# ctf-forensics

Installs: 335
Rank: #2763

## Install

```
npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-forensics
```

# CTF Forensics & Blockchain

Quick reference for forensics CTF challenges. Each technique has a one-liner here; see the supporting files for full details.

## Additional Resources

- `3d-printing.md` - 3D printing forensics (PrusaSlicer binary G-code, QOIF, heatshrink)
- `windows.md` - Windows forensics (registry, SAM, event logs, recycle bin, USN journal, PowerShell history, Defender MPLog, WMI persistence, Amcache)
- `network.md` - Network forensics (PCAP, SMB3, WordPress, credentials, NTLMv2 cracking, USB HID steno, USB HID mouse/pen drawing recovery, BCD encoding, HTTP file upload exfiltration, packet interval timing encoding)
- `disk-and-memory.md` - Disk/memory forensics (Volatility, disk mounting/carving, VM/OVA/VMDK, coredumps, deleted partitions, ZFS, VMware snapshots, ransomware analysis, GPT GUID encoding, VMDK sparse parsing)
- `steganography.md` - Steganography (binary border stego, PDF multi-layer stego, FFT frequency domain, DTMF audio, SSTV+LSB, SVG keyframes, PNG reorder, file overlays, JPEG unused DQT table LSB, custom frequency dual-tone keypad, multi-track audio differential subtraction)
- `linux-forensics.md` - Linux/app forensics (log analysis, Docker image forensics, attack chains, browser credentials, Firefox history, TFTP, TLS weak RSA, USB audio, Git directory recovery)
- `signals-and-hardware.md` - Hardware signal decoding with decode code (VGA frame parsing, HDMI TMDS symbol decode, DisplayPort 8b/10b + LFSR descrambler), Voyager Golden Record audio, Saleae Logic 2 UART decode, Flipper Zero .sub files, side-channel power analysis (DPA)

## Quick Start Commands

```bash
# File analysis
file suspicious_file
exiftool suspicious_file            # Metadata
binwalk suspicious_file             # Embedded files
strings -n 8 suspicious_file
hexdump -C suspicious_file | head   # Check magic bytes

# Disk forensics
sudo mount -o loop,ro image.dd /mnt/evidence
fls -r image.dd                     # List files
photorec image.dd                   # Carve deleted files

# Memory forensics (Volatility 3)
vol3 -f memory.dmp windows.info
vol3 -f memory.dmp windows.pslist
vol3 -f memory.dmp windows.filescan
```

See `disk-and-memory.md` for the full Volatility plugin reference, VM forensics, and coredump analysis.

## Log Analysis

```bash
grep -iE "(flag|part|piece|fragment)" server.log                         # Flag fragments
grep "FLAGPART" server.log | sed 's/.*FLAGPART: //' | uniq | tr -d '\n'  # Reconstruct
sort logfile.log | uniq -c | sort -n | head                              # Find anomalies (rarest lines; use sort -rn for the most frequent)
```

See `linux-forensics.md` for Linux attack chain analysis and Docker image forensics.

## Windows Event Logs (.evtx)

Key Event IDs:

- 1001 - Bugcheck/reboot
- 1102 - Audit log cleared
- 4720 - User account created
- 4781 - Account renamed

RDP Session IDs (TerminalServices-LocalSessionManager):

- 21 - Session logon succeeded
- 24 - Session disconnected
- 1149 - RDP auth succeeded (RemoteConnectionManager, has source IP)

```python
import Evtx.Evtx as evtx  # python-evtx

with evtx.Evtx("Security.evtx") as log:
    for record in log.records():
        print(record.xml())
```

See `windows.md` for full event ID tables, registry analysis, SAM parsing, USN journal, and anti-forensics detection.

## When Logs Are Cleared

If the attacker cleared the event logs, use these alternative sources:

- USN Journal (`$J`) - File operations timeline (MFT ref, timestamps, reasons)
- SAM registry - Account creation from key last_modified timestamps
- PowerShell history - `ConsoleHost_history.txt` (USN DATA_EXTEND = command timing)
- Defender MPLog - Separate log with threat detections and ASR events
- Prefetch - Program execution evidence
- User profile creation - First login time (profile dir in USN journal)

See `windows.md` for detailed parsing code and the anti-forensics detection checklist.

## Steganography

```bash
steghide extract -sf image.jpg
zsteg image.png      # PNG/BMP analysis
stegsolve            # Visual analysis
```

- Binary border stego: Black/white pixels in a 1px image border encode bits clockwise
- FFT frequency domain: Image data hidden in the 2D FFT magnitude spectrum; try an `np.fft.fft2` visualization
- DTMF audio: Phone tones encoding data; decode with `multimon-ng -a DTMF`
- Multi-layer PDF: Check hidden comments, post-EOF data, XOR with keywords, ROT18 final layer
- SSTV + LSB: The SSTV signal may be a red herring; check the 2-bit LSB of the audio samples with `stegolsb`
- SVG keyframes: Animation `keyTimes` / `values` attributes encode binary/Morse via fill color alternation
- PNG chunk reorder: Fix chunk order: IHDR → ancillary → IDAT (in order) → IEND
- File overlays: Check after IEND for appended archives with overwritten magic bytes
- Custom freq DTMF: Non-standard dual-tone frequencies; generate a spectrogram first (`ffmpeg -i audio -lavfi showspectrumpic spectrogram.png`), map the custom grid to keypad digits, decode variable-length ASCII
- JPEG DQT LSB: Unused quantization tables (ID 2, 3) carry LSB-encoded data; access via `Image.open().quantization` and extract bit 0 from each of the 64 values
- Multi-track audio subtraction: Two nearly-identical audio tracks in MKV/video; `sox -m a0.wav "|sox a1.wav -p vol -1" diff.wav` cancels the shared content, and the flag appears in the spectrogram of the difference signal (5-12 kHz band)
- Packet interval timing: Identical packets with two distinct interval values (e.g., 10ms/100ms) encode binary; filter by interface, compute inter-packet deltas, threshold to bits

See `steganography.md` for full code examples and decoding workflows.

## PDF Analysis

```bash
exiftool document.pdf               # Metadata (often hides flags!)
pdftotext document.pdf -            # Extract text
strings document.pdf | grep -i flag
binwalk document.pdf                # Embedded files
```
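The PNG chunk reorder and file overlay items in the steganography list above, worked through as an added example (this is not code from the ctf-skills project or its `steganography.md`): a chunk parser that checks CRCs, rebuilds the file in IHDR → ancillary → IDAT → IEND order, and reports whatever follows IEND. The 2x2 RGB sample PNG and its appended "archive" are constructed inside the block; the zip heuristic (bytes `03 04` at offset 2 when the `PK` magic has been overwritten) is an assumption of this example.

```python
"""PNG chunk reorder and post-IEND overlay check (added example, constructed input)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed scanlines of the sample: filter byte 0 + two RGB pixels, two rows.
SAMPLE_RAW = (b"\x00" + b"\xff\x00\x00" + b"\x00\xff\x00"
              + b"\x00" + b"\x00\x00\xff" + b"\xff\xff\xff")


def parse_chunks(data):
    """Split a PNG into (type, payload, crc_ok) tuples and return (chunks, overlay).

    overlay is everything after IEND; appended archives usually live there."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG signature")
    pos, chunks = 8, []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            break                                   # truncated chunk: stop here
        payload = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:end])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        chunks.append((ctype, payload, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def reorder(chunks):
    """IHDR first, then the other non-IDAT chunks, then the IDATs in their original
    relative order (one zlib stream spans them), then IEND. Chunks that may legally
    follow IDAT (tEXt, tIME) are still valid when moved in front of it."""
    ihdr = [c for c in chunks if c[0] == b"IHDR"]
    idat = [c for c in chunks if c[0] == b"IDAT"]
    iend = [c for c in chunks if c[0] == b"IEND"]
    rest = [c for c in chunks if c[0] not in (b"IHDR", b"IDAT", b"IEND")]
    return ihdr + rest + idat + iend


def build_png(chunks):
    """Serialise chunks with freshly computed CRCs."""
    out = bytearray(PNG_SIG)
    for ctype, payload, _ in chunks:
        out += struct.pack(">I", len(payload)) + ctype + payload
        out += struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)
    return bytes(out)


def repair(data):
    """Return (fixed_png, overlay_bytes, chunk types whose CRC did not verify)."""
    chunks, overlay = parse_chunks(data)
    bad_crc = [c[0] for c in chunks if not c[2]]
    return build_png(reorder(chunks)), overlay, bad_crc


def scanlines(data):
    """Inflate the concatenated IDAT payloads (raw filtered scanlines)."""
    chunks, _ = parse_chunks(data)
    return zlib.decompress(b"".join(c[1] for c in chunks if c[0] == b"IDAT"))


def overlay_looks_like_zip(overlay):
    """Heuristic (assumption): a zip local header keeps 03 04 at offset 2 even when
    its leading 'PK' was overwritten to defeat file/binwalk."""
    return len(overlay) >= 4 and overlay[2:4] == b"\x03\x04"


def make_broken_sample():
    """Constructed sample: 2x2 RGB PNG with scrambled chunk order plus a zip-style
    header with overwritten magic appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)   # 2x2, 8-bit, RGB
    z = zlib.compress(SAMPLE_RAW)
    half = len(z) // 2
    scrambled = [(b"IDAT", z[:half], True),
                 (b"tEXt", b"Comment\x00constructed sample", True),
                 (b"IDAT", z[half:], True),
                 (b"IHDR", ihdr, True),
                 (b"IEND", b"", True)]
    overlay = b"XX\x03\x04\x14\x00" + b"constructed overlay payload"
    return build_png(scrambled) + overlay


if __name__ == "__main__":
    fixed, overlay, bad = repair(make_broken_sample())
    print([c[0] for c in parse_chunks(fixed)[0]], bad, len(overlay),
          "zip-like overlay" if overlay_looks_like_zip(overlay) else "")
```

On a real challenge file, read it with `open(path, "rb").read()`, pass it to `repair`, write the first return value to a new `.png`, and carve the overlay bytes separately (restoring `PK` at offset 0 if the heuristic fires).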

Advanced PDF stego (Nullcon 2026 rdctd): six techniques: invisible text separators, URI annotations with escaped braces, Wiener deconvolution on blurred images, vector rectangle QR codes, compressed object streams (`mutool clean -d`), document metadata fields. See `steganography.md` for full PDF steganography techniques and code.

## Disk / VM / Memory Forensics

```bash
# Disk images
sudo mount -o loop,ro image.dd /mnt/evidence
fls -r image.dd && photorec image.dd

# VM images (OVA/VMDK)
tar -xvf machine.ova
7z x disk.vmdk -oextracted "Windows/System32/config/SAM" -r

# Memory (Volatility 3)
vol3 -f memory.dmp windows.pslist
vol3 -f memory.dmp windows.cmdline
vol3 -f memory.dmp windows.netscan
vol3 -f memory.dmp windows.dumpfiles --physaddr <addr>

# String carving
strings -a -n 6 memdump.bin | grep -E "FLAG|SSH_CLIENT|SESSION_KEY"

# Coredump
gdb -c core.dump
# inside gdb: info registers, x/100x $rsp, find $rsp, +0x10000, "flag"   (find needs a start address and a length)
```

See `disk-and-memory.md` for the full Volatility plugin reference, VM forensics, VMware snapshots, deleted partition recovery, ZFS forensics, and ransomware analysis.

## Windows Password Hashes

Extract with impacket, crack with `hashcat -m 1000`. `SAM` and `SYSTEM` are the hive files pulled out of the image (see the 7z extraction above):

```bash
python -c "from impacket.examples.secretsdump import *; SAMHashes('SAM', LocalOperations('SYSTEM').getBootKey()).dump()"
```

See `windows.md` for SAM details and `network.md` for NTLMv2 cracking from PCAP.

## Bitcoin Tracing

- Use the mempool.space API: `https://mempool.space/api/tx/`
- Peel chain: ALWAYS follow the LARGER output; round amounts indicate peels

## Uncommon File Magic Bytes

| Magic | Format | Extension | Notes |
|-------|--------|-----------|-------|
| `OggS` | Ogg container | `.ogg` | Audio/video |
| `RIFF` | RIFF container | `.wav`, `.avi` | Check subformat |
| `%PDF` | PDF | `.pdf` | Check metadata & embedded objects |
| `GCDE` | PrusaSlicer binary G-code | `.g`, `.bgcode` | See `3d-printing.md` |

## Common Flag Locations

- PDF metadata fields (Author, Title, Keywords)
- Image EXIF data
- Deleted files (Recycle Bin `$R` files)
- Registry values
- Browser history
- Log file fragments
- Memory strings

## WMI Persistence Analysis

Pattern (Backchimney): malware uses WMI event subscriptions for persistence (MITRE T1546.003).

```bash
python PyWMIPersistenceFinder.py OBJECTS.DATA
```

Look for:

- `FilterToConsumerBinding`s with a `CommandLineEventConsumer`
- Base64-encoded PowerShell in consumer commands
- Event filters triggered on system events (logon, timer)

See `windows.md` for WMI repository analysis details.

## Network Forensics Quick Reference

- TFTP netascii: Binary transfers are corrupted by the netascii translation; fix with `data.replace(b'\r\n', b'\n').replace(b'\r\x00', b'\r')`
- TLS weak RSA: Extract the cert, factor the modulus, generate the private key with `rsatool`, add it to Wireshark
- USB audio: Extract isochronous data with `tshark -e usb.iso.data`, import as raw PCM in Audacity
- NTLMv2 from PCAP: Extract server challenge + NTProofStr + blob from NTLMSSP_AUTH, brute-force

See `network.md` for SMB3 decryption and credential extraction, and `linux-forensics.md` for the full TLS/TFTP/USB workflows.

## Browser Forensics

- Chrome/Edge: Decrypt the `Login Data` SQLite passwords with AES-GCM; the AES key is stored in `Local State` and is unwrapped with the user's DPAPI master key
- Firefox: Query `places.sqlite`: `SELECT url FROM moz_places WHERE url LIKE '%flag%'`

See `linux-forensics.md` for full browser credential decryption code.
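Packet interval timing, listed under steganography above and in the technique references that follow, decoded end to end as an added example (not code from the ctf-skills project or its `network.md`). The decoder takes the per-packet epoch timestamps of the already-filtered flow (for example `tshark -r cap.pcap -Y 'ip.src==10.0.0.5' -T fields -e frame.time_epoch`), computes the inter-packet gaps, splits them into the two timing clusters, and packs the bits into bytes. The short-gap-is-0 / long-gap-is-1 mapping and MSB-first packing are assumptions of this example (flip them if the output is garbage); the jittered sample timestamps are constructed by `encode_timing`.

```python
"""Decode a message hidden in inter-packet delays (added example, constructed input)."""
import random


def parse_epoch_lines(text):
    """Parse `tshark -T fields -e frame.time_epoch` output: one float per line."""
    return [float(tok) for tok in text.split()]


def inter_packet_gaps(timestamps):
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def split_threshold(gaps):
    """Best two-cluster split of the sorted gaps (minimum within-cluster sum of
    squares) and the midpoint between the clusters. Tolerates per-packet jitter
    better than (min+max)/2; a third timing value (a long pause) would still
    mislead it, so look at a histogram of the gaps first."""
    s = sorted(gaps)
    n = len(s)
    if n < 2 or s[-1] - s[0] < 1e-6:
        raise ValueError("need at least two distinct gap values")
    pre, pre2 = [0.0], [0.0]                       # prefix sums of g and g*g
    for g in s:
        pre.append(pre[-1] + g)
        pre2.append(pre2[-1] + g * g)
    best_sse, best_k = None, None
    for k in range(1, n):                          # left cluster = s[:k]
        left = pre2[k] - pre[k] ** 2 / k
        right = (pre2[n] - pre2[k]) - (pre[n] - pre[k]) ** 2 / (n - k)
        if best_sse is None or left + right < best_sse:
            best_sse, best_k = left + right, k
    return (s[best_k - 1] + s[best_k]) / 2.0


def gaps_to_bits(gaps):
    """Assumption: short gap -> 0, long gap -> 1."""
    thr = split_threshold(gaps)
    return [1 if g > thr else 0 for g in gaps]


def bits_to_bytes(bits, msb_first=True):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):   # drop a trailing partial byte
        chunk = bits[i:i + 8] if msb_first else bits[i:i + 8][::-1]
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)


def decode_timing(timestamps, msb_first=True):
    return bits_to_bytes(gaps_to_bits(inter_packet_gaps(timestamps)), msb_first)


def encode_timing(message, short=0.010, long=0.100, jitter=0.002, seed=1):
    """Constructed sender used only to build sample data: one packet per bit,
    MSB first, with deterministic +/-jitter seconds of noise on every gap."""
    rng = random.Random(seed)
    ts = [1700000000.0]
    for byte in message:
        for i in range(7, -1, -1):
            gap = long if (byte >> i) & 1 else short
            ts.append(ts[-1] + gap + rng.uniform(-jitter, jitter))
    return ts


if __name__ == "__main__":
    sample = "\n".join("%.6f" % t for t in encode_timing(b"hidden"))   # tshark-style output
    print(decode_timing(parse_epoch_lines(sample)))
```

If the message is unreadable, try `msb_first=False` and then invert the bit mapping; if the gap histogram shows more than two clusters, the encoding is not a simple two-interval one and a per-cluster symbol table is needed.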
## Additional Technique Quick References

- Docker image forensics: The image config JSON preserves ALL RUN commands in its history, even after cleanup. `tar xf app.tar`, then inspect the config blob. See `linux-forensics.md`.
- Linux attack chains: Check `auth.log`, `.bash_history`, recent binaries, PCAP. See `linux-forensics.md`.
- PowerShell ransomware: Extract the scripts from the minidump, find the AES key, decrypt the SMTP attachment. See `disk-and-memory.md`.
- Linux ransomware + memory dump: If Volatility is unreliable, recover the AES key via raw-memory candidate scanning and magic-byte validation; re-extract the zip cleanly to avoid missing files/false negatives. See `disk-and-memory.md`.
- Deleted partitions: `testdisk` or `kpartx -av`. See `disk-and-memory.md`.
- ZFS forensics: Reconstruct labels, Fletcher4 checksums, PBKDF2 cracking. See `disk-and-memory.md`.
- Hardware signals: VGA/HDMI TMDS/DisplayPort, Voyager audio, Saleae UART decode, Flipper Zero. See `signals-and-hardware.md`.
- USB HID mouse drawing: Render relative HID movements per draw mode as a bitmap; separate modes, skip pen lifts, scale 5-8x. See `network.md`.
- Side-channel power analysis: Multi-dimensional power traces (positions × guesses × traces × samples). Average across traces, find the sample with max variance, select the guess with max power at the leak point. See `signals-and-hardware.md`.
- Packet interval timing: Binary data encoded as inter-packet delays in a PCAP. Two interval values = two bit values. See `network.md`.
- G-code visualization: Side projections (XZ/YZ) reveal text. See `3d-printing.md`.
- Git directory recovery: `gitdumper.sh` for exposed `.git` dirs. See `linux-forensics.md`.

## HTTP Exfiltration in PCAP

Quick path: `tshark -r capture.pcap --export-objects http,/tmp/objects` extracts uploaded files instantly. Check for multipart POST uploads, unusual User-Agent strings, and exfiltrated files (images with flag text). See `network.md`.

## Common Encodings

```bash
echo "base64string" | base64 -d
echo "hexstring" | xxd -r -p
tr 'A-Za-z' 'N-ZA-Mn-za-m'      # ROT13
```

ROT18: ROT13 on letters + ROT5 on digits. A common final layer in multi-stage forensics. See `linux-forensics.md` for the implementation.
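The ROT18 layer described above, as an added example that is not the implementation from `linux-forensics.md`: a ROT18 function (its own inverse) plus a small layer-peeling loop that strips hex and base64 layers until neither applies and then applies ROT18 once as the final layer, which is the convention this page describes. The "plain → ROT18 → base64 → hex" sample is constructed inside the block; the decode order (hex before base64) and the "stop after ROT18" rule are assumptions of this example.

```python
"""ROT18 and multi-layer (hex / base64 / ROT18) peeling (added example, constructed input)."""
import base64
import binascii


def rot18(text):
    """ROT13 on letters, ROT5 on digits; everything else untouched. Involution."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        elif "0" <= ch <= "9":
            out.append(chr((ord(ch) - ord("0") + 5) % 10 + ord("0")))
        else:
            out.append(ch)
    return "".join(out)


def _printable(raw):
    """Accept a decoded layer only if it is printable ASCII (plus newline/tab)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\n\t" for c in text) else None


def _try_hex(text):
    try:
        return _printable(binascii.unhexlify(text.strip()))
    except (binascii.Error, ValueError):
        return None


def _try_base64(text):
    try:
        # validate=True rejects strings with spaces or other non-alphabet chars
        return _printable(base64.b64decode(text.strip(), validate=True))
    except (binascii.Error, ValueError):
        return None


def peel_layers(text, max_layers=10):
    """Strip hex/base64 layers while they decode to printable text, then apply
    ROT18 once as the final layer. Returns [(layer_name, decoded_text), ...].
    Caveat: a base64 string made only of 0-9a-f would be mistaken for hex."""
    steps = []
    for _ in range(max_layers):
        for name, fn in (("hex", _try_hex), ("base64", _try_base64)):
            result = fn(text)
            if result is not None and result != text:
                break
        else:                                   # no transport layer left
            steps.append(("rot18", rot18(text)))
            return steps
        steps.append((name, result))
        text = result
    return steps


def make_layered_sample(plain="meet at 1800 dock 7"):
    """Constructed sample: plain -> ROT18 -> base64 -> hex."""
    return base64.b64encode(rot18(plain).encode("ascii")).hex()


if __name__ == "__main__":
    for name, value in peel_layers(make_layered_sample()):
        print(f"{name:>6}: {value}")
```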
