Two forensics CTF challenges I’ve done
10/31/2024: the-registrar
by lolmenow. Description: Just carved this memory dump from the scarecrow's PC! Apparently he told me that his programs on startup were acting weird while trying to register his new software.
Following the clue, I look for the hive file that stores the registry:
Then I dump the hive found at offset 0xb183c10b83e0:
Opening the dumped .dat file in Registry Explorer: startup programs are registered under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so I go there and grab the base32 string:
Decoding the base32 string and reversing the result gives the flag:
Flag: ictf{tH3_rEg1STry_i5_T0O_c0OL_foR_YOu!}
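As an added example (not code from the write-up), here is a small Python triage script for the last step: walk a Run key listing, pick out values that decode as base32, and apply the decode-then-reverse recovery. The listing below is constructed; the real base32 value from the challenge is not reproduced on this page, so the sample is built from the flag, with its padding stripped to exercise the lenient decoder.

```python
import base64
import binascii
import re
from typing import Optional

FLAG = "ictf{tH3_rEg1STry_i5_T0O_c0OL_foR_YOu!}"

# Constructed sample of a HKLM\...\CurrentVersion\Run listing. The "Registrar"
# value is built from the flag (reversed, then base32-encoded, padding removed);
# the other two are ordinary autorun entries used as negatives.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "OneDrive": r"C:\Users\scarecrow\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Registrar": base64.b32encode(FLAG[::-1].encode()).decode().rstrip("="),
}

B32_BODY = re.compile(r"^[A-Z2-7]+$")


def decode_base32_lenient(value: str) -> Optional[bytes]:
    """Decode base32, restoring '=' padding that may have been stripped.
    Returns None when the value is not valid base32."""
    body = value.strip().rstrip("=")
    if not B32_BODY.match(body):
        return None
    body += "=" * (-len(body) % 8)  # pad up to a multiple of 8 characters
    try:
        return base64.b32decode(body)
    except binascii.Error:  # bad quantum length or non-base32 digit
        return None


def recover_flag(value: str) -> Optional[str]:
    """Decode then reverse, as in the write-up; keep only printable ASCII."""
    raw = decode_base32_lenient(value)
    if raw is None:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text[::-1] if text.isprintable() else None


def find_encoded_autoruns(run_values: dict) -> dict:
    """Return {value_name: recovered_text} for Run entries that decode cleanly."""
    return {name: out for name, data in run_values.items()
            if (out := recover_flag(data)) is not None}


if __name__ == "__main__":
    for name, text in find_encoded_autoruns(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {text}")
```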
10/31/2024: the-partraditionalist
by lolmenow. Description: The Forensics department over at ictf needs help recovering the flag from this image disk file!
The challenge gives me a file; let's check it:
Checking the first few lines, I notice the disk image has been corrupted:
So I use the testdisk tool to explore it (run with sudo). Select partition table type = None; the result after choosing [ Analyse ] should look like this:
After exploring for a while, I found three files in the Software partition:
Select all files and copy them to another location. Checking these files, I can tell GPG was used to encrypt the message:
Importing the private key, I decrypt the message and get the flag:
Flag: ictf{SH0Uld_i_aDd_my_L1NkeDiN_t0_tHE_6pg_Em4!L??}
