
exiftool suspicious_file     # Metadata
binwalk suspicious_file      # Embedded files
strings -n 8 suspicious_file
hexdump -C suspicious_file | head  # Check magic bytes

# Disk forensics
sudo mount -o loop,ro image.dd /mnt/evidence
fls -r image.dd              # List files
photorec image.dd            # Carve deleted files

# Memory forensics (Volatility 3)
vol3 -f memory.dmp windows.info
vol3 -f memory.dmp windows.pslist
vol3 -f memory.dmp windows.filescan

See disk-and-memory.md for full Volatility plugin reference, VM forensics, and coredump analysis.

Log Analysis

grep -iE "(flag|part|piece|fragment)" server.log     # Flag fragments
grep "FLAGPART" server.log | sed 's/.*FLAGPART: //' | uniq | tr -d '\n'  # Reconstruct
sort logfile.log | uniq -c | sort -rn | head         # Find anomalies

See linux-forensics.md for Linux attack chain analysis and Docker image forensics.

Windows Event Logs (.evtx)

Key Event IDs:

• 1001 - Bugcheck/reboot
• 1102 - Audit log cleared
• 4720 - User account created
• 4781 - Account renamed

RDP Session IDs (TerminalServices-LocalSessionManager):

• 21 - Session logon succeeded

• 24 - Session disconnected

• 1149 - RDP auth succeeded (RemoteConnectionManager, has source IP)

  import Evtx.Evtx as evtx with evtx.Evtx("Security.evtx") as log: for record in log.records(): print(record.xml())

See windows.md for full event ID tables, registry analysis, SAM parsing, USN journal, and anti-forensics detection.

• NTFS Alternate Data Streams (ADS): Hidden data attached to files via named NTFS streams. Invisible to dir/Explorer. Detect with fls -r image.dd | grep ":", extract with icat. See windows.md.

When Logs Are Cleared

If attacker cleared event logs, use these alternative sources:

1. USN Journal ($J) - File operations timeline (MFT ref, timestamps, reasons)
2. SAM registry - Account creation from key last_modified timestamps
3. PowerShell history - ConsoleHost_history.txt (USN DATA_EXTEND = command timing)
4. Defender MPLog - Separate log with threat detections and ASR events
5. Prefetch - Program execution evidence
6. User profile creation - First login time (profile dir in USN journal)

See windows.md for detailed parsing code and anti-forensics detection checklist.

Steganography

steghide extract -sf image.jpg
zsteg image.png              # PNG/BMP analysis
stegsolve                    # Visual analysis

• Binary border stego: Black/white pixels in 1px image border encode bits clockwise

• FFT frequency domain: Image data hidden in 2D FFT magnitude spectrum; try np.fft.fft2 visualization

• DTMF audio: Phone tones encoding data; decode with multimon-ng -a DTMF

• Multi-layer PDF: Check hidden comments, post-EOF data, XOR with keywords, ROT18 final layer

• SSTV + LSB: SSTV signal may be red herring; check 2-bit LSB of audio samples with stegolsb

• SVG keyframes: Animation keyTimes/values attributes encode binary/Morse via fill color alternation

• PNG chunk reorder: Fix chunk order: IHDR → ancillary → IDAT (in order) → IEND

• Check after IEND for appended archives with overwritten magic bytes

See steganography.md and stego-advanced.md for full code examples and decoding workflows.

PDF Analysis

exiftool document.pdf        # Metadata (often hides flags!)
pdftotext document.pdf -     # Extract text
strings document.pdf | grep -i flag
binwalk document.pdf         # Embedded files

Advanced PDF stego (Nullcon 2026 rdctd): Six techniques -- invisible text separators, URI annotations with escaped braces, Wiener deconvolution on blurred images, vector rectangle QR codes, compressed object streams (mutool clean -d), document metadata fields.

See steganography.md for full PDF steganography techniques and code.

Disk / VM / Memory Forensics

# Disk images
sudo mount -o loop,ro image.dd /mnt/evidence
fls -r image.dd && photorec image.dd

# VM images (OVA/VMDK)
tar -xvf machine.ova
7z x disk.vmdk -oextracted "Windows/System32/config/SAM" -r

# Memory (Volatility 3)
vol3 -f memory.dmp windows.pslist
vol3 -f memory.dmp windows.cmdline
vol3 -f memory.dmp windows.netscan
vol3 -f memory.dmp windows.dumpfiles --physaddr <addr>

# String carving
strings -a -n 6 memdump.bin | grep -E "FLAG|SSH_CLIENT|SESSION_KEY"

# Coredump
gdb -c core.dump  # info registers, x/100x $rsp, find "flag"

See disk-and-memory.md for full Volatility plugin reference, VM forensics, VMware snapshots, deleted partition recovery, ZFS forensics, and ransomware analysis.

