Category: Forensics

tl;dr

Analysis of different types of malware in a linear storyline
Windows timelining
Analysis of Rootkit, Ransomware, C2 Framework, Process Hollowing, Persistence, and more

bi0sCTF Incident Response Malware Analysis Threat Hunting bi0sctf2024 Ransomware Ransomware Analysis Ransomware Investigation Ransomware Recovery Reverse Engineering Windows Forensics Rootkit Analysis C2 Analysis Windows timelining

Batman Investigation III - Th3 Sw0rd 0f Azr43l - bi0sCTF 2024

Azr43lKn1ght

2024-03-19

Forensics

tl;dr

Challenge 2 of Batman Investigation series
Ransomware Investigation
Rust based Ransomware Analysis with process dump analysis to recover the randomly generated decryption vector and windows malware analysis
Recovering from a ransomware attack

bi0sCTF Incident Response Malware Analysis WinDBG Dump Debugging Threat Hunting bi0sctf2024 Ransomware Ransomware Analysis Ransomware Investigation File Forensics Ransomware Recovery Reverse Engineering Windows Forensics Browser Forensics Process Memory Analysis

ReAL-File-System - bi0sCTF 2024

5h4rrK

2024-03-12

Forensics

Full detailed writeup for ReAL-File-System which is centered around ReFS Log Analysis.

tl;dr

Disk Forensics
Resilient File System
Log Analysis

bi0sCTF2024 Resilient File System File System Analysis Log Analysis File System Forensics ReFS

verboten - bi0sCTF 2024

sp3p3x

jl_24

2024-03-08

Forensics

tl;dr

Registry Hives analysis
Analyse Chrome browser artifacts
Analyse Slack artifacts
Analyse AnyDesk artifacts
Analyse artifacts for evidence of execution
Analyse clipboard artifacts

Incident Response USB Slack Windows Activity timeline bi0sCTFs AnyDesk prefetch Chrome

Batman Investigation I - Like Father Like Son - bi0sCTF 2024

Azr43lKn1ght

2024-03-05

Forensics

Full solution of Batman Investigation II - Gotham Underground Corruption from bi0sctf 2024

tl;dr

Challenge 1 of Batman Investigation series
Memory Forensics - WinDBG Dump Debugging - Malware Analysis - Incident Response - Threat Hunting

bi0sCTF Memory Forensics Incident Response Malware Analysis WinDBG Dump Debugging Threat Hunting

Batman Investigation II - Gotham Underground Corruption - bi0sCTF 2024

Azr43lKn1ght

2024-02-27

Forensics

Full solution of Batman Investigation II - Gotham Underground Corruption from bi0sctf 2024

tl;dr

Challenge 2 of Batman Investigation series
Memory Forensics - WinDBG Dump Debugging - Malware Analysis - Blockchain Forensics - Password Retrieval - MAC Artefact Analysis

Memory Forensics Incident Response Malware Analysis WinDBG Dump Debugging bi0sctf2024 Blockchain Forensics Password Retrieval MAC Artefact Analysis

The Big Score - InCTF Internationals 2021

d3liri0us

2021-08-20

Forensics / Memory

tl;dr

Create a Linux profile for Ubuntu 18.04 (5.4.0-42-generic) in Volatility
Use linux_bash plugin to get link to the repo and linux_find_file plugin to recover the filepath
Decode the keyboard stream data to retrieve the flag

InCTFi Memory Linux

Heist Ends - InCTF Internationals 2021

g4rud4

2021-08-16

Forensics / Android

tl;dr

Extract creation timestamp of a note from Google Keep Notes.
Finding location, date & time from Slack Messages.
Extract no. of tasks completed and created from Google Tasks.
Finding secret code from Google Docs cache.
Extract first opened timestamp of a Game.

InCTFi Android ALEAPP

Heist Continues - InCTF Internationals 2021

g4rud4

2021-08-16

Forensics / Windows

tl;dr

Extract User ID and Workspace ID of the Slack workspace participating.
Extract the first & last 3 characters of text from the Anydesk Remote connected PC’s thumbnail wallpaper.
Extract the type of filesystem of the USBs connected to the system.
Extracting active duration of Voice Modulator application used by parsing Windows Activity timeline.

InCTFi USB Slack Windows Activity timeline Anydesk

Heist - InCTF Internationals 2021

g4rud4

2021-08-16

Forensics / Windows

tl;dr

Finding default browser and the top visited website.
Extract timestamp, ID, Hostname of the TeamViewer FileTransfer session.

InCTFi Browser Forensics TeamViewer