
Forensics

Memory analysis, disk forensics, and artifact extraction

Memory Analysis (Volatility)

Profile Detection

BASH
# Volatility 2 needs the image profile (OS / service pack / arch) before any
# other plugin runs. imageinfo lists candidate profiles; kdbgscan narrows the
# choice by scanning for the kernel debugger block (KDBG). Pass the chosen
# profile as --profile=... on every later command (see the blocks below).
volatility -f memory.raw imageinfo
volatility -f memory.raw kdbgscan

# Volatility 3 resolves symbols from the image itself, so no --profile is
# needed; windows.info prints the detected kernel/OS details as a sanity check.
vol.py -f memory.raw windows.info

Process Analysis

BASH
# List processes (Volatility 2). pslist walks the kernel's active-process
# list; pstree shows the same set as a parent/child tree; psscan carves
# _EPROCESS structures out of physical memory, so it also finds terminated or
# unlinked (hidden) processes. Diff pslist against psscan — an entry that only
# psscan reports deserves a closer look.
volatility -f mem.raw --profile=Win7SP1x64 pslist
volatility -f mem.raw --profile=Win7SP1x64 pstree
volatility -f mem.raw --profile=Win7SP1x64 psscan  # Hidden/terminated processes (carved)

# Vol3 equivalents (no --profile needed; windows.psscan is the carving variant)
vol.py -f mem.raw windows.pslist
vol.py -f mem.raw windows.pstree

Dump Process

BASH
# Dump a process's executable image (-p = PID from pslist/psscan) into the
# -D directory, which must already exist. The rebuilt PE is not byte-identical
# to the on-disk file (relocations applied, imports resolved), so its hash
# will not match the original binary.
volatility -f mem.raw --profile=Win7SP1x64 procdump -p 1234 -D output/

# Dump all addressable memory of the process (every readable page, not just
# the executable) — much larger, but the right input for strings/grep on a
# single suspect process.
volatility -f mem.raw --profile=Win7SP1x64 memdump -p 1234 -D output/

Network

BASH
# Vista and later: netscan carves TCP/UDP endpoints and listeners (it also
# returns closed/orphaned entries, so check timestamps and the owning PID).
volatility -f mem.raw --profile=Win7SP1x64 netscan
# connections (like sockets/connscan) is an XP/2003-only plugin and is not
# supported with a Win7 profile — use netscan for Vista+ images; Vol3 has
# windows.netscan / windows.netstat.
volatility -f mem.raw --profile=Win7SP1x64 connections

Registry

BASH
# List the registry hives present in memory with their virtual/physical offsets.
volatility -f mem.raw --profile=Win7SP1x64 hivelist
# Print a key's subkeys and values. -K is relative to the hive root, so this
# Run key is looked up in every hive that contains it: the SOFTWARE hive
# (machine-wide autoruns) and each user's NTUSER.DAT (per-user autoruns).
# Add -o <hive offset from hivelist> to restrict the lookup to one hive.
volatility -f mem.raw --profile=Win7SP1x64 printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"

Malware Indicators

BASH
# malfind lists private, executable memory regions that look injected. It
# produces false positives (JIT code, some packers), so review the hexdump/
# disassembly it prints rather than trusting the hit list; add -D output/ to
# dump the flagged regions for further scanning.
volatility -f mem.raw --profile=Win7SP1x64 malfind
# Full command line of every process — look for odd arguments or binaries
# launched from unusual paths (temp/user-writable directories).
volatility -f mem.raw --profile=Win7SP1x64 cmdline
# Recover console input/output buffers (typed commands and screen output)
# from the console host structures, where the profile supports it.
volatility -f mem.raw --profile=Win7SP1x64 consoles

Disk Forensics

Mount Images

BASH
# Mount disk image read-only via a loop device. ro blocks writes, but for
# evidence also consider noexec (nothing on the image can be executed) and,
# for ext3/ext4, noload (the journal is not replayed on mount, so the image
# stays byte-identical).
sudo mount -o loop,ro disk.img /mnt/evidence

# Mount with offset (a partition inside a whole-disk image)
fdisk -l disk.img  # Find the partition start sector and the sector size (mmls from Sleuthkit shows the same)
# offset = sector size * start sector in bytes; 512*2048 is the usual
# 1 MiB-aligned first partition — substitute the values fdisk printed.
sudo mount -o loop,ro,offset=$((512*2048)) disk.img /mnt/evidence

Autopsy/Sleuthkit

BASH
# Create timeline: fls -r lists every entry recursively, deleted ones included,
# in "body file" format (-m prefixes paths with the given mount point);
# mactime sorts it into a MAC-time timeline. For a whole-disk image add
# -o <start sector> (from mmls/fdisk) to fls so it reads the right partition.
fls -r -m "/" disk.img > bodyfile.txt
mactime -b bodyfile.txt > timeline.txt

# File recovery by inode / MFT entry number (the number fls prints in front of
# each name); deleted entries are recoverable as long as their blocks have not
# been reused.
icat disk.img 12345 > recovered_file