Windows Password Hashes

# Extract with impacket, crack with hashcat -m 1000
python -c "from impacket.examples.secretsdump import *; SAMHashes('SAM', LocalOperations('SYSTEM').getBootKey()).dump()"

See windows.md for SAM details and network-advanced.md for NTLMv2 cracking from PCAP.

Bitcoin Tracing

• Use mempool.space API: https://mempool.space/api/tx/<TXID>
• Peel chain: ALWAYS follow LARGER output; round amounts indicate peels

Uncommon File Magic Bytes

Common Flag Locations

• PDF metadata fields (Author, Title, Keywords)
• Image EXIF data
• Deleted files (Recycle Bin $R files)
• Registry values
• Browser history
• Log file fragments
• Memory strings

WMI Persistence Analysis

Pattern (Backchimney): Malware uses WMI event subscriptions for persistence (MITRE T1546.003).

python PyWMIPersistenceFinder.py OBJECTS.DATA

• Look for FilterToConsumerBindings with CommandLineEventConsumer
• Base64-encoded PowerShell in consumer commands
• Event filters triggered on system events (logon, timer)

See windows.md for WMI repository analysis details.

Network Forensics Quick Reference

• TFTP netascii: Binary transfers corrupted; fix with data.replace(b'\r\n', b'\n').replace(b'\r\x00', b'\r')
• TLS keylog decryption: Import SSLKEYLOGFILE or RSA private key into Wireshark (Edit → Preferences → Protocols → TLS)
• TLS weak RSA: Extract cert, factor modulus, generate private key with rsatool, add to Wireshark
• USB audio: Extract isochronous data with tshark -e usb.iso.data, import as raw PCM in Audacity
• NTLMv2 from PCAP: Extract server challenge + NTProofStr + blob from NTLMSSP_AUTH, brute-force

See network.md for SMB3 decryption, credential extraction, and linux-forensics.md for full TLS/TFTP/USB workflows.

Browser Forensics

• Chrome/Edge: Decrypt Login Data SQLite with AES-GCM using DPAPI master key
• Firefox: Query places.sqlite -- SELECT url FROM moz_places WHERE url LIKE '%flag%'

See linux-forensics.md for full browser credential decryption code.

Additional Technique Quick References

• Docker image forensics: Config JSON preserves ALL RUN commands even after cleanup. tar xf app.tar then inspect config blob. See linux-forensics.md.
• Linux attack chains: Check auth.log, .bash_history, recent binaries, PCAP. See linux-forensics.md.
• RAID 5 XOR recovery: Two disks of a 3-disk RAID 5 → XOR byte-by-byte to recover the third: bytes(a ^ b for a, b in zip(disk1, disk3)). See disk-and-memory.md.
• PowerShell ransomware: Extract scripts from minidump, find AES key, decrypt SMTP attachment. See disk-and-memory.md.
• Linux ransomware + memory dump: If Volatility is unreliable, recover AES key via raw-memory candidate scanning and magic-byte validation; re-extract zip cleanly to avoid missing files/false negatives. See .

SMB RID Recycling via LSARPC (Midnight 2026)

Enumerate AD accounts from PCAP by analyzing LSARPC LsaLookupSids calls with sequential RIDs after Guest auth. Filter: dcerpc.cn_bind_to_str contains lsarpc.

See network-advanced.md for full RPC call sequence and Wireshark filters.

Timeroasting / MS-SNTP Hash Extraction (Midnight 2026)

Extract crackable HMAC-MD5 hashes from MS-SNTP responses by sending NTP requests with machine account RIDs. Crack with hashcat -m 31300.

# Extract NTP payloads, convert to hashcat format, crack
tshark -r capture.pcapng -Y "ntp && ip.src == <DC_IP>" -T fields -e udp.payload
hashcat -m 31300 -a 0 -O hashes.txt rockyou.txt --username

See network-advanced.md for payload parsing script and full attack chain.

HTTP Exfiltration in PCAP

Quick path: tshark --export-objects http,/tmp/objects extracts uploaded files instantly. Check for multipart POST uploads, unusual User-Agent strings, and exfiltrated files (images with flag text). See network.md.

Common Encodings

echo "base64string" | base64 -d
echo "hexstring" | xxd -r -p
# ROT13: tr 'A-Za-z' 'N-ZA-Mn-za-m'

ROT18: ROT13 on letters + ROT5 on digits. Common final layer in multi-stage forensics. See linux-forensics.md for implementation.

Weekly Installs

697

Repository

ljagiello/ctf-skills

GitHub Stars

694

First Seen

Feb 1, 2026

Security Audits

Gen Agent Trust HubPassSocketWarnSnykFail

Installed on

codex682

opencode681

github-copilot670

gemini-cli668

amp667

kimi-cli666