BlackHat MEA CTF Qualifications 2024 | Forensics writeup
Hello everyone.
This writeup covers two forensic challenges from the BlackHat MEA CTF 2024 Qualification round.
Artifact (Easy — 90pts)
==============================
The attached file is a Registry Hive; I used the RegRipper tool to extract its data.
After the tool finished, I searched the output for .exe entries until I found a suspicious file named DeadPotato-NET4.exe; its execution date was included in the same entry.
The flag is: BHFlagY{DeadPotato-NET4.exe_09/08/2024_22:42:13}
NotFS (Medium — 180pts)
==============================
The challenge file is a raw disk image named “Chall.img”.
I tried several tools, including Autopsy and FTK Imager, but they only extracted six images, none of which contained any useful information.
I finally used TestDisk, a tool designed to recover lost partitions and repair non-booting disks, which was perfect for this challenge.
TestDisk revealed a new image and a text file; the text file contained nothing important, so I checked the PNG.
The PNG would not open, so I checked the header: the first byte of the PNG signature was missing, so it had to be edited back in.
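The header repair described above, as an added example that is not part of the original writeup: the standard PNG signature is `89 50 4E 47 0D 0A 1A 0A`, so a carved file that starts at `PNG\r\n\x1a\n` is missing only the leading `0x89`. The code diagnoses that case, prepends the byte, and then validates the IHDR chunk CRC so a deeper corruption is not mistaken for a one-byte fix. The sample input is constructed inline (a minimal signature plus IHDR, with the first byte dropped), not the challenge file.

```python
import struct
import zlib
from typing import Tuple

# Standard 8-byte PNG signature: 0x89 'P' 'N' 'G' CR LF 0x1A LF
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def diagnose_png_header(data: bytes) -> str:
    """Classify the file start: 'ok', 'missing-first-byte', or 'unknown'."""
    if data.startswith(PNG_SIGNATURE):
        return "ok"
    # Carving dropped the leading 0x89: the file begins at 'PNG\r\n\x1a\n'.
    if data.startswith(PNG_SIGNATURE[1:]):
        return "missing-first-byte"
    return "unknown"


def repair_png_header(data: bytes) -> bytes:
    """Prepend the missing 0x89 byte when the rest of the signature is intact."""
    state = diagnose_png_header(data)
    if state == "ok":
        return data
    if state == "missing-first-byte":
        return PNG_SIGNATURE[:1] + data
    raise ValueError("header damage is not a simple missing first byte")


def ihdr_dimensions(data: bytes) -> Tuple[int, int]:
    """Parse width/height from IHDR and verify its CRC as a sanity check."""
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    body = data[16:16 + length]
    crc_stored = struct.unpack(">I", data[16 + length:20 + length])[0]
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc_stored:
        raise ValueError("IHDR CRC mismatch: more than the signature is damaged")
    return struct.unpack(">II", body[:8])


def build_sample_png_prefix(width: int, height: int) -> bytes:
    """Constructed sample: signature + a valid IHDR chunk (8-bit RGB)."""
    body = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


# Constructed input: a 2x3 PNG prefix with its first byte dropped, as in the challenge.
DAMAGED_SAMPLE = build_sample_png_prefix(2, 3)[1:]

if __name__ == "__main__":
    print(diagnose_png_header(DAMAGED_SAMPLE))        # missing-first-byte
    print(ihdr_dimensions(repair_png_header(DAMAGED_SAMPLE)))  # (2, 3)
```

On a real carve, read the file with `open(path, "rb")`, pass the bytes through `repair_png_header`, and write the result to a new file rather than overwriting the evidence.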
The flag is: BHFlagY{8bd8dc3ea7636c5fb8aeb}
Thanks for reading, and I hope you enjoyed it! ❤
LinkedIn : www.linkedin.com/in/omar-mohammed-a1810a2bb