# Search for files by name — entries marked with * in fls output are deleted
fls -r disk.img | grep -i "secret"

Deleted File Recovery

BASH
# Foremost - header/footer carving; the output directory must be empty or
# absent, otherwise foremost refuses to run.
foremost -i disk.img -o output/

# Scalpel - same approach, driven by its config file. The stock
# /etc/scalpel/scalpel.conf ships with every type commented out, so enable
# the types you need before running; the output directory must be empty.
scalpel disk.img -o output/

# PhotoRec (testdisk) - interactive carver: prompts for partition, file types
# and output directory; carves by content so it works without a filesystem.
photorec disk.img

Network Forensics

Wireshark Filters

TEXT
# HTTP
http.request.method == "POST"
http contains "password"
http.cookie contains "session"

# DNS
dns.qry.name contains "evil"

# Follow stream
Right-click → Follow → TCP Stream

Tshark CLI

BASH
# Extract files transferred over HTTP into output/ (export-objects also
# handles smb, imf, dicom and tftp). Objects are written exactly as seen on
# the wire.
tshark -r capture.pcap --export-objects "http,output/"

# Print the full URL of every HTTP request (host + path)
tshark -r capture.pcap -T fields -e http.request.full_uri

# DNS A-record queries: -Y applies a display filter (dns.qry.type 1 = A);
# add -e ip.src to see which host asked — long or random-looking names
# hint at DGA or DNS tunnelling.
tshark -r capture.pcap -Y "dns.qry.type == 1" -T fields -e dns.qry.name

NetworkMiner

TEXT
- Automatic file extraction
- Credential detection
- Session reconstruction

File Carving

BASH
# binwalk - signature scan of an arbitrary file. -e extracts every recognised
# embedded file/filesystem into _<name>.extracted/ using binwalk's extractor
# tools; --dd='.*' instead carves the raw bytes of every signature match
# without invoking any extractor (useful when the extractors choke).
binwalk -e suspicious_file
binwalk --dd='.*' suspicious_file

# foremost - Carve by headers/footers (same invocation as for disk images)
foremost -i disk.img -o output/

# scalpel - Configurable carving: -c names the config listing the types to
# carve (enable entries there first); results land in scalpel-output/
# unless -o is given.
scalpel -c /etc/scalpel/scalpel.conf disk.img

Windows Artifacts

Important Locations

TEXT
# Recent files
C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\

# Prefetch
C:\Windows\Prefetch\

# Event logs
C:\Windows\System32\winevt\Logs\

# Browser history
C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History

# USB history
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (in an offline SYSTEM hive CurrentControlSet does not exist; use ControlSet00N, where N is given by the Select\Current value)

Registry Analysis

BASH
# RegRipper - run the plugin set for one hive type: -r names the hive file,
# -f picks the profile (ntuser here; sam/system/software/security for those
# hives, or -p <plugin> for a single plugin). Use hives copied off the
# mounted image.
regripper -r NTUSER.DAT -f ntuser

# Parse SAM for local account hashes (impacket). LOCAL means "read the given
# hive files" rather than a remote host; SYSTEM is mandatory because it holds
# the boot key that decrypts the SAM. Both hives live under
# Windows\System32\config\ on the mounted image.
secretsdump.py -sam SAM -system SYSTEM LOCAL

Linux Artifacts

Important Locations

BASH
# Command history — these are paths to inspect, not commands to run. On a
# mounted image look under /mnt/evidence/home/*/ and /mnt/evidence/root/;
# a literal ~ expands to the analyst's own home. bash writes the file only
# when a shell exits (by default), and HISTFILE may have been unset or the
# file truncated, so an empty or missing history is itself a finding.
~/.bash_history
~/.zsh_history

# Logs (Debian/Ubuntu names; RHEL-family systems use /var/log/secure and
# /var/log/messages instead; systemd hosts also keep the binary journal under
# /var/log/journal/, readable offline with journalctl -D <dir>)
/var/log/auth.log
/var/log/syslog
/var/log/apache2/access.log

# Cron (also check /etc/cron.d/ and /etc/cron.{hourly,daily,weekly,monthly}/;
# RHEL-family systems keep per-user tabs directly in /var/spool/cron/)
/var/spool/cron/crontabs/
/etc/crontab

Quick Wins

BASH
# Strings in memory dump: -n 8 sets the minimum length (cuts noise);
# -e l decodes 16-bit little-endian (UTF-16LE) strings, which is how Windows
# stores most text, so run both the plain and the -el pass.
strings -n 8 mem.raw | grep -i password
strings -el mem.raw | grep -i flag

# Search for flags: -r recurses the mounted evidence; -a treats the binary
# image as text, -o prints only the matched text, -P enables the PCRE
# pattern. Neither pass matches UTF-16 text — combine with strings -el above.
grep -r "flag{" /mnt/evidence/
grep -raoP "flag\{[^\}]+\}" memory.raw