liamcs98/Forensic-Challenges-and-Data

Forensic Challenges and Data

Howdy All! Every so often—never mind how often precisely—having signed myself up for or having nothing particular to interest me in my other hobbies, I thought I would create some Forensics CTFs, Challenges, Data, etc., and wade into giving back to the forensics community. It is a way I have of driving off the stagnation of life and reinvigorating my love of this field.

Enclosed are my challenges, faults and all.

I have attempted to keep this repo neat, tidy, and approachable. Get started by reading the table of contents and navigating to a challenge.

Table of Contents

| Date | Title | Challenge Description |
|---|---|---|
| October 2019 | AnyCon CTFs | A collection of 18 challenges based on a Windows server KAPE collection. Players learn the importance of Windows event logs such as Sysmon, Security, and System. Players work with a dataset containing malicious PowerShell, evil lateral movement, a malicious backdoor from a semi-common C2 framework, and test their open source intelligence skills. The challenge builds in complexity as they continue, and when all is said and done, players have an understanding of this incident on this machine. Readme Here. |
| Fall 2020 | Central New York Hackathon Forensics CTF | A collection of 6 CTF style questions based on a simple IR scenario. The case involves a Windows Server and a Windows 10 Workstation. Players learn about the importance of timestamps, conversion, processes, event logs, execution artifacts, timelining, working with triage data, and more! Raw data, as both KAPE collections and Redline packages, is provided for both systems. Readme Here. |
| Spring 2021 | Central New York Hackathon Forensics CTF | A collection of 6 CTF style questions based on a Jenkins data directory. The case has a few log analysis questions, but mainly focuses on the Jenkins Pipelines/Jobs data present. Raw data for the Ubuntu server (a CyLR collection) and a memory capture taken with AVML are provided. The Docker logs and the /var/jenkins_home directory are available for the Jenkins Docker container. Readme Here. |
| Fall 2021 | Central New York Hackathon Forensics CTF | 5 beginner friendly CTF style questions revolving around a Kansa Autoruns and process listing collection from 7 Windows hosts. Players learn the basics of Windows threat hunting, stacking (frequency analysis), persistence mechanism review, Windows process listing review, identification of rogue processes, and gain exposure to benign Windows processes. Readme Here. |

Additional Stuff / Links

| Links | Notes |
|---|---|
| Lessons Learned | I will not claim to have a lot of knowledge, or really even to have good challenges. I try to keep a running list of all the stuff I have learned. |
| Homelab Setup | I documented my homelab configuration here. The main purpose of my homelab these days is to run an environment for these challenges, and to host infrastructure for attack and defense. |
| AVML | AVML is Microsoft's Linux memory capture tool. |
| KAPE | KAPE is a fantastic collection and parsing tool. |
| CyLR | While CyLR is no longer actively maintained, it is still a really fast, easy, lightweight collection tool. |
| Redline | Redline is both a very decent collection tool and a powerful analysis platform. This makes timeline analysis pretty easy and fun. |
| Kansa | Kansa is a PowerShell based IR framework. It has sadly received few updates in the past few years, but it still has a few advantages: it's pretty fast, has virtually no host dependencies, does not require deployment and maintenance of a host agent or central server, and has collection capabilities 'out of the box'. |

About

Repo for my Forensic challenges and Related Data
