2019-08-14

2019 Unofficial DEFCON DFIR CTF Writeups


The CTF

First a shout out to the Champlain College Digital Forensics Association (@champdfa) for putting together an awesome CTF and to David Cowen for making it public. For those who aren’t aware David has authored and run a number of awesome CTFs over the last few years, including an Unofficial DEFCON DFIR CTF released during the week of DEFCON. Each one of them has been great fun and an awesome learning experience.

This year, due to other commitments, he was hard pressed to design one from scratch. Fortunately CCDFA came to the rescue and David hosted the CTF based upon a dataset and questions which they had previously designed. Details of the CTF can be found here

I’ve never put together a CTF write-up before, but I have often benefited from those written by others. It's great as a learning tool and to help understand other people’s processes when solving these types of challenges. So here goes nothing.

If of interest to anyone, I had no access to my usual commercial tools during this CTF and as such the majority was solved using the following (some I have personal/home use licenses for):

  • FTK Imager (4.1.1.1) - Until I noticed I was out of date and a bug was impeding progress!
  • FTK Imager (4.2.1.4) - Much better
  • Autopsy (4.12)
  • Eric Zimmerman's tools (including KAPE)
  • Volatility 2.6
  • 7Zip
  • 010 Editor 8.0.1
  • Arsenal Image Mounter (3.0.64)
  • Passware Kit Standard (2019.3.2)
I'll be releasing the write-up as a single post per section of the CTF, these are:
  1. DFA Crypto Challenge
  2. Deadbox Forensics
  3. Linux Forensics
  4. Memory Forensics
  5. Triage VM Questions