From a2099adf1fa5d54d5642c6f67deed5c1344b18b3 Mon Sep 17 00:00:00 2001
From: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
Date: Tue, 23 Jun 2026 20:52:47 +0300
Subject: [PATCH 01/16] Update README.md
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../02-evidence-acquisition/reading/README.md | 204 ++++++++++++++++--
1 file changed, 191 insertions(+), 13 deletions(-)
diff --git a/chapters/digital-forensics-fundamentals/02-evidence-acquisition/reading/README.md b/chapters/digital-forensics-fundamentals/02-evidence-acquisition/reading/README.md
index f57e764..408d246 100644
--- a/chapters/digital-forensics-fundamentals/02-evidence-acquisition/reading/README.md
+++ b/chapters/digital-forensics-fundamentals/02-evidence-acquisition/reading/README.md
@@ -10,7 +10,7 @@ Before touching any system:
- prepare the forensic workstation:
- write blocker, imaging tools, and hashing tools ready
- storage media wiped
-- make note of every step taken in a documentation template
+- make note of every step taken
After an incident has been identified and scoped, next comes the evidence collection phase.
Collected evidence must:
@@ -62,11 +62,31 @@ Commonly used algorithms:
#### Usage examples
-``` sh/cmd/PowerShell
+``` bash
sha256sum
md5sum
-certutil.exe -hashfile SHA1
-Get-FileHash -Algorithm MD5
+```
+
+``` powershell
+> certutil.exe -hashfile .\indicators.csv
+SHA1 hash of .\indicators.csv:
+c3c60d608ba2ce8dcf6303b84d42f8e8a5cde766
+> certutil.exe -hashfile .\indicators.csv SHA256
+SHA256 hash of .\indicators.csv:
+35fa7037c4218fbf61462f80f250c971bfb318ca1ae6a229f1f93ff6810adffc
+> certutil.exe -hashfile .\indicators.csv MD5
+MD5 hash of .\indicators.csv:
+c9f752858cc253b2a48f712c0f74f3de
+
+> Get-FileHash .\indicators.csv | Format-List
+Algorithm : SHA256
+Hash : 35FA7037C4218FBF61462F80F250C971BFB318CA1AE6A229F1F93FF6810ADFFC
+Path : [..]\indicators.csv
+> Get-FileHash .\indicators.csv -Algorithm SHA1 | Format-List
+Algorithm : SHA1
+Hash : C3C60D608BA2CE8DCF6303B84D42F8E8A5CDE766
+Path : [..]\indicators.csv
+
```
## Evidence volatility
@@ -98,13 +118,13 @@ Disk artifacts may include:
- **information about file system metadata**
- linux: inode table, ext4 journal
- - windows: $MFT file
+ - windows: $MFT file, $LogFile
- **evidence of execution**
- linux: syslog, systemd journal logs, `.bash_history`, `.zsh_history`
- windows: Prefetch files, SRUM
- **evidence of past file presence**
- linux: ext4 journal
- - windows: USN Journal, Windows Search Index
+ - windows: USN Journal, AmCache, Windows Search Index
- **evidence of network communication**
- linux: `/var/log/ufw.log`, `/var/log/auth.log`
- windows: BITS Database
@@ -145,6 +165,62 @@ Common formats:
In practice, `E01` is used for most investigations for the integrity verification, compression, and metadata.
`Raw (dd)` is used when interoperability is the priority.
+### dd
+
+`dd` is a command-line utility that copies, converts and formats data.
+`dc3dd` is a fork of `dd` that does hash verification and logging as well.
+We will use it to take a disk image on unix.
+
+``` bash
+# first we create a 100MB file to use as a practice disk
+$ dd if=/dev/zero of=/data/sss-evidence/practice.img bs=1M count=100
+[..]
+104857600 bytes (105 MB, 100 MiB) copied, 0.865699 s, 121 MB/s
+
+# we create a filesystem and put some data on it
+$ mkfs.ext4 /data/sss-evidence/practice.img
+mke2fs 1.46.2 (28-Feb-2021)
+[..]
+Writing superblocks and filesystem accounting information: done
+$ sudo mkdir -p /mnt/practice
+$ sudo mount -o loop /data/sss-evidence/practice.img /mnt/practice
+$ echo "evidence file content" | sudo tee /mnt/practice/noticeme.txt
+evidence file content
+$ sudo umount /mnt/practice
+
+# we attach it as a read only device to prevent writes to the source
+$ sudo losetup --read-only --find --show /data/sss-evidence/practice.img
+/dev/loop0
+# we check it's read only
+$ sudo blockdev --getro /dev/loop0
+1
+# we double check it's read only
+$ sudo dd if=/dev/zero of=/dev/loop0 bs=512 count=1
+dd: error writing '/dev/loop0': Operation not permitted
+[..]
