2021 Crack Me If You Can Contest Write-Up
by DFIR_300 (2y ago)
Once again KoreLogic hosted the Crack Me If You Can password cracking contest during DEFCON 29. I participated in the Street Division as a solo entry. Password cracking is something that I have developed a passion for over the past 5-6 years after realizing that so many in the forensic world struggle with it. I found a ton of great resources, such as the thesis and dissertation by Dr. Matthew Weir (Using Probabilistic Techniques to Aid in Password Cracking Attacks) and prior contest write-ups by @Cyno-Prime, @John_Users, and @hashcat. The YouTube videos posted from the P…
Unsupported Artifacts and How to Deal with them
by DFIR_300 (4y ago)
This blog post will provide a look into dealing with valuable artifacts that are identified but aren't supported by any of your commercial tools. This provides a great opportunity to contribute to an open source project such as iLEAPP by @AlexisBrignoni. Like so many of you, the first place I look when my extractions finish parsing is the installed applications. Funny enough, this workflow was covered by @HeatherMahalik and @mattforensic on their podcast, Carved from Unallocated. I want to start off by getting a better idea of what applications are on the device. …
#MVS2020CTF Write-Up (iOS)
by DFIR_300 (4y ago)
Here is the last write-up for the #MVS2020CTF. During the live competition, I wasn't aware of any "free" tools to analyze iOS systems, so I fell back on Cellebrite PA and was able to find several flags quite easily. After the live event, I found out about #iLEAPP by @AlexisBrignoni and re-processed the iOS data. This allowed me to try out a new tool and gave me an opportunity to validate the flags found with PA and iLEAPP, since both tools were generating the same answers. This post will focus on the flags found with iLEAPP to continue with the #OpenSource theme for the…
#MVS2020CTF Write-Up (Windows)
by DFIR_300 (4y ago)
Here we have the Windows questions and solutions that were part of the 2020 Magnet Virtual Summit CTF. Again keeping with the theme of using #OpenSource or free software, I used Autopsy to process the forensic image, and also used UnFurl, IrfanView, StegHide, OpenStego, and CyberChef to help with other questions. As you will see below, I did not find all of the solutions, but I hope the information I provide is helpful to anyone who has never tried a CTF or is new to DFIR. Begin Exam Try 2: When did the Windows image acquisition start? Answer in YYYY-MM-DD HH:MM:SS. So…
#MVS2020CTF Write-Up (Memory)
by DFIR_300 (4y ago)
This post will be short, as it only covers the Memory section of the Magnet Virtual Summit 2020 CTF and I didn't find all of the solutions. Once again, this was my first time analyzing memory, and it was mainly completed from notes that I had taken during the presentation by @melton_tarah, coupled with prior experience cracking passwords. Memory: How's Your Memory? - Which memory profile best fits the system? Options: Win8SP0x64, Win7SP1x86, VistaSP1x64, Win7SP0x86, Win10x86, Win7SP1x64, WinXPSP1x64, Win10x64. Answer: Win7SP1x64 - The profile is foun…
#MVS2020CTF Write-Up (Egg Hunt)
by DFIR_300 (4y ago)
This post will cover a walkthrough of the solutions that I was able to find for the Egg Hunt section of the 2020 Magnet Forensics Virtual Summit CTF. This was solved using GCHQ CyberChef (https://gchq.github.io/CyberChef/). Egg Hunt NOTE: The FULL block of text below IS the puzzle; for each level, please copy the NEW block of text located below the now decoded portion. Puzzle starts here (copy ALL text below): Zpv ibwf gpvoe uif CMVF fhh! Uif ofyu qjfdf pg uif qvaamf jt: Mci vojs tcibr hvs UFSSB suu (gsqfsh kcfr = Cbwcb)... hvs bslh dwsqs ct hvs dinnzs wg : KK91WUvvraIuNa91pa…
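The two readable lines of the puzzle quoted above are plain letter-shift (Caesar) ciphers with different keys, the kind of layer CyberChef's ROT13 brute-force operation peels off. As an added example, not code from the original post, here is a small Python brute-forcer that tries all 26 shifts and keeps the one producing the most common English words. The two ciphertexts are copied from the teaser above; the scoring word list is my own assumption and is not part of the puzzle.

```python
import string

# Ciphertexts copied from the Egg Hunt teaser on this page (the third, base64-
# looking piece is truncated on the page, so it is not handled here).
LEVEL_1 = "Zpv ibwf gpvoe uif CMVF fhh! Uif ofyu qjfdf pg uif qvaamf jt:"
LEVEL_2 = "Mci vojs tcibr hvs UFSSB suu (gsqfsh kcfr = Cbwcb)... hvs bslh dwsqs ct hvs dinnzs wg :"

# Assumed scoring list: a handful of common English words.  Any shift that
# produces many of these is almost certainly the right one.
COMMON_WORDS = {
    "you", "have", "found", "the", "egg", "next", "piece",
    "of", "puzzle", "is", "secret", "word", "and", "to", "a",
}


def shift_text(text, key):
    """Undo a forward Caesar shift of `key` positions.

    Only ASCII letters are rotated; case is preserved and digits,
    punctuation and whitespace pass through unchanged, which keeps the
    '=' and '...' markers of the puzzle intact.
    """
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") - key) % 26 + ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") - key) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text):
    """Count tokens that are common English words after stripping punctuation."""
    words = (w.strip(string.punctuation).lower() for w in text.split())
    return sum(1 for w in words if w in COMMON_WORDS)


def crack_caesar(ciphertext):
    """Brute-force all 26 keys and return (key, plaintext) with the best score.

    key is the forward shift the puzzle author applied (1 for ROT1, 13 for
    ROT13, ...).  Key 0 (no shift) is included so unshifted text is not
    mangled.
    """
    key = max(range(26), key=lambda k: english_score(shift_text(ciphertext, k)))
    return key, shift_text(ciphertext, key)


if __name__ == "__main__":
    for level in (LEVEL_1, LEVEL_2):
        key, plain = crack_caesar(level)
        print(f"key={key:2d}  {plain}")
```

Each level uses a different key (1, then 14), so a fixed ROT13 would decode neither; scoring every shift is what makes the loop work without knowing the key in advance. The same scoring trick transfers to any other substitution-style layer where you can enumerate the key space.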
#MVS2020CTF Write-up (Android)
by DFIR_300 (4y ago)
In May 2020, I participated in the Magnet Virtual Summit CTF Competition, which consisted of an iOS extraction, Android extraction, Google Takeout, Windows E01 image, and a RAM capture. I would consider this my first real attempt at competitively participating in a DFIR-style CTF, and I truly enjoyed each and every aspect. Before I get into the solutions I was able to find, let me start off by saying that I enjoy learning new skills, and I am a huge fan of open source tools and of validating paid commercial tools with free tools if possible. With that said, some of the tools I us…