https://4n6post.com/tags/forensics/Recent content in Forensics on 4n6Posthttps://4n6post.com/writeups/picoctf/bitlocker-1/2025-10-25Description Jacky is not very knowledgable about the best security passwords and used a simple password to encrypt their BitLocker drive. See if you can break through the encryption! Download the disk image here. Local download - bitlocker-1.dd Solution Using a created docker for johntheripper, I exec and utilized the bitlocker2john.py to extract the hash from the bitlocker image. docker 13 lines FROM python:3.9-slim RUN apt-get update && \ DEBIAN_FRONTEND=noninteractive apt-get install -y \ git build-essential pkg-config libssl-dev libgmp-dev yasm zlib1g-dev && \ git clone https://github.https://4n6post.com/writeups/picoctf/bitlocker-2/2025-10-25Description Author: Venax Jacky has learnt about the importance of strong passwords and made sure to encrypt the BitLocker drive with a very long and complex password. We managed to capture the RAM while this drive was opened however. See if you can break through the encryption! Download the disk image here and the RAM dump here. Local download - bitlocker-2.dd Local download - memdump.mem.gz Solution - Using my Volatility Web Docker I wanted to test my Volatility Web Docker setup for this challenge which had the dependency of lacking the bitlocker plugin.https://4n6post.com/writeups/picoctf/event_viewing/2025-10-24A detailed writeup for the “Event Viewing” challenge from picoCTF, covering the analysis of Windows Event Logs to uncover hidden flags.https://4n6post.com/writeups/picoctf/ph4nt0m_1ntrud3r/2025-10-24Description Author: Prince Niyonshuti N. A digital ghost has breached my defenses, and my sensitive data has been stolen! 😱💻 Your mission is to uncover how this phantom intruder infiltrated my system and retrieve the hidden flag. To solve this challenge, you’ll need to analyze the provided PCAP file and track down the attack method. The attacker has cleverly concealed his moves in well timely manner. Dive into the network traffic, apply the right filters and show off your forensic prowess and unmask the digital intruder!https://4n6post.com/writeups/picoctf/red/2025-10-24Description Author: Shuailin Pan (LeConjuror) Description RED, RED, RED, RED Download the image: https://challenge-files.picoctf.net/c_verbal_sleep/831307718b34193b288dde31e557484876fb84978b5818e2627e453a54aa9ba6/red.png What I did First it’s always a good idea to check out if the file claims to be what it is by using file command bash 3 lines file red.png # red.png: PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced I Checked Metadata with Exiftool and cat bash 3 lines sudo apt install libimage-exiftool-perl exiftool red.https://4n6post.com/dockers/cyberchef-data-analysis/2024-01-15Cyberchef is a web app for analyzing and decoding data. It provides a wide range of tools for encoding, decoding, encrypting, decrypting, and manipulating data in various formats. It is designed to be user-friendly and accessible, making it easy for users to perform complex data operations without needing extensive technical knowledge. Portainer Stack yaml 6 lines services: cyber-chef: image: mpepping/cyberchef:latest container_name: CyberChef ports: - "8100:8000"https://4n6post.com/dockers/thehive-incident-response/2024-01-15Ref: Strangebee - Installation TheHive is a scalable, open-source Security Incident Response Platform (SIRP) designed to assist security teams in managing and responding to incidents effectively. It provides a web-based interface for incident management, collaboration, and integration with various security tools, making it suitable for organizations of all sizes. Portainer Stack yaml 24 lines services: hal-thehive: image: thehiveproject/thehive4:4.1 container_name: Thehive4 restart: unless-stopped ports: - "8700:9000" volumes: - ./thehive/config/thehive/application.conf:/etc/thehive/application.conf - ./thehive/volumes/thehive/db:/opt/thp/thehive/db - .https://4n6post.com/writeups/picoctf/diskdisksleuthii/2024-01-01Description All we know is the file with the flag is named down-at-the-bottom.txt… Disk image: dds2-alpine.flag.img.gz https://mercury.picoctf.net/static/b369e0ba3b6ffd2be8164cd3c99c294b/dds2-alpine.flag.img.gz Info Linux: gunzip dds2-alpine.flag.img.gz Goes from 28MB to 128MB dds2-alpine.flag.img Opening in windows shows Disc Corruption Load into Arsenal Image Mounter appears to do something, but very little. Disk Signature: 5D8B75FC MBR Fixed Disk Loading IMG file into FTK does mount the file properly, and can be seen as a Linux file system, which is why Arsenal was unable to mount.https://4n6post.com/writeups/picoctf/enhance/2024-01-01Description Download this image file and find the flag. Download image file https://artifacts.picoctf.net/c/100/drawing.flag.svg Info This one was actually awkward, I accidentally opened it in the text editor first, and it was