forensics ctf guide
how to approach digital forensics challenges.
file identification · steganography · PCAP analysis · memory forensics · file carving
first steps for any forensics challenge
1. run file on the given file — the extension often lies. a .jpg might be a PNG, a ZIP, or something else. file reads the actual magic bytes.
2. run strings on it and grep for CTF flag patterns (flag{, CTF{, picoCTF{). flags are sometimes just sitting in plaintext.
3. run xxd or hexdump on the first 32 bytes to see the file signature (magic bytes) and look for anything unusual.
4. run exiftool to extract all metadata — creation date, GPS, author, comment fields, and embedded thumbnails can all contain data.
5. run binwalk to detect embedded files or compression. if it finds something, binwalk -e extracts it.
match the file type to the approach
- image file (.png, .jpg, .bmp): check LSB steganography with zsteg (PNG) or stegsolve. try steghide with an empty password. look at color plane differences in stegsolve. check for appended data after the image end marker.
- PCAP / network capture: open in Wireshark. filter by http, ftp, dns, smtp. follow TCP streams. export HTTP objects to recover transferred files. look for credentials in cleartext protocols.
- memory dump (.dmp, .vmem): use Volatility. run imageinfo to identify the OS profile. list processes (pslist/pstree), check network connections (netscan), find injected code (malfind), dump files from memory (filescan + dumpfiles).
- disk image (.dd, .img, .E01): mount with autopsy or sleuthkit. recover deleted files (tsk_recover). check filesystem metadata, unallocated space, and slack space.
- archive (.zip, .tar, .7z): check if it is password-protected. try an empty password, "password", or look for clues in the challenge description. use john with zip2john to crack. binwalk can find files embedded inside.
- audio file (.wav, .mp3): open in Audacity and look at the spectrogram view — data is often encoded visually. check for morse code patterns. try sonic-visualiser for hidden signals.
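the first-steps checklist and the "appended data after the image end marker" check from the image row, combined into one added python script (not part of this guide, and not a replacement for the tools: it stands in for file, strings | grep and binwalk so it runs with nothing installed). the sample bytes, the file name and the flag value are constructed.

```python
import re

# magic bytes (offset 0) for formats that turn up most often in CTFs
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip",
    b"GIF8": "gif", b"%PDF": "pdf", b"\x7fELF": "elf",
}
# end-of-image markers; anything after them is appended data worth carving
END_MARKERS = {"png": b"IEND\xae\x42\x60\x82", "jpeg": b"\xff\xd9"}
# the same patterns the strings | grep step looks for, run on the raw bytes
FLAG_RE = re.compile(rb"(?:flag|CTF|picoCTF)\{[^}\n]{1,80}\}")

def identify(data: bytes) -> str:
    """Real type from magic bytes; the file name is not consulted."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def trailing_data(data: bytes, kind: str) -> bytes:
    """Bytes after the image end marker (b"" if none). Caveat: an EXIF
    thumbnail is a full JPEG with its own ff d9; confirm JPEG hits with binwalk."""
    marker = END_MARKERS.get(kind)
    end = data.find(marker) if marker else -1
    return b"" if end == -1 else data[end + len(marker):]

def triage(name: str, data: bytes) -> dict:
    """Checklist steps 1, 2, 3 and 5 in one pass over the bytes."""
    kind = identify(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = {"jpg": "jpeg"}.get(ext, ext)  # normalise the claimed type
    tail = trailing_data(data, kind)
    return {
        "claimed": claimed,
        "actual": kind,
        "mismatch": bool(claimed) and claimed != kind,
        "head": data[:32].hex(),  # what xxd would show you
        "flags": [m.decode("ascii", "replace") for m in FLAG_RE.findall(data)],
        "trailing_bytes": len(tail),
        "trailing_kind": identify(tail) if tail else None,
    }

# constructed sample: PNG skeleton (CRCs not valid) with a ZIP local header
# and a flag appended after IEND, handed in under a misleading .jpg name
SAMPLE = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + bytes(17)
          + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"
          + b"PK\x03\x04" + bytes(26) + b"flag{appended_after_iend}")

if __name__ == "__main__":
    print(triage("photo.jpg", SAMPLE))
```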
useful tools
- Wireshark — PCAP analysis. follow streams, filter by protocol, export objects from HTTP/FTP/SMB.
- Volatility — memory forensics framework. profiles for Windows and Linux. plugins for process listing, network analysis, file recovery, malware detection.
- binwalk — scans files for embedded signatures and compressed data. -e flag extracts everything it finds.
- exiftool — extracts metadata from almost any file format. GPS, camera info, author, comments, thumbnails.
- zsteg — LSB steganography detection for PNG and BMP files. tries many bit-plane combinations automatically.
- steghide — embeds and extracts data from JPEG/BMP/WAV files. try steghide extract -sf file.jpg with an empty passphrase first.
- CyberChef — decode base64, hex, URL encoding, and hundreds of other formats. works in-browser with no install.