I remember thinking last week that they hit a lot of the common memory analysis tasks with Volatility so I was thinking “I hope they give us a challenge on the next one”. Question 1 The questions started off rather easy, asking about a connection to a Google server. …

Well, this was a rather lengthy one, so we’ll just get started. This month the CTF is focused on a Windows Memory image. Part 1 Question: The user had a conversation with themselves about changing their password. What was the password they were contemplating changing too. I found this one in a…

This week was more centered around Incident Response, which isn’t normally in my wheelhouse, so I Was excited to maybe learn a few tricks. Part 1 The first part of the question was asking what package was installed by the attacker. Considering some of the previous questions, I immediately went to a…

OK, this week was short and sweet, more of a scavenger hunt style. A much needed break from the last couple weeks which have been pretty rough. Part 1 Question: What is the IP address of the HDFS primary node? I went looking around the typical Linux places, but remembered we were…

This weeks challenge was a two parter. It looks like most people were able to get the first part right, but the second part seemed to stump quite a few folks. I did have a lot of trouble with the second part, but not nearly as much as last week’s…

Ok, well this week I knew was going to be rough, but I didn’t know I was going to need this much luck. This week’s question was a bit “off the beaten path” in terms of forensics, the question was to find the file name associated with a block ID…

This week’s task was to find a GUID related to “phishing”. Now, because I had done the CTF put on by Magnet this summer in-lieu of their in-person Summit, I had a hunch on where to begin. So I immediately went to the Evernote application folder “/data/com.evernote/files/” and found the…

Trying my hand at this blogging thing. I’ve enjoyed the weekly CTFs that Magnet has been putting on. I found this week pretty interesting and I don’t think I would have figured it out had it not been for the hint dropped in the weekly webcast. Cargo Hold The question asked “Which…