+
+# we take a raw image with dc3dd
+$ sudo dc3dd if=/dev/loop0 of=/data/sss-evidence/practice.raw hash=sha256 log=/data/sss-evidence/practice.log hlog=/data/sss-evidence/practice.hashes
+dc3dd 7.2.646 started at 2026-06-22 09:36:21 +0000
+compiled options:
+command line: dc3dd if=/dev/loop0 of=/data/sss-evidence/practice.raw hash=sha256 log=/data/sss-evidence/practice.log hlog=/data/sss-evidence/practice.hashes
+device size: 204800 sectors (probed), 104,857,600 bytes
+sector size: 512 bytes (probed)
+ 104857600 bytes ( 100 M ) copied ( 100% ), 1 s, 75 M/s
+input results for device `/dev/loop0':
+ 204800 sectors in
+ 0 bad sectors replaced by zeros
+ 51aa6ad4ee06375a71c32d6f9cd93ce352859f1c9698c01e0281bb790de8da0a (sha256)
+output results for file `/data/sss-evidence/practice.raw':
+ 204800 sectors out
+dc3dd completed at 2026-06-22 09:36:22 +0000
+# we verify the hashes
+$ sha256sum practice.raw
+51aa6ad4ee06375a71c32d6f9cd93ce352859f1c9698c01e0281bb790de8da0a practice.raw
+$ sha256sum practice.img
+51aa6ad4ee06375a71c32d6f9cd93ce352859f1c9698c01e0281bb790de8da0a practice.img
+```
+
### [UAC](https://github.com/tclahr/uac) - Unix-like Artifacts Collector
Live collection tool for Unix-like operating systems.
@@ -155,7 +231,57 @@ UAC comes with two basic predefined profiles:
Usage:
-`./uac -p ir_triage /tmp # Collect all artifacts based on the ir_triage profile, and save the output file to /tmp.`
+``` bash
+# we collect all artifacts based on the ir_triage profile and save the outputs to /tmp
+sss@sss:~/uac-3.3.0$ sudo ./uac -p ir_triage /tmp
+--------------------------------------------------------------------------------
+ ___ ___
+ | \ | | |
+ | / | | |
+ | | | |
+ |_ |___| |
+ |_________|
+
+ Unix-like Artifacts Collector 3.3.0
+--------------------------------------------------------------------------------
+Operating System : linux
+System Architecture : x86_64
+CPU : AMD Ryzen [..] with Radeon Graphics @ 1896 Mhz
+Memory Size : 3960 MB
+Hostname : sss
+Time Zone : Europe/Bucharest
+Mount Point : /
+Running as : root
+Temp Directory : /tmp/uac-data.tmp
+--------------------------------------------------------------------------------
+Artifacts collection started...
+[001/219] 2026-06-22 13:06:36 +0300 live_response/process/ps.yaml
+[002/219] 2026-06-22 13:06:37 +0300 live_response/process/lsof.yaml
+[003/219] 2026-06-22 13:06:38 +0300 live_response/process/top.yaml
+[004/219] 2026-06-22 13:06:38 +0300 live_response/process/procfs_information.yaml
+[..]
+# we check the hashes
+$ cat /tmp/uac-sss-linux-20260622130635.log
+Created by UAC (Unix-like Artifacts Collector) 3.3.0
+[..]
+[System Information]
+Operating System: linux
+System Architecture: x86_64
+Hostname: sss
+[Acquisition Information]
+Mount Point: /
+Acquisition Started: Mon Jun 22 13:06:36 2026 +0300
+Acquisition Finished: Mon Jun 22 13:15:43 2026 +0300
+[Output Information]
+File: uac-sss-linux-20260622130635.tar.gz
+Format: tar
+[Computed Hashes]
+MD5 checksum: c1ba1586c0d7eb5d57cf0e557454751f
+SHA1 checksum: b476fec2c450c08fb3f6bc7cd387065a723329f7
+# we verify the hashes
+$ sha1sum /tmp/uac-sss-linux-20260622130635.tar.gz
+b476fec2c450c08fb3f6bc7cd387065a723329f7 /tmp/uac-sss-linux-20260622130635.tar.gz
+```

@@ -182,6 +308,50 @@ Options:
- [JLECmd](https://github.com/EricZimmerman/JLECmd) (jumplist parser)
- [LECmd](https://github.com/EricZimmerman/LECmd) (parser for shortcut files)
+``` powershell
+# we run KAPE to extract targets and process modules
+PS E:\KAPE> .\kape.exe --tsource C:\ --tdest E:\kapeoutput\targets --target !BasicCollection --tflush --mdest E:\kapeoutput\modules --module !EZParser --mflush
+System info: Machine name: TEST, 64-bit: True, User: test1 OS: Windows10 (10.0.26200)
+Using Target operations
+ Flushing target destination directory E:\kapeoutput\targets
+ Creating target destination directory E:\kapeoutput\targets
+Found 12 targets. Expanding targets to file list...
