Introduction
This collection covers MetaCTF On Demand Labs - a series of digital forensics challenges perfect for beginners. These walkthroughs demonstrate fundamental DFIR techniques including file analysis, network packet inspection, metadata extraction, and basic steganography.
Difficulty: Beginner to Intermediate
Skills Covered: File type identification, Wireshark, exiftool, base64 encoding, hex editors, SQLite forensics
I’ve Got The Magic

File provided: magicinme
Solution
By typing file magicinme into our terminal, we discover the file type even though the file does not carry the correct extension (e.g. .7z or .zip).
We then add the correct extension to the file:
mv magicinme magicinme.7z
Then, we unzip with:
7z e magicinme.7z
Open the file with:
xdg-open flag.jpg

Key Takeaway: The file command identifies file types by analyzing magic bytes, not file extensions.
Forensics, Here I Come

xxd -l 2 [filename]
Breakdown of the command:
- xxd: Creates a hex dump of a file
- -l 2: Limits the output to the first 2 bytes
- [filename]: The file you want to examine
Example output for a Windows executable:

Key Takeaway: The magic bytes 4D 5A (MZ) identify Windows PE executables.
Can PowerShell Please Join Us On the Stage?

To solve this we take the base64 encoded blob and paste it into CyberChef, selecting From Base64 and dragging it into the Recipe section.

In PowerShell, the flag -eC (or -EncodedCommand) tells PowerShell to expect the following argument as a Base64-encoded string that represents the script/command to run.
Use the recipe:
- From Base64
- Decode Text UTF-16LE (1200)
Key Takeaway: PowerShell -EncodedCommand uses UTF-16LE encoded Base64 to obfuscate malicious commands.
On The Wire

Opening the provided .pcap file in Wireshark shows plaintext unencrypted credentials in the packet stream.

Key Takeaway: Never transmit credentials over unencrypted protocols. Always use TLS/SSL.
Anonymoose

Using exiftool we are able to view the metadata in the provided PDF:
exiftool D34DM0053_Open_Letter_Mental_Health.pdf
Key Takeaway: Document metadata often contains valuable information about the creator, software used, and editing history.
runCAPTCHA

Visiting the provided URL and choosing Right click > Inspect brings up Google Chrome’s Developer Tools.
We find a function that looks suspicious:

From here we take this Base64 blob and bring it into CyberChef using the From Base64 and Decode Text UTF-16LE (1200) recipes.
From here we find the malicious URL and our flag:

Key Takeaway: JavaScript can be obfuscated using Base64 encoding to hide malicious URLs and behavior.
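The CyberChef recipe used in both "Can PowerShell Please Join Us On the Stage?" and "runCAPTCHA" (From Base64, then Decode Text UTF-16LE) as a small Python function, written here as an added example rather than code from the labs. It finds the -EncodedCommand argument in a process command line the way a triage script would, decodes it, and shows why the UTF-8 route gives garbage; the sample command line and the function names are my own.

```python
import base64
import binascii
import re
from typing import Optional

# Spellings seen on command lines: -EncodedCommand and the short forms -e, -ec,
# -enc (PowerShell accepts unambiguous prefixes), matched in any case.
ENCODED_PARAM = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)


def encode_command(script: str) -> str:
    """Build the argument the way PowerShell expects it: UTF-16LE bytes, no BOM, Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand in a command line, or None
    when there is no such parameter or the blob is not valid Base64."""
    argv = cmdline.split()  # whitespace split suffices: a Base64 blob contains no spaces
    for i, arg in enumerate(argv[:-1]):
        if not ENCODED_PARAM.match(arg):
            continue
        blob = argv[i + 1]
        blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            return None
        # Decoding these bytes as UTF-8 would yield "h\x00i\x00" for the script "hi":
        # they are UTF-16LE, hence the "Decode Text UTF-16LE (1200)" recipe step.
        return raw.decode("utf-16-le", errors="replace")
    return None


if __name__ == "__main__":
    # Constructed sample line; the script is benign.
    sample = "powershell.exe -NoP -W Hidden -eC " + encode_command("Write-Output 'hello from the lab'")
    print(decode_encoded_command(sample))
```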
Browser, Wowser

Knowing what we are looking for "MetaCTF", we can use strings to extract the flag with minimal effort:
strings places.sqlite | grep MetaCTF{
Key Takeaway: Browser artifacts like places.sqlite (Firefox) contain browsing history that can be extracted with forensic tools or simple string searches.
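strings works when the flag is sitting in plain view, but querying places.sqlite properly also gives you the visit times and the URL each title belongs to. The following is an added example (not part of the walkthrough): it opens the database read-only, joins moz_places with moz_historyvisits, converts Firefox's microsecond PRTime stamps to UTC, and builds a constructed in-memory stand-in for the real file; the planted flag value is a placeholder.

```python
import sqlite3
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Subset of Firefox's places.sqlite schema that history queries need.
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
    visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
    visit_date INTEGER, visit_type INTEGER);
"""


def prtime_to_iso(us: Optional[int]) -> Optional[str]:
    """Firefox stores times as PRTime: microseconds since the Unix epoch, UTC."""
    if us is None:
        return None
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).isoformat()


def open_places(path: str) -> sqlite3.Connection:
    """Open an evidence copy read-only so the database is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def history(conn: sqlite3.Connection, needle: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Every visit as (url, title, iso_time), oldest first, optionally filtered by a
    substring of URL or title (the SQL counterpart of grep MetaCTF{ over strings output)."""
    sql = ("SELECT p.url, p.title, v.visit_date FROM moz_historyvisits v "
           "JOIN moz_places p ON p.id = v.place_id")
    params: tuple = ()
    if needle:
        sql += " WHERE p.url LIKE ? OR p.title LIKE ?"
        params = (f"%{needle}%", f"%{needle}%")
    sql += " ORDER BY v.visit_date"
    return [(url, title, prtime_to_iso(ts)) for url, title, ts in conn.execute(sql, params)]


def build_sample() -> sqlite3.Connection:
    """Constructed in-memory stand-in for places.sqlite with a placeholder flag in a title."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://example.invalid/news", "Daily News", 1, 1_700_000_000_000_000),
        (2, "https://example.invalid/flag", "MetaCTF{placeholder_flag}", 1, 1_700_000_060_000_000),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?)", [
        (1, 1, 1_700_000_000_000_000, 1), (2, 2, 1_700_000_060_000_000, 1),
    ])
    return conn
```

On a real image, use open_places("places.sqlite") in place of build_sample(); copy the file together with any places.sqlite-wal sidecar, since recent visits may only exist in the write-ahead log.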
Spam to Ham

This challenge gives us an email that was intercepted with base64 encoded contents. Inspecting the file reveals a clue: I've attached an image in this email.

Taking the large base64 encoded blob and putting it into CyberChef shows PNG magic bytes.

Copy the base64 into a file named flag.64:

Decode it:
base64 -d flag.64 > flag_64.png
file flag_64.png


Key Takeaway: Email attachments can be embedded as base64-encoded content in the message body.
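Rather than hand-copying the blob into flag.64, the MIME structure can be walked with Python's standard email module, which undoes the Content-Transfer-Encoding for you. This is an added example, not code from the challenge: it builds a constructed message that mirrors the one in the lab (a text part saying an image is attached, plus a base64 PNG attachment), then extracts every non-multipart part and checks its real type by magic bytes instead of trusting the declared Content-Type.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def build_sample_email() -> bytes:
    """Constructed message resembling the challenge: a text part plus a base64 PNG."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Spam to Ham"
    msg.set_content("I've attached an image in this email.")
    # A PNG header plus padding stands in for the real picture (constructed data).
    fake_png = PNG_MAGIC + b"\x00" * 32
    msg.add_attachment(fake_png, maintype="image", subtype="png", filename="flag.png")
    return msg.as_bytes()


def extract_attachments(raw: bytes) -> List[dict]:
    """Walk the MIME tree; get_payload(decode=True) reverses base64 or quoted-printable
    for each leaf part. Report what the magic bytes say the content really is."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        data = part.get_payload(decode=True)
        if data is None:
            continue
        found.append({
            "filename": part.get_filename(),
            "declared": part.get_content_type(),
            "encoding": str(part.get("Content-Transfer-Encoding")),
            "is_png": data.startswith(PNG_MAGIC),
            "size": len(data),
        })
    return found


if __name__ == "__main__":
    for att in extract_attachments(build_sample_email()):
        print(att)
```

To write a decoded part to disk, open the filename in binary mode and write the bytes returned by get_payload(decode=True); then run file on the result as the walkthrough does.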
Flags Over The Wire

- Open the PCAP in Wireshark
- In the menu: File → Export Objects → FTP-DATA…
- Select flags.zip and click Save…
- Unzip and find flags.png

Key Takeaway: Wireshark can automatically extract files transferred over various protocols (HTTP, FTP, SMB, etc.) using the Export Objects feature.
Corruption

“Oh no! I tried downloading a picture for my upcoming conference talk but it won’t open! Can you see if you can fix it and open it?”
Use file to identify file type:
file corrupted.png
It looks like a PDF! Use pdfimages to extract images:
pdfimages -list corrupted.png
mkdir -p recovered/pdfimages && pdfimages -all corrupted.png recovered/pdfimages/img
Opening the recovered PNG reveals the flag:

Key Takeaway: File format corruption can often be fixed by understanding the file structure and manually repairing magic bytes or headers.
All Your Files are Mine

Use file to identify the file type:
file abc.xyz
It’s a zip file! Rename and extract:
mv abc.xyz abc.xyz.zip
7z e abc.xyz.zip
Open evil_plan.txt to find the flag:

Key Takeaway: Malicious actors often disguise file types using incorrect extensions. Always verify with the file command.
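Four of these labs (I’ve Got The Magic, Forensics Here I Come, Corruption, All Your Files are Mine) come down to the same check: read the first bytes and compare them with what the extension claims. As an added example (not the labs' code), here is that check in Python with a small signature table; it reports both the type the magic bytes identify and whether the extension disagrees, which is the condition that flags magicinme, corrupted.png and abc.xyz. The function names are my own.

```python
import os
import sys
from typing import Optional

# Signatures at offset 0 for the formats met in these labs (well-known values).
MAGIC = [
    (b"MZ", "Windows PE executable"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"%PDF-", "PDF document"),
    (b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (b"PK\x03\x04", "ZIP archive"),
]
# Extensions each type would legitimately carry.
EXPECTED_EXT = {
    "Windows PE executable": {".exe", ".dll", ".sys"},
    "PNG image": {".png"},
    "PDF document": {".pdf"},
    "7-Zip archive": {".7z"},
    "ZIP archive": {".zip", ".jar", ".docx", ".xlsx", ".pptx"},
}


def identify_bytes(header: bytes) -> Optional[str]:
    """What `file` does at its core: match the leading bytes against a signature table."""
    for sig, name in MAGIC:
        if header.startswith(sig):
            return name
    return None


def check_header(name: str, header: bytes) -> dict:
    """Compare the type the magic bytes say against the type the extension claims."""
    kind = identify_bytes(header)
    ext = os.path.splitext(name)[1].lower()
    mismatch = kind is not None and ext not in EXPECTED_EXT[kind]
    return {"name": name, "magic": header[:8].hex(" "), "type": kind,
            "ext": ext, "mismatch": mismatch}


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return check_header(path, f.read(16))


if __name__ == "__main__":
    for p in sys.argv[1:]:
        r = check_file(p)
        print(f"{r['name']}: {r['magic']} -> {r['type'] or 'unknown'}"
              + ("  (extension says otherwise!)" if r["mismatch"] else ""))
```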
Top Secret

“The folks at NSA got too tired of having to physically print out and redact documents, so they decided to try a new digital tool. Check out how good it is at doing its job on this redacted document.”

The PDF only overlays black rectangles in its content stream; the underlying JPEG still contains the unredacted text, so direct image extraction bypasses the redaction:
pdfimages -all Nuclear_Codes_REDACTED.pdf img
Use OCR to extract text:
tesseract img-000.jpg stdout
Or just open the jpg manually:

Key Takeaway: Improper redaction techniques (like overlaying black boxes) don’t actually remove sensitive information from documents. Proper redaction requires permanently removing the data.
Remote Data Pwnage 2 (Part 1)

“A malicious actor compromised a machine on our network and used it as a proxy to perform other attacks and connect to other machines. Our IR team managed to recover a partial file system dump of that machine. Take a look and see if you can reconstruct anything useful.”
Looking in C:\Administrator\AppData\Local\Microsoft\Terminal Server Client\Cache\ we find a .bin file:

We can use bmc-tools.py to extract thousands of image fragments:

The entire collage looks like this:

It is very difficult to figure out what is going on from the raw collage, so we use RdpCacheStitcher.
Piecing together all of these individual frames can be quite time consuming:

From here we can take frames and piece them together manually - like putting together pieces of a puzzle but for digital forensics:

Key Takeaway: RDP cache files can be reconstructed to reveal what was displayed on screen during remote sessions, making them valuable artifacts in forensic investigations.
Summary & Key Takeaways
Essential Tools for Digital Forensics
- file - Identify file types by magic bytes
- xxd/hexdump - Hex editors for low-level file analysis
- strings - Extract readable strings from binary files
- exiftool - Metadata extraction from documents and images
- CyberChef - Swiss Army knife for encoding/decoding
- Wireshark - Network traffic analysis and packet inspection
- SQLite Browser - Examine browser history and application databases
- base64 - Decode Base64-encoded data
Forensic Concepts Covered
- Magic Bytes: File type identification independent of extension
- Metadata Analysis: Documents contain hidden information about creators and tools
- Network Forensics: Unencrypted protocols leak sensitive data
- Browser Artifacts: History databases preserve user activity
- Obfuscation Techniques: Base64 encoding commonly hides malicious content
- File Carving: Extract embedded or transferred files from larger datasets
- File Repair: Understanding file formats enables manual corruption fixes
Best Practices
- Always verify file types with the file command, not extensions
- Use encrypted protocols (HTTPS, SFTP, SSH) for sensitive data transmission
- Check document metadata before sharing to avoid information leakage
- Understand common obfuscation techniques (Base64, hex encoding, compression)
- Master CyberChef for quick encoding/decoding tasks
- Practice with different file formats to recognize corruption patterns
Conclusion
These challenges provide an excellent introduction to digital forensics fundamentals. They demonstrate that many forensic tasks don’t require specialized tools - often, standard Linux utilities combined with an understanding of file formats and protocols are sufficient.
Next Steps:
- Practice with more complex challenges involving memory forensics (Volatility)
- Learn disk forensics with tools like Autopsy and FTK Imager
- Explore malware analysis and reverse engineering
- Study incident response frameworks (NIST, SANS)
Resources:
Happy hunting! 🕵️‍♂️