ctf-forensics
Install: claude install-skill 26zl/cybersec-toolkit
# CTF forensics methodology
## 1. Identify the input
```bash
file <input>
xxd <input> | head -20
```
| Magic | Type | First tool |
| --- | --- | --- |
| `7F 45 4C 46` | ELF | use `ctf-rev` skill |
| `4D 5A` | PE | use `ctf-rev` skill |
| `50 4B` ("PK") | ZIP/JAR/APK/Office | `unzip -l`, `binwalk` |
| `D4 C3 B2 A1` / `0A 0D 0D 0A` | PCAP / pcapng | wireshark |
| `4D 53 53 54 30 30 30` | Volatility memory raw | volatility |
| `45 56 46` | EWF / E01 image | `ewfmount` |
| Arbitrary blob, high entropy | Encrypted/compressed | binwalk / strings |
## 2. PCAP analysis
```bash
# Quick triage
capinfos <pcap> # summary
tshark -r <pcap> -q -z io,phs # protocol hierarchy
tshark -r <pcap> -q -z conv,tcp # TCP conversations
tshark -r <pcap> -q -z http,tree # HTTP requests
# Extract objects
tshark -r <pcap> --export-objects http,./out
foremost -i <pcap> -o ./carved
# Wireshark for visual: File → Export Objects → HTTP/SMB/etc
# Search payloads
tshark -r <pcap> -Y 'http.request.method == "POST"' -T fields -e http.file_data
```
USB HID keystroke decode (common challenge):
- Filter `usb.capdata` in tshark
- Map HID scancodes → keys (script: `usbkeyboard.py`, `usbrip`)
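The decode step above, as an added example (not code from this skill or from `usbkeyboard.py`/`usbrip`): it takes the `usb.capdata` hex strings that `tshark -T fields -e usb.capdata` prints, maps boot-keyboard scancodes to characters, honours Shift and Backspace, and ignores a key that is still held from the previous report. The report lines are constructed, not from a real capture.

```python
# Added example (not from the page): reconstruct keystrokes from USB HID boot-
# keyboard reports, i.e. the hex strings `tshark -r <pcap> -Y usb.capdata -T fields
# -e usb.capdata` prints. Each report: modifiers, reserved, up to six keycodes.
# HID keyboard usage IDs (subset): keycode -> (unshifted, shifted)
KEYMAP = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (ch, ch.upper())
for i, ch in enumerate("1234567890"):
    KEYMAP[0x1E + i] = (ch, "!@#$%^&*()"[i])
KEYMAP.update({0x28: ("\n", "\n"), 0x2C: (" ", " "), 0x2D: ("-", "_"),
               0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
               0x33: (";", ":"), 0x34: ("'", '"'), 0x36: (",", "<"),
               0x37: (".", ">"), 0x38: ("/", "?")})
BACKSPACE = 0x2A
SHIFT_MASK = 0x22  # left shift (0x02) | right shift (0x20) in the modifier byte

def decode_capdata(lines):
    """Return the text typed across a sequence of usb.capdata hex strings."""
    out = []
    held = set()  # keycodes present in the previous report
    for line in lines:
        raw = bytes.fromhex(line.replace(":", "").strip())
        if len(raw) != 8:
            continue  # not a keyboard report (mouse data, descriptors, ...)
        shifted = bool(raw[0] & SHIFT_MASK)
        keys = {k for k in raw[2:8] if k}
        for k in sorted(keys - held):  # only keys newly pressed in this report
            if k == BACKSPACE:
                if out:
                    out.pop()
            elif k in KEYMAP:
                out.append(KEYMAP[k][1 if shifted else 0])
        held = keys
    return "".join(out)

# Constructed reports (not a real capture): a 4-byte non-keyboard packet, then
# "flag{x", Backspace, "h" held across two reports, "1", Shift+"]", Enter.
SAMPLE = """
01:00:00:00 00:00:09:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:04:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:0a:00:00:00:00:00 00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00 02:00:2f:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:1b:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 00:00:0b:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:1e:00:00:00:00:00 00:00:00:00:00:00:00:00
20:00:30:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:28:00:00:00:00:00 00:00:00:00:00:00:00:00
""".split()
```

Feed it the real output of the tshark filter (one report per line) instead of `SAMPLE`; reports from a capture that also contains mouse or descriptor traffic are skipped by the length check.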
Bluetooth: `btsnoop` parser, `wireshark` natively decodes.
TLS with key log: `tshark -r <pcap> -o tls.keylog_file:keys.log` to decrypt.
## 3. Memory forensics (Volatility)
```bash
# Identify profile (vol2) or no profile needed (vol3)
vol.py -f mem.raw i