+Found 1,070 files in 4.185 seconds. Beginning copy...
+ Deferring C:\Windows\System32\winevt\logs\Application.evtx due to IOException...
+ Deferring C:\Windows\System32\winevt\logs\HardwareEvents.evtx due to IOException...
+[..]
+Deferred file count: 257. Copying locked files...
+ Copied deferred file C:\Windows\System32\winevt\logs\Application.evtx to E:\kapeoutput\targets\C\Windows\System32\winevt\logs\Application.evtx. Hashing source file...
+[..]
+Copied 930 (Deduplicated: 140) out of 1,070 files in 780.0411 seconds. See E:\kapeoutput\targets\2026-06-23T12_53_52_9931707_CopyLog.csv for copy details
+
+Using Module operations
+ Setting --msource to E:\kapeoutput\targets since --msource was not provided
+ Flushing module destination directory E:\kapeoutput\modules
+ Creating module destination directory E:\kapeoutput\modules
+ Module AmcacheParser: Found 1 processor
+ Found processor Executable: AmcacheParser.exe, Cmd line: -f %sourceFile% --csv %destinationDirectory% -i --mp, Export: csv, Append: False!
+[..]
+ Module MFTECmd: Found 4 processors
+ Module MFTECmd_$Boot: Found 2 processors
+ Found processor Executable: MFTECmd.exe, Cmd line: -f %sourceFile% --csv %destinationDirectory%, Export: csv, Append: False!
+ Module MFTECmd_$MFT: Found 2 processors
+ Found processor Executable: MFTECmd.exe, Cmd line: -f %sourceFile% --csv %destinationDirectory%, Export: csv, Append: False!
+ Module MFTECmd_$J: Found 2 processors
+ Found processor Executable: MFTECmd.exe, Cmd line: -f %sourceFile% --csv %destinationDirectory%, Export: csv, Append: False!
+[..]
+Discovered 18 processors to run
+Executing modules with file masks...
+ Running AmcacheParser.exe: -f "E:\kapeoutput\targets\C\Windows\appcompat\Programs\Amcache.hve" --csv E:\kapeoutput\modules\ProgramExecution -i --mp
+ Running AppCompatCacheParser.exe: -f "E:\kapeoutput\targets\C\Windows\System32\config\SYSTEM" --csv E:\kapeoutput\modules\ProgramExecution
+ Running MFTECmd.exe: -f "E:\kapeoutput\targets\C\$Boot" --csv E:\kapeoutput\modules\FileSystem
+ Running MFTECmd.exe: -f "E:\kapeoutput\targets\C\$MFT" --csv E:\kapeoutput\modules\FileSystem
+[..]
+Executed 18 processors in 805.5887 seconds
+
+Total execution time: 1,585.7123 seconds
+```
+

_image source: `ericzimmerman.github.io`_
@@ -341,17 +511,25 @@ _image source: `docs.velociraptor.app`_
## Drills
-### Challenge 1
+### before-it-disappears
+
+A service seems to have crashed unexpectedly, leaving behind a dump and a binary.
+Could you reconstruct what the program was doing?
+
+### broken-seal
-Description
+We received a collection of KAPE triage artifacts, so we must follow procedure before we touch anything.
-### Challenge 2
+### droopy
-Description
+In the same set of artifacts from broken-seal, the attackers tried to cover their tracks but left behind the exact source of the payload.
+The flag format is SSS{ip:port/something}
-### Challenge 3
+### ospaperleak
-Description
+This was a clumsy attacker.
+They dropped all sorts of payloads among which a 32 bit one, see if you can find it.
+The flag format is SSS{SHA1}
## Further practice
From 216196a0f48a441802ebedcc7e49ddbdaab60e1a Mon Sep 17 00:00:00 2001
From: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
Date: Wed, 24 Jun 2026 10:16:36 +0300
Subject: [PATCH 02/16] Update README.md
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../02-evidence-acquisition/reading/README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/chapters/digital-forensics-fundamentals/02-evidence-acquisition/reading/README.md b/chapters/digital-forensics-fundamentals/02-evidence-acquisition/reading/README.md
index 408d246..43ee0e4 100644
--- a/chapters/digital-forensics-fundamentals/02-evidence-acquisition/reading/README.md
+++ b/chapters/digital-forensics-fundamentals/02-evidence-acquisition/reading/README.md
@@ -301,6 +301,7 @@ Options:
- KAPE - Kroll Artifact Parser and Extractor
- can be used to collect the most critical artifacts prior to the start of the imaging process
- while the imaging completes, the data generated by KAPE can be reviewed for leads, building timelines, etc.
