@Roxiun
Last active July 8, 2020 04:12

DFIR CTF

What is it?

Digital Forensics and Incident Response

Where is it found?

The main competition we have played that had many DFIR problems is WACTF.

DEFCON DFIR and Otter CTF are both good places to practice DFIR problems.

Tools Required

All OSes

  • Autopsy - Disk images (e.g. .img)
  • Volatility - Memory dumps (e.g. .mem)
  • RegRipper - Registry hives (e.g. NTUSER.DAT)

Windows Only

  • RegRipper (GUI Version)
  • FTK Imager

Basic Tools Usage

Autopsy

  1. Open Autopsy
  2. Create New case
  3. Open disk image file
  4. Analyse

Volatility

  1. Find the profile - volatility -f triage.mem imageinfo
  2. Run the desired analysis tool using the --profile=<profile_here> flag
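The two Volatility steps above as a small driver script. This is an added example, not part of the original notes: it parses the "Suggested Profile(s)" line from imageinfo output (a constructed sample is embedded so it runs without a memory dump), pins the first suggestion into --profile=<profile>, and builds one command per triage plugin. The plugin set and the triage.mem path are assumptions; imageinfo often lists several candidate profiles, so confirm the chosen one (for example by checking that pslist returns a sane process list) before trusting the rest of the analysis.

```python
"""Two-step Volatility 2 workflow: read the profile that imageinfo suggests,
then run analysis plugins with --profile=<profile>."""
import re
import shutil
import subprocess
from typing import List, Optional, Sequence

# Constructed sample of `volatility -f triage.mem imageinfo` output; the layout
# follows Volatility 2's banner format, the values are made up for this example.
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/triage.mem)
                      PAE type : No PAE
                           DTB : 0x187000L
"""

# Plugins worth running first on an unknown Windows dump (assumed triage set).
DEFAULT_PLUGINS: Sequence[str] = ("pslist", "pstree", "netscan", "cmdline", "malfind")


def parse_suggested_profiles(imageinfo_output: str) -> List[str]:
    """Return the profiles imageinfo suggests, best guess first.

    imageinfo lists several candidates; the first is usually right, but it
    should be confirmed (e.g. pslist returning sane processes) before the
    rest of the analysis is trusted.
    """
    match = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    if not match:
        return []
    return [p.strip() for p in match.group(1).split(",") if p.strip()]


def build_plugin_command(image: str, profile: str, plugin: str,
                         extra_args: Optional[Sequence[str]] = None) -> List[str]:
    """Build the argv for `volatility -f <image> --profile=<profile> <plugin>`."""
    cmd = ["volatility", "-f", image, f"--profile={profile}", plugin]
    if extra_args:
        cmd.extend(extra_args)
    return cmd


def triage_commands(image: str, profile: str,
                    plugins: Sequence[str] = DEFAULT_PLUGINS) -> List[List[str]]:
    """One command per plugin, all pinned to the same profile."""
    return [build_plugin_command(image, profile, plugin) for plugin in plugins]


def run_imageinfo(image: str) -> str:
    """Run imageinfo for real if volatility is on PATH, else use the sample output."""
    if shutil.which("volatility") is None:
        return SAMPLE_IMAGEINFO
    result = subprocess.run(["volatility", "-f", image, "imageinfo"],
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    image_path = "triage.mem"  # hypothetical dump name taken from the notes
    profiles = parse_suggested_profiles(run_imageinfo(image_path))
    if not profiles:
        raise SystemExit("imageinfo suggested no profile; try kdbgscan")
    for cmd in triage_commands(image_path, profiles[0]):
        print(" ".join(cmd))
```

Run it next to the dump and it prints the plugin commands it would execute; swap the print for subprocess.run once the profile has been confirmed.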

RegRipper

Useful Commands

  • Get all info - for i in $( rip -l -c | grep NTUSER.DAT | cut -d , -f1 ); do rip -p $i -r NTUSER.DAT &>> case1.txt ; done
  • List installed programs - rip -p listsoft -r NTUSER.DAT
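The "get all info" loop above, rewritten as an added example (not part of the original notes) that selects plugins by the hive column of rip -l -c rather than grepping the whole line, so plugins whose description merely mentions NTUSER.DAT are not run by mistake. The plugin listing embedded here is constructed, and the column order plugin,version,hive,description is an assumption about rip -l -c output; the case1.txt name comes from the notes.

```python
"""Safer version of the RegRipper "get all info" loop: pick every plugin that
targets a given hive from `rip -l -c`, run each one against the hive file and
append the output to one case file."""
import csv
import io
import shutil
import subprocess
from typing import List

# Constructed sample of `rip -l -c` output. The column order
# (plugin,version,hive,description) is assumed for this example.
SAMPLE_PLUGIN_LIST = """\
listsoft,20080324,NTUSER.DAT,Lists contents of user's Software key
userassist,20170204,NTUSER.DAT,Get UserAssist values
recentdocs,20140724,NTUSER.DAT,Gets contents of user's RecentDocs key
samparse,20120722,SAM,Parse SAM file for user & group membership info
compname,20090727,System,Gets ComputerName and Hostname values from System hive
demo_software_plugin,20200101,Software,Constructed row whose description mentions NTUSER.DAT
"""


def select_plugins(listing: str, hive: str) -> List[str]:
    """Plugin names whose hive column matches `hive` (case-insensitive).

    Matching on the column instead of the whole line avoids the pitfall of
    `grep NTUSER.DAT` also selecting plugins that only mention the hive in
    their description (see the last sample row).
    """
    wanted = hive.lower()
    names = []
    for row in csv.reader(io.StringIO(listing)):
        if len(row) < 3:
            continue  # blank or malformed line
        if row[2].strip().lower() == wanted:
            names.append(row[0].strip())
    return names


def build_rip_commands(plugins: List[str], hive_path: str) -> List[List[str]]:
    """argv lists for `rip -p <plugin> -r <hive_path>`, one per plugin."""
    return [["rip", "-p", plugin, "-r", hive_path] for plugin in plugins]


def rip_hive(hive_path: str, hive_name: str, case_file: str) -> int:
    """Run every matching plugin, appending stdout and stderr to case_file.

    Returns the number of plugins run; does nothing if rip is not installed.
    """
    if shutil.which("rip") is None:
        return 0
    listing = subprocess.run(["rip", "-l", "-c"], capture_output=True,
                             text=True, check=False).stdout
    plugins = select_plugins(listing, hive_name)
    with open(case_file, "a", encoding="utf-8", errors="replace") as out:
        for cmd in build_rip_commands(plugins, hive_path):
            out.write(f"=== {' '.join(cmd)} ===\n")  # header so output stays attributable
            out.flush()
            subprocess.run(cmd, stdout=out, stderr=subprocess.STDOUT, check=False)
    return len(plugins)


if __name__ == "__main__":
    count = rip_hive("NTUSER.DAT", "NTUSER.DAT", "case1.txt")
    print(f"ran {count} plugins")
```

The per-command header written before each plugin's output makes case1.txt searchable afterwards, which the plain &>> loop does not give you.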