Let's Defend - LockBit

Description: You are a Digital Forensics and Incident Response (DFIR) analyst tasked with investigating a ransomware attack that has affected a company's system. The attack has resulted in file encryption, and the attackers are demanding payment for the decryption of the affected files. You have been given a memory dump of the affected system to analyze and provide answers to specific questions related to the attack. Q1: Using a memory dump analysis, can you determine the date and time that the device was infected with the malware?...

April 13, 2023 · 4 min · MMOX

Cyber Defenders - Patrick

Description This image was captured from an iPhone of a user who likes to play video games, especially Minecraft, and communicates with friends. But is this user doing something they shouldn't be? We need to identify any kind of anomalous behavior by this user. Challenge Link : https://cyberdefenders.org/blueteam-ctf-challenges/96 Supportive Tools: CyberChef iLEAPP dcode DB Browser for SQLite unfurl MacForensics PList Deserializer Writeup Q1 1: Personal List! -> How many items were on Patrick's shopping list?...

December 8, 2022 · 5 min · MMOX

Cyber Defenders - XLM-Macros

Description Recently, we have seen a resurgence of Excel-based malicious office documents. However, instead of using VBA-style macros, they are using older style Excel 4 macros. This changes our approach to analyzing these documents, requiring a slightly different set of tools. In this challenge, you'll get hands-on with two documents that use Excel 4.0 macros to perform anti-analysis and download the next stage of the attack. Challenge Link : https://cyberdefenders....

December 6, 2022 · 4 min · MMOX

CyCTF 2022 Writeups

Challenge Name Challenge link Type Lazaretto ✔ Download Forensics Hotel ✔ Download Forensics Subscription Download Forensics Geology docker pull cyctf/geology Forensics imPOSTer ✔ Download Forensics Mach ✔ Download Mobile Lazaretto Challenge Description Writeup We were provided with an ad1 file. Using FTK Imager we were able to open it, and it contained only Windows event logs. So I just dumped the files and, using the well-known Eric Zimmerman tool EvtxECmd, I was able to parse the full events into a CSV file using this command...

December 1, 2022 · 5 min · MMOX

Cyber Defenders - AzurePot

Description This Ubuntu Linux honeypot was put online in Azure in early October to watch what happens with those exploiting CVE-2021-41773. Initially, there was a large number of crypto miners that hit the system. You will see one cron script meant to remove files named kinsing in /tmp. This was a way of preventing these miners so more interesting things could occur. Challenge Files: sdb.vhd.gz VHD of the main drive obtained through an Azure disk snapshot ubuntu....

June 14, 2022 · 5 min · MMOX