+- [Timeline Explorer](https://download.ericzimmermanstools.com/net9/TimelineExplorer.zip) (analyze the parsed artifacts)
- [MFTECmd](https://github.com/EricZimmerman/MFTECmd) (extract and parse MFT and USN Journal)
- [PECmd](https://github.com/EricZimmerman/PECmd) (Prefetch parser)
- [Registry Explorer](https://ericzimmerman.github.io/#forensic-tools) (parser and viewer, fixes dirty hives)
From 8c2e5244bea064eb1eb79dc04658a39503612905 Mon Sep 17 00:00:00 2001
From: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
Date: Wed, 24 Jun 2026 13:59:02 +0300
Subject: [PATCH 03/16] Update README.md lesson 3
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../03-file-systems/reading/README.md | 71 ++++++++++++++++---
1 file changed, 63 insertions(+), 8 deletions(-)
diff --git a/chapters/digital-forensics-fundamentals/03-file-systems/reading/README.md b/chapters/digital-forensics-fundamentals/03-file-systems/reading/README.md
index 404d106..de8c9e8 100644
--- a/chapters/digital-forensics-fundamentals/03-file-systems/reading/README.md
+++ b/chapters/digital-forensics-fundamentals/03-file-systems/reading/README.md
@@ -109,8 +109,6 @@ When a file is deleted in EXT4, the operating system does not overwrite or delet
It only marks the inode as free and removes the directory entry that mapped the filename to that inode.
The data blocks themselves are marked as available, but their contents remain on disk until the OS overwrites them with new data.
-That is why file recovery is possible: if the inode has not been reallocated and the data blocks not overwritten, we can recover both the metadata and the file contents.
-
**Unallocated space** means the filesystem deems those blocks free to be written, not necessarily empty.
**Slack space** means the space left after a file has been allocated.
@@ -143,8 +141,19 @@ _image source: `ntfs.com`_
- an NTFS volume starts with the Partition Boot Sector (**$Boot** metadata file), beginning at sector 0 and can be up to 16 sectors
- `$Boot` describes NTFS volume information (bytes per sector, sectors per cluster, etc) and the location of the $MFT
+
+``` powershell
+Line Tag Entry Point Signature Bytes Per Sector Sectors Per Cluster Cluster Size Reserved Sectors Total Sectors Mft Cluster Block Number Mft Mirr Cluster Block Number Mft Entry Size Index Entry Size
+1 Unchecked 0xEB 0x52 0x90 NTFS 512 8 4096 0 132157439 786432 2 1024 4096 [..]
+```
+
- `$MFT` is the main metadata file, each file in the NTFS volume is represented by a record in this table
+``` powershell
+Line Tag Entry Number Sequence Number Parent Entry Number Parent Sequence Number In Use Parent Path File Name Extension Is Directory Has Ads Is Ads File Size Created0x10 Created0x30 Last Modified0x10 Last Modified0x30 Last Record Change0x10 Last Record Change0x30 Last Access0x10 Last Access0x30 Zone Id Contents
+182845 Unchecked 151957 6 171992 2 Checked .\$Recycle.Bin\S-1-5-21-3757327896-2532397730-150904874-1001 $IHVBCBC.exe .exe Unchecked Unchecked Unchecked 98 2026-06-12 12:35:56 2026-06-12 12:35:56 2026-06-12 12:35:56 2026-06-23 12:55:21 2026-06-12 12:35:56 [..]
+```
+

_image source: `ntfs.com`_
@@ -159,7 +168,51 @@ NTFS supports multiple data streams:
- a stream name identifies a new data attribute on the file
- a handle can be opened to each data stream
-Example: `file.dat:stream2`
+``` powershell
+# we create a file and check its content and size
+PS C:\Users\test1> echo "totallynormalbytes" > normal.txt
+PS C:\Users\test1> cat .\normal.txt
+totallynormalbytes
+PS C:\Users\test1> ls .\normal.txt
+ Directory: C:\Users\test1
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+-a---- 6/24/2026 9:52 AM 42 normal.txt
+# we create an alternate data stream and check the content and size
+# they are the same as before, the ads isn't accounted for
+PS C:\Users\test1> Set-Content .\normal.txt -Stream secretstream -Value "badbytes"
+PS C:\Users\test1> cat .\normal.txt
+totallynormalbytes
+PS C:\Users\test1> ls .\normal.txt
+ Directory: C:\Users\test1
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+-a---- 6/24/2026 9:52 AM 42 normal.txt
+# we can access the ads directly
+PS C:\Users\test1> cat .\normal.txt:secretstream
+badbytes
+# or by listing all streams
+PS C:\Users\test1> Get-Item .\normal.txt -Stream *
+PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\test1\normal.txt::$DATA
+PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\test1
+PSChildName : normal.txt::$DATA
+PSDrive : C
+PSProvider : Microsoft.PowerShell.Core\FileSystem
+PSIsContainer : False
+FileName : C:\Users\test1\normal.txt
+Stream : :$DATA
+Length : 42
+
+PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\test1\normal.txt:secretstream
+PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\test1
+PSChildName : normal.txt:secretstream
+PSDrive : C
+PSProvider : Microsoft.PowerShell.Core\FileSystem
+PSIsContainer : False
+FileName : C:\Users\test1\normal.txt
+Stream : secretstream
+Length : 10
+```
Attackers commonly abuse Alternate Data Streams to [hide artifacts](https://attack.mitre.org/techniques/T1564/004/), like data or payloads, in file metadata instead of file data.
