
So you’ve selected forensics, huh? Alright, well let’s get you started with some helpful material to learn all about forensics.
What is Forensics?
In a CTF context, “Forensics” challenges can include file format analysis, steganography, memory dump analysis, hard drive analysis, or network packet capture analysis. Any challenge to examine and process a hidden piece of information out of static data files (as opposed to executable programs or remote servers) could be considered a Forensics challenge (unless it involves cryptography, in which case it probably belongs in the Crypto category).
Forensics is a broad CTF category that does not map well to any particular job role in the security industry, although some challenges model the kinds of tasks seen in Incident Response (IR). Even in IR work, computer forensics is usually the domain of law enforcement seeking evidentiary data and attribution, rather than the commercial incident responder who may just be interested in expelling an attacker and/or restoring system integrity.
Forensics is seen as a very beginner-friendly category, largely because it is an even playing field. In a category like Reversing you may have a significant advantage over other players if you hold a pro license for a tool; realistically, no paid tool gives that kind of advantage in Forensics.
Prerequisites
Before getting into forensics, there are some things you will need to have. They are listed below:
- Virtual Machine – Kali Linux (https://www.kali.org/get-kali/)
- Python (https://www.python.org/downloads/)
- Volatility (more info in the Volatility section)
- Wireshark
- Network Miner
Volatility
Helpful Links
A great place for forensics-style labs is BlueTeamLabs.
Watch this John Hammond video covering Volatility in more detail.
You can practice challenges on PicoGym. John Hammond also does a YouTube video series where he covers some of these challenges. This can be found here.