kinda written there at the bottom. Everything is just unscene because the font size is 0.0001~ Flag picoCTF{3nh4nc3d_aab729dd}https://4n6post.com/writeups/picoctf/extensions/2024-01-01Description This is a really weird text file TXT? Can you find the flag? Info Looking at the file, it actually claims to be a PNG. So just change the extentions to .png and open it. Flag picoCTF{now_you_know_about_extensions}https://4n6post.com/writeups/picoctf/file_types/2024-01-01Description This file was found among some files marked confidential but my pdf reader cannot read it, maybe yours can. You can download the file from here. Info File is a PDF. Cannot be opened as it is Corrupt or broken of sorts. Looking at the file, it appears to be a bash script. I used a text editor but you can just use file Flag.pdf When you run it it gives you 3 options, to choose from.https://4n6post.com/writeups/picoctf/hideme/2024-01-01Description Every file gets a flag. The SOC analyst saw one image been sent back and forth between two people. They decided to investigate and found out that there was more than what meets the eye here. Info Doing a binwalk we get: DECIMAL HEXADECIMAL DESCRIPTION 0 0x0 PNG image, 512 x 504, 8-bit/color RGBA, non-interlaced 41 0x29 Zlib compressed data, compressed 39739 0x9B3B Zip archive data, at least v1.0 to extract, name: secret/ 39804 0x9B7C Zip archive data, at least v2.https://4n6post.com/writeups/picoctf/lookey_here/2024-01-01Description Attackers have hidden information in a very large mass of data in the past, maybe they are still doing it. Download the data here. https://artifacts.picoctf.net/c/125/anthem.flag.txt Info cat anthem.flag.txt | grep picoCTF Flag picoCTF{gr3p_15_@w3s0m3_58f5c024}https://4n6post.com/writeups/picoctf/milkslap/2024-01-01Description 🥛http://mercury.picoctf.net:16940/ Info Went to website: http://mercury.picoctf.net:16940/ Right Click and download image / html / css / js. Saw there was a http://mercury.picoctf.net:16940/concat_v.png so I looked around and found a link for it in the Network tab of the developer tools. curl -O http://mercury.picoctf.net:16940/concat_v.png This got me the concat_v.png which was a vertical image scene when you move your mouse on the webpage. The image would move. The photo itserf doesn’t appear to have anything on it’s face.https://4n6post.com/writeups/picoctf/operation_oni/2024-01-01Description Download this disk image, find the key and log into the remote machine. Note: if you are using the webshell, download and extract the disk image into /tmp not your home directory. https://artifacts.picoctf.net/c/71/disk.img.gz bash 1 lines ssh -i key_file -p 59323 ctf-player@saturn.picoctf.net Flag picoCTF{}https://4n6post.com/writeups/picoctf/operation_orchid/2024-01-01Description Download this image and find the flag. https://artifacts.picoctf.net/c/216/pico.flag.png Info gunzip disk.img.gz Mounted disk.img to /mnt or use FTK Imager Navigate to root directory and find flag.txt.enc and .ash_history The Ash history file contains the command used to encrypt the flag bash 11 lines touch flag.txt nano flag.txt apk get nano apk --help apk add nano nano flag.txt openssl openssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567 shred -u flag.https://4n6post.com/writeups/picoctf/shark_on_wire_1/2024-01-01Description We found this packet capture. Recover the flag. https://jupiter.challenges.picoctf.org/static/483e50268fe7e015c49caf51a69063d0/capture.pcap Info Doing a quick Cursery search on the PCAP in wireshark, I did a search on data and jsut quickly looked for anything that jumps out. Alot of data and found picoCTF{N0t_a_fLag} but this is accurate and doesn’t work. How ever if you jump to UDP Stream 6 you get the right one. picoCTF{StaT31355_636f6e6e} Flag picoCTF{StaT31355_636f6e6e} It does tell me this is not a flag, and it’s correct.https://4n6post.com/writeups/picoctf/sidechannel/2024-01-01Description There’s something fishy about this PIN-code checker, can you figure out the PIN and get the flag? Download the PIN checker program here pin_checker Once you’ve figured out the PIN (and gotten the checker program to accept it), connect to the master server using nc saturn.picoctf.net 50364 and provide it the PIN to get your flag. https://artifacts.picoctf.net/c/72/pin_checker bash 1 lines nc saturn.picoctf.net 50364 Info Flag picoCTF{}https://4n6post.com/writeups/picoctf/who_is_it/2023-10-01Description Someone just sent you an email claiming to be Google’s co-founder Larry Page but you suspect a scam. Can you help us identify whose mail server the email actually originated from? Download the email file here. Flag: picoCTF{FirstnameLastname} https://artifacts.picoctf.net/c/499/email-export. Info EML File wants to know who the user likely is. PST Walk EML Viewer, we can quickly look at the header and eventually come down to an IP since the email is coming from lpage@onionmail.