@@ -218,7 +271,7 @@ Extracts the contents of a file by inode number.

-Used together, `fls` identifies deleted files by inode, `istat` confirms the inode is still allocated on disk, and `icat` recovers the contents.
+Used together, `fls` identifies files by inode, `istat` confirms the inode is still allocated on disk, and `icat` shows the contents.
## File carving
@@ -271,13 +324,15 @@ If an attacker uses a timestomping tool, they modify $STANDARD_INFORMATION only,
## Drills
-### Challenge 1
+### snack
-Description
+We recovered a small block of disk.
+What's it hiding?
-### Challenge 2
+### time-is-relative
-Description
+It seems this threat actor tried to blend in with the file system.
+But what what the real file creation time?
### Challenge 3
From d0cd4d9a28aa1e4ee39e63314455d3787e235c6b Mon Sep 17 00:00:00 2001
From: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
Date: Thu, 25 Jun 2026 13:20:27 +0300
Subject: [PATCH 04/16] Update solution.md
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../drills/time-is-relative/solution/solution.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/solution/solution.md b/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/solution/solution.md
index c5e5359..e4b71f5 100644
--- a/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/solution/solution.md
+++ b/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/solution/solution.md
@@ -5,7 +5,7 @@
> .\kape.exe --msource "targets\" --mdest "modules\" --module !EZParser
# in modules/FileSystem we find the $MFT file
# we open it in Timeline Explorer and filter for .py files
-# there are only 2 timestomped files with a Created0x30 field
+# there are only two files with a Created0x30 field
Line Tag Entry Number Sequence Number Parent Entry Number Parent Sequence Number In Use Parent Path File Name Extension Is Directory Has Ads Is Ads File Size Created0x10 Created0x30 Last Modified0x10 Last Modified0x30 Last Record Change0x10 Last Record Change0x30 Last Access0x10 Last Access0x30 Zone Id Contents Reparse Target Reference Count SI
Date: Thu, 25 Jun 2026 13:23:30 +0300
Subject: [PATCH 05/16] Update README.md lesson 3
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../03-file-systems/drills/time-is-relative/README.md | 2 +-
.../03-file-systems/reading/README.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/README.md b/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/README.md
index 9724bbd..976bc42 100644
--- a/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/README.md
+++ b/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/README.md
@@ -1,7 +1,7 @@
# time-is-relative
-It seems this threat actor tried to blend in with the file system.
+It seems this threat actor tried to cleanup his tracks.
But what what the real file creation time?
Artifacts:
diff --git a/chapters/digital-forensics-fundamentals/03-file-systems/reading/README.md b/chapters/digital-forensics-fundamentals/03-file-systems/reading/README.md
index de8c9e8..a36e366 100644
--- a/chapters/digital-forensics-fundamentals/03-file-systems/reading/README.md
+++ b/chapters/digital-forensics-fundamentals/03-file-systems/reading/README.md
@@ -331,7 +331,7 @@ What's it hiding?
### time-is-relative
-It seems this threat actor tried to blend in with the file system.
+It seems this threat actor tried to cleanup his tracks.
But what what the real file creation time?
### Challenge 3
From addb90bd615faab78fc81bebe52054e7f5f328b1 Mon Sep 17 00:00:00 2001
From: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
Date: Thu, 25 Jun 2026 15:07:12 +0300
Subject: [PATCH 06/16] Add challs lesson 3
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../drills/time-is-relative/README.md | 12 +++++-------
.../drills/time-is-relative/solution/solution.md | 9 ++++-----
.../03-file-systems/drills/unc/README.md | 14 ++++++++++++++
.../drills/unc/solution/solution.md | 13 +++++++++++++
.../03-file-systems/reading/README.md | 10 +++++++---
5 files changed, 43 insertions(+), 15 deletions(-)
create mode 100644 chapters/digital-forensics-fundamentals/03-file-systems/drills/unc/README.md
create mode 100644 chapters/digital-forensics-fundamentals/03-file-systems/drills/unc/solution/solution.md
diff --git a/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/README.md b/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/README.md
index 976bc42..a365aa6 100644
--- a/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/README.md
+++ b/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/README.md
@@ -1,16 +1,14 @@
# time-is-relative
-It seems this threat actor tried to cleanup his tracks.
+It seems this threat actor dropped something new, trying to blend in with the system.
