Securinets CTF Quals 2025

Forensics Challenges Writeup

Team: Mojo Jojo
Result: 38th Place (5th in North Africa)
Category: Forensics

Overview

This writeup documents my approach to solving three complex forensics challenges from Securinets CTF Quals 2025, where I competed with Team Mojo Jojo and achieved 38th place and 5th in North Africa.

The challenges required a combination of:

  • Windows disk forensics and registry analysis
  • Memory dump analysis with Volatility
  • Data recovery and file system forensics
  • Malware investigation and behavioral analysis
  • Reverse engineering and cryptographic analysis

  • 3 challenges solved
  • 20+ questions answered
  • 15+ tools used
  • 38th place finish

Challenges

01

Silent Visitor

A user reported suspicious activity on their Windows workstation. Investigation of a disk image revealed a sophisticated malware delivery chain through a malicious npm package.

Key Findings:

  • Phishing email with GitHub repository link
  • Malware delivered via tmpfiles.org
  • Go-based RAT with C2 communication
  • Registry persistence mechanism
  • Hardcoded authentication tokens

Techniques Used:

Registry Forensics, Email Analysis, Malware Analysis, VirusTotal, any.run
02

Lost File

A ransomware-style challenge involving file encryption. Analyze a memory dump and disk image to recover encryption key components and decrypt the target file.

Key Findings:

  • Custom C-based encryption executable
  • AES-256 CBC encryption with SHA256 key derivation
  • Command-line arguments recovered from memory
  • Deleted file recovered from Recycle Bin
  • Multi-component key reconstruction

Techniques Used:

Memory Forensics, Reverse Engineering, IDA Pro, Volatility, Cryptography
03

Recovery

A critical file has been deleted from a storage device. Perform data recovery, analyze file system metadata, and decrypt hidden data using inode timestamps.

Key Findings:

  • Deleted ZIP archive recovery
  • Inode timestamp analysis for key derivation
  • XOR encryption with metadata-based key
  • Steganographic data hiding technique
  • Multi-layer obfuscation strategy

Techniques Used:

File System Forensics, Data Recovery, Autopsy, PhotoRec, Cryptography

Tools & Technologies

Disk Forensics

  • FTK Imager
  • Autopsy
  • Registry Explorer
  • RegRipper
  • PhotoRec/TestDisk
  • debugfs

Memory Analysis

  • Volatility Framework
  • MemProcFS

Malware Analysis

  • VirusTotal
  • any.run
  • strings utility
  • IDA Pro

Programming

  • Python
  • PyCryptodome

Key Takeaways

Layered Analysis

Success required combining multiple forensics disciplines (disk, memory, and reverse engineering) to piece together the complete picture.

Memory is Critical

Runtime data like command-line arguments and environment variables often only exist in memory and are crucial for investigation.

Artifact Correlation

Correlating evidence across different sources (disk, memory, network) creates a complete attack timeline.

Dynamic Analysis

When static analysis is challenging (e.g., Go malware), dynamic analysis platforms become essential tools.

Metadata Matters

File system metadata like inode timestamps can contain hidden information critical for solving challenges.

Crypto Understanding

Understanding encryption algorithms and key derivation methods is essential for data recovery challenges.