Monday, October 26, 2020

Magnet Weekly CTF (Week 3) - Motion Photos

Previous: Week 1 | Week 2

Week 3 was an absolute doozy and what a relief to knock it out! Given 3 chances (now 4) to answer it, I definitely needed a few extra to get it correctly.

Challenge 3 (OCT 19-25) Cargo Hold (40)

Which exit did the device user pass by that could have been taken for Cargo?

Monday, October 19, 2020

Magnet Weekly CTF (Week 2) - Chrome Artifacts

Previous: Week 1

Week 2 is here and we have another question for the Magnet Forensics weekly CTF. This week we will delve into some web browser artifacts.

Challenge 2 (OCT 12-18) PIP Install (30)

What domain was most recently viewed via an app that has picture-in-picture capability?

Monday, October 12, 2020

Magnet Weekly CTF (Week 1) - Hosts File


The good folks at Magnet Forensics are hosting a weekly CTF challenge for anyone interested. More details on registration and scoring here. It kicked off this week with a question from Jad.

Challenge 1 (OCT 5-11) - Mapping the Digits (20)

What time was the file that maps names to IP's recently accessed? (Please answer in this format in UTC: mm/dd/yyyy HH:MM:SS)

Monday, August 3, 2020

My First SANS DFIR Summit Experience

This would have been the first year I would have made the trip down to Austin, Texas for the SANS DFIR Summit, but the pandemic really screwed that one up (hopefully next year). Despite the conference going virtual, it went off without too many hitches. There were so many incredible talks from Ryan Benson's on Unfurl, to David Cowen and Matt Seyer's on real time USN/log analysis, to Sarah and Andrew Konunchuk repping Bloomsburg University to fullest in their eDiscover/DFIR discussion. I know I'm leaving out so many others but they were all really incredible. The recordings will eventually be on the SANS YouTube page for those who missed out.

Monday, June 8, 2020

Magnet Virtual Summit 2020 CTF (Windows)

Previous: Egg Hunt | iOS | Memory | Android

The last part of Magnet Virtual Summit CTF once again proved that not everything can be automatically parsed by the tools, you have to dive into the artifacts a bit to pull out the proper answers.