But what what the real file creation time?
-Artifacts:
-`targets.zip`
+The flag format is SSS{yyyy-MM-dd-hh:mm:ss}
-Hint 1:
-there is a master timekeeper you are seeking.
+Artifacts:
+`time-is-relative.zip`
-Hint 2:
-watch out for snakes.
+Hint 1: it's a totally new payload.
Solution in `../solution/`
diff --git a/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/solution/solution.md b/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/solution/solution.md
index e4b71f5..872b34b 100644
--- a/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/solution/solution.md
+++ b/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/solution/solution.md
@@ -4,11 +4,10 @@
# use KAPE to run modules against the targets
> .\kape.exe --msource "targets\" --mdest "modules\" --module !EZParser
# in modules/FileSystem we find the $MFT file
-# we open it in Timeline Explorer and filter for .py files
-# there are only two files with a Created0x30 field
+# we open it in Timeline Explorer and filter for .exe files
+# we find a payload.exe with a different Created0x30 field
Line Tag Entry Number Sequence Number Parent Entry Number Parent Sequence Number In Use Parent Path File Name Extension Is Directory Has Ads Is Ads File Size Created0x10 Created0x30 Last Modified0x10 Last Modified0x30 Last Record Change0x10 Last Record Change0x30 Last Access0x10 Last Access0x30 Zone Id Contents Reparse Target Reference Count SI
Date: Thu, 25 Jun 2026 15:22:20 +0300
Subject: [PATCH 07/16] Update chall lesson 3
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../03-file-systems/drills/snack/README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/chapters/digital-forensics-fundamentals/03-file-systems/drills/snack/README.md b/chapters/digital-forensics-fundamentals/03-file-systems/drills/snack/README.md
index b1345f6..b7511ef 100644
--- a/chapters/digital-forensics-fundamentals/03-file-systems/drills/snack/README.md
+++ b/chapters/digital-forensics-fundamentals/03-file-systems/drills/snack/README.md
@@ -1,7 +1,8 @@
# snack
-We recovered a small block of disk. What's it hiding?
+We recovered a small block of disk.
+What's it hiding?
Artifacts:
`snack.bin`
From 68f5532021c9c3aa58d20e4a4af3dd95876f2c7c Mon Sep 17 00:00:00 2001
From: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
Date: Thu, 25 Jun 2026 15:46:03 +0300
Subject: [PATCH 08/16] Fix typo
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../03-file-systems/drills/time-is-relative/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/README.md b/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/README.md
index a365aa6..8ee3a84 100644
--- a/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/README.md
+++ b/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/README.md
@@ -2,7 +2,7 @@
# time-is-relative
It seems this threat actor dropped something new, trying to blend in with the system.
-But what what the real file creation time?
+But what is the real file creation time?
The flag format is SSS{yyyy-MM-dd-hh:mm:ss}
From a799c3efd43d20f669b6992c93a4774bbc8b01b7 Mon Sep 17 00:00:00 2001
From: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
Date: Thu, 25 Jun 2026 15:52:23 +0300
Subject: [PATCH 09/16] Fix typo
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../drills/time-is-relative/solution/solution.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/solution/solution.md b/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/solution/solution.md
index 872b34b..9ccec04 100644
--- a/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/solution/solution.md
+++ b/chapters/digital-forensics-fundamentals/03-file-systems/drills/time-is-relative/solution/solution.md
@@ -9,5 +9,5 @@
Line Tag Entry Number Sequence Number Parent Entry Number Parent Sequence Number In Use Parent Path File Name Extension Is Directory Has Ads Is Ads File Size Created0x10 Created0x30 Last Modified0x10 Last Modified0x30 Last Record Change0x10 Last Record Change0x30 Last Access0x10 Last Access0x30 Zone Id Contents Reparse Target Reference Count SI
Date: Thu, 25 Jun 2026 20:14:40 +0300
Subject: [PATCH 10/16] Add chall lesson 3
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../03-file-systems/drills/gone-not-gone/README.md | 11 +++++++++++
.../drills/gone-not-gone/solution/solution.md | 7 +++++++
.../03-file-systems/reading/README.md | 6 ++++++
3 files changed, 24 insertions(+)
create mode 100644 chapters/digital-forensics-fundamentals/03-file-systems/drills/gone-not-gone/README.md
create mode 100644 chapters/digital-forensics-fundamentals/03-file-systems/drills/gone-not-gone/solution/solution.md
diff --git a/chapters/digital-forensics-fundamentals/03-file-systems/drills/gone-not-gone/README.md b/chapters/digital-forensics-fundamentals/03-file-systems/drills/gone-not-gone/README.md
new file mode 100644
index 0000000..e60dc3a
--- /dev/null
+++ b/chapters/digital-forensics-fundamentals/03-file-systems/drills/gone-not-gone/README.md
@@ -0,0 +1,11 @@
+
+# gone-not-gone
+
+An analyst swears they deleted the incriminating file before we imaged the disk.
+The directory entry is gone, but the disk doesn't forget that easily.
+Recover what was deleted.
+
+Artifacts:
+`evidence.img`
+
+Solution in `../solution/`
diff --git a/chapters/digital-forensics-fundamentals/03-file-systems/drills/gone-not-gone/solution/solution.md b/chapters/digital-forensics-fundamentals/03-file-systems/drills/gone-not-gone/solution/solution.md
new file mode 100644
index 0000000..2c1e44b
--- /dev/null
+++ b/chapters/digital-forensics-fundamentals/03-file-systems/drills/gone-not-gone/solution/solution.md
@@ -0,0 +1,7 @@
+# Solution
+
+``` bash
+# we run strings against the artifact to recover the flag
+$ strings evidence.img | grep SSS
+SSS{d3l3t3d_but_n0t_g0ne_inod3_l1v3s}
+```
diff --git a/chapters/digital-forensics-fundamentals/03-file-systems/reading/README.md b/chapters/digital-forensics-fundamentals/03-file-systems/reading/README.md
index 883c6cb..2ae74d5 100644
--- a/chapters/digital-forensics-fundamentals/03-file-systems/reading/README.md
+++ b/chapters/digital-forensics-fundamentals/03-file-systems/reading/README.md
@@ -324,6 +324,12 @@ If an attacker uses a timestomping tool, they modify $STANDARD_INFORMATION only,
## Drills
+### gone-not-gone
+
+An analyst swears they deleted the incriminating file before we imaged the disk.
+The directory entry is gone, but the disk doesn't forget that easily.
+Recover what was deleted.
+
### snack
We recovered a small block of disk.
From 710fd9feeeedd5550c67318e8562a65ffab819f4 Mon Sep 17 00:00:00 2001
From: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
Date: Tue, 30 Jun 2026 13:44:58 +0300
Subject: [PATCH 11/16] Remove draft chall lesson 4
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../04-disk-analysis/drills/README.md | 22 -------------------
.../drills/hello-world/solution/.gitignore | 1 -
.../drills/hello-world/solution/Makefile | 19 ----------------
.../drills/hello-world/solution/hello-world.c | 16 --------------
.../drills/hello-world/solution/utils | 1 -
.../drills/hello-world/support/.gitignore | 1 -
.../drills/hello-world/support/Makefile | 1 -
.../drills/hello-world/support/hello-world.c | 15 -------------
.../drills/hello-world/support/utils | 1 -
.../04-disk-analysis/drills/questions.md | 20 -----------------
10 files changed, 97 deletions(-)
delete mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/README.md
delete mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/.gitignore
delete mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/Makefile
delete mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/hello-world.c
delete mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/utils
delete mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/.gitignore
delete mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/Makefile
delete mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/hello-world.c
delete mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/utils
delete mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/questions.md
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/README.md b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/README.md
deleted file mode 100644
index e8668e7..0000000
--- a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/README.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Practice: Baby Steps
-
-We recommend that for practice, you add a subsection for the exercises.
-This will make it so you can delimit the exercises from the lab's text.
-
-1. You can number the exercises as such.
- And have the text roll over to the next line.
-
-1. This is a second numbered exercise.
-
- **Be careful!**
- You can even link to other chapters internally [like this](questions.md)
-
- Another neat feature is that you can add inline code that uses language specific highlight.
-
- ```Python
- with event:
- while len(messages) == 0:
- event.wait()
- ```
-
- For now, a quiz can only be linked to as such: [Quiz 1](questions.md)
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/.gitignore b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/.gitignore
deleted file mode 100644
index 51dee45..0000000
--- a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/hello-world
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/Makefile b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/Makefile
deleted file mode 100644
index b4bf235..0000000
--- a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-CFLAGS = -Wall -Wextra
-CPPFLAGS = -I utils/ -I utils/log/
-
-EXEC = hello-world
-OBJ = $(patsubst %,%.o,$(EXEC))
-SRC = $(patsubst %,%.c,$(EXEC))
-
-all: $(EXEC)
-
-$(EXEC): $(OBJ) utils/log/log.o
-
-$(OBJ): $(SRC)
-
-utils/log/log.o: utils/log/log.c
-
-clean::
- -rm -f $(OBJ) utils/log/log.o
- -rm -f $(EXEC)
- -rm -f *~
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/hello-world.c b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/hello-world.c
deleted file mode 100644
index 716a0b1..0000000
--- a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/hello-world.c
+++ /dev/null
@@ -1,16 +0,0 @@
-#include
-#include
-#include
-#include
-
-#include "utils.h"
-
-int main(void)
-{
- /**
- * TODO 1: Print a hello world message
- */
- printf("Hello world\n");
-
- return 0;
-}
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/utils b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/utils
deleted file mode 100644
index 3424f3f..0000000
--- a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/solution/utils
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../common/utils/
\ No newline at end of file
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/.gitignore b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/.gitignore
deleted file mode 100644
index 51dee45..0000000
--- a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/hello-world
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/Makefile b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/Makefile
deleted file mode 100644
index 10c4f5d..0000000
--- a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/Makefile
+++ /dev/null
@@ -1 +0,0 @@
-../solution/Makefile
\ No newline at end of file
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/hello-world.c b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/hello-world.c
deleted file mode 100644
index c890e18..0000000
--- a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/hello-world.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include
-#include
-#include
-#include
-
-#include "utils.h"
-
-int main(void)
-{
- /**
- * TODO 1: Print a hello world message
- */
-
- return 0;
-}
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/utils b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/utils
deleted file mode 100644
index 3424f3f..0000000
--- a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/hello-world/support/utils
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../common/utils/
\ No newline at end of file
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/questions.md b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/questions.md
deleted file mode 100644
index d0639df..0000000
--- a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/questions.md
+++ /dev/null
@@ -1,20 +0,0 @@
-# TODO question
-
-## Question Text
-
-Which answer is the correct answer?
-
-## Question Answers
-
-- Bad answer 1
-+ Correct answer
-- Bad answer 2
-- Bad answer 3
-
-## Feedback
-
-Correct answer is the correct answer
-
-```console
-echo "Guess why"
-```
From 7b21b23240d00d200e2761a549fb3963202d6cfd Mon Sep 17 00:00:00 2001
From: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
Date: Tue, 30 Jun 2026 15:20:11 +0300
Subject: [PATCH 12/16] Update README.md lesson 4
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../04-disk-analysis/reading/README.md | 97 +++++++++----------
1 file changed, 47 insertions(+), 50 deletions(-)
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/reading/README.md b/chapters/digital-forensics-fundamentals/04-disk-analysis/reading/README.md
index d38a600..38b056a 100644
--- a/chapters/digital-forensics-fundamentals/04-disk-analysis/reading/README.md
+++ b/chapters/digital-forensics-fundamentals/04-disk-analysis/reading/README.md
@@ -1,7 +1,7 @@
# Disk Analysis
After data has been extracted and measures taken to maintain integrity, we focus on initial event analysis.
-Early triage can offer indication of the type of incident investigated (ransomware, insider threat, cryptojacking, etc), based on which we look for obvious IoCs.
+Early triage can offer indication of the type of incident investigated (ransomware, insider threat, etc), based on which we look for obvious IoCs.
At this stage:
@@ -182,32 +182,7 @@ $ journalctl --directory uac/\[root\]/var/log/journal/ --utc _UID=0 -o verbose
### Evidence of past file presence
-```
-# fls -d shows deleted entries still recorded
-# -r recursive, -d deleted
-# image.dd is a full disk image, so we have to find the partition layout and pass the partition offset to TSK tools
-$ mmls image.dd
-[..]
-GUID Partition Table (EFI)
-Offset Sector: 0
-Units are in 512-byte sectors
- Slot Start End Length Description
-000: Meta 0000000000 0000000000 0000000001 Safety Table
-001: ------- 0000000000 0000002047 0000002048 Unallocated
-002: Meta 0000000001 0000000001 0000000001 GPT Header
-003: Meta 0000000002 0000000033 0000000032 Partition Table
-004: 000 0000002048 0000004095 0000002048
-005: 001 0000004096 0041940991 0041936896
-006: ------- 0041940992 0041943039 0000002048 Unallocated
-$ fls -r -d -o 4096 image.dd
-r/r * 662713(realloc): tmp/.hidden/notmalware.sh
-r/r * 662782(realloc): home/sss/notmalware
-[..]
-
-# icat recovers content by inode number
-# only works if the data blocks have not been overwritten
-$ icat image.dd 662782 > recovered_notmalware
-
+``` bash
# dpkg.log shows package manager logs with timestamps
# look for packages used for post exploitation that may have been installed and removed
$ grep 'install\|remove' uac/\[root\]/var/log/dpkg.log
@@ -230,12 +205,11 @@ End-Date: 2026-06-11 17:42:31
- format varies widely (starts with timestamp, hostname, process name, pid, and the rest is left to the developers)
- collected by UAC with the ir_triage profile
-```
+``` bash
# syslog is the primary logging service
# we filter for kernel module load events
# we look for modules loaded outside of package management or at unusual times
-$ grep -i 'module\|insmod\|modprobe' /var/log/syslog
-### TODO ADD DIAMORPHINE
+$ grep -iE 'module|insmod|modprobe' /var/log/syslog
# check user logins and system reboots from wtmp
# also btmp records failed logins, but it is not enabled by default
@@ -245,12 +219,6 @@ sss pts/0 fe80::a60a