
Forensics

Forensics challenges involve recovering evidence from disk images, memory dumps, packet captures, and log files. Skills include file carving, steganography, timeline analysis, and artifact interpretation.

What is it?

Digital forensics is the process of acquiring, preserving, and analysing digital evidence. Investigators examine hard drives, memory snapshots, network captures, and logs to reconstruct what happened, when, and by whom.

Forensics underpins incident response, legal proceedings, and malware analysis. The discipline blends operating-system internals knowledge with investigative methodology and a strict chain-of-custody mindset: evidence is hashed on acquisition and worked on from copies, never the original.

How it works in a CTF

In a CTF, you receive a file (PCAP, disk image, memory dump, photograph, archive) and must uncover a hidden flag or answer questions about an attack. The flag may have been deleted, buried in metadata, encoded into an image's pixels, or carried inside network traffic (often encoded, sometimes encrypted, so you may also need to recover the key or scheme from the same capture).

Common workflow: identify the artefact type → use the appropriate tool (Wireshark, Volatility, Autopsy, ExifTool) → search for patterns or anomalies → extract and decode the flag.

Example challenge types
Recover deleted file from disk image
Extract flag from PCAP (follow TCP stream)
Steganography (LSB in PNG)
Memory dump: find running process secrets
Metadata extraction (GPS in photo)
NTFS alternate data streams
Browser history / SQLite artefacts
File carving (no filesystem)
Log analysis (find attacker IP)
Email header analysis
Encoded payload in DNS queries
Corrupted ZIP / PNG header repair

Sample Challenge

Late Night Packet
Forensics · Easy · 100 pts
The SOC team captured network traffic during a suspected data exfiltration. You receive a .pcap file. Your goal is to find what was stolen and recover the flag hidden inside the transferred data.
Attachment: capture.pcap
How to solve it
  1. Open capture.pcap in Wireshark. Go to Statistics → Protocol Hierarchy and note the unusually large share of HTTP traffic for a supposedly quiet network.
  2. Apply the display filter `http.request.method == "POST"` and look for requests from an internal host to an external IP. Right-click the request → Follow → HTTP Stream.
  3. The POST body is a single Base64 blob (only the characters A-Z, a-z, 0-9, +, / and trailing =). Copy the encoded blob.
  4. Decode it to a file rather than to the terminal, then check what it is: `echo '<blob>' | base64 -d > stolen.png && file stolen.png`. The output should report "PNG image data"; if it does not, check that the blob was copied without line breaks or surrounding HTTP headers.
  5. Open the image to reveal the flag printed on it.
FLAG{pcap_foll0w_the_str34m}
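The same five steps done without Wireshark, as an added example that is not part of the original challenge or its solution. The capture is constructed inline by the script itself (the client 10.0.0.5, the server 203.0.113.9 and the path /upload are assumptions), the POST is split into two TCP segments written to the file out of order so that reassembly by sequence number actually matters, and because no image viewer is available offline the flag is placed in a PNG tEXt chunk as a stand-in for text rendered into the pixels. Only the standard library is used.

```python
# Added example, not from the original page: parse a classic .pcap, reassemble
# each TCP direction by sequence number, find the HTTP POST, base64-decode its
# body and verify the result is a PNG. The sample capture is constructed below.
import base64
import struct
import zlib
from collections import defaultdict

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def iter_frames(pcap: bytes):
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap file."""
    (magic,) = struct.unpack("<I", pcap[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    off = 24  # global header: magic, version, tz, sigfigs, snaplen, linktype
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_segment(frame: bytes):
    """Return ((src, sport, dst, dport), seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # IP protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), seq, tcp[data_off:]


def reassemble_streams(pcap: bytes) -> dict:
    """Join each direction's payloads in sequence order (no overlap handling, fine for CTF data)."""
    streams = defaultdict(dict)
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg and seg[2]:
            key, seq, payload = seg
            streams[key][seq] = payload  # a retransmission simply overwrites
    return {k: b"".join(parts[s] for s in sorted(parts)) for k, parts in streams.items()}


def extract_posted_png(pcap: bytes) -> bytes:
    """Find the first HTTP POST, decode its base64 body and check the PNG signature."""
    for key, data in reassemble_streams(pcap).items():
        if not data.startswith(b"POST "):
            continue
        head, _, rest = data.partition(b"\r\n\r\n")
        headers = dict(h.split(b": ", 1) for h in head.split(b"\r\n")[1:])
        body = rest[: int(headers.get(b"Content-Length", len(rest)))]
        decoded = base64.b64decode(body, validate=True)  # reject stray characters
        if decoded.startswith(PNG_MAGIC):
            return decoded
        raise ValueError(f"POST from {key[0]}:{key[1]} decoded, but it is not a PNG")
    raise ValueError("no HTTP POST found in capture")


def png_text_chunks(png: bytes) -> dict:
    """Return tEXt chunks as {keyword: text}; a common place to stash a CTF flag."""
    out, off = {}, len(PNG_MAGIC)
    while off + 8 <= len(png):
        length, ctype = struct.unpack("!I4s", png[off:off + 8])
        body = png[off + 8:off + 8 + length]
        if ctype == b"tEXt":
            keyword, _, text = body.partition(b"\x00")
            out[keyword.decode()] = text.decode()
        off += 12 + length  # 4 length + 4 type + data + 4 CRC
    return out


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack("!I", len(body)) + ctype + body + struct.pack("!I", zlib.crc32(ctype + body))


def build_sample_pcap(flag: str = "FLAG{constructed_sample}") -> bytes:
    """Constructed capture: a 1x1 PNG holding the flag in a tEXt chunk, POSTed as base64
    in two TCP segments that are written to the file out of order."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    png = (PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", b"Comment\x00" + flag.encode())
           + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))
    body = base64.b64encode(png)
    http = b"POST /upload HTTP/1.1\r\nHost: 203.0.113.9\r\nContent-Length: %d\r\n\r\n" % len(body) + body
    half = len(http) // 2
    segs = [(1000 + half, http[half:]), (1000, http[:half])]  # second half first

    def frame(seq: int, payload: bytes) -> bytes:
        tcp = struct.pack("!HHIIBBHHH", 49152, 80, seq, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes([10, 0, 0, 5]), bytes([203, 0, 113, 9])) + tcp
        eth = b"\x00" * 12 + b"\x08\x00" + ip
        return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return header + b"".join(frame(s, p) for s, p in segs)


if __name__ == "__main__":
    capture = build_sample_pcap("FLAG{pcap_foll0w_the_str34m}")
    image = extract_posted_png(capture)
    open("stolen.png", "wb").write(image)  # then inspect with: file stolen.png
    print(png_text_chunks(image))
```

Running the script writes stolen.png and prints the tEXt chunks, which for the constructed capture contain the flag. On a real capture.pcap replace `build_sample_pcap(...)` with `open("capture.pcap", "rb").read()`; the parser handles classic pcap on Ethernet only, so a pcapng file must first be converted (for example with Wireshark's Save As or `editcap -F pcap`), and `validate=True` will raise if the copied body still contains headers or line breaks, which is the same failure the manual `base64 -d` step hits.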

Getting Started Tips

💡 Tip: Always run `file` and `exiftool` on every artefact first — metadata often contains the flag or a direct hint.
💡 Tip: For PCAP challenges, use Wireshark's Statistics > Protocol Hierarchy to understand traffic composition, then Follow TCP/HTTP Streams for content.
💡 Tip: Memory dumps: start with the Volatility 3 plugins `windows.pslist`, `windows.netscan`, and `windows.cmdline` to map the incident (what ran, what it talked to, how it was launched) before digging deeper.
💡 Tip: Steganography tools to try in order: `strings`, `exiftool`, `steghide`, `zsteg` (for PNGs), and `binwalk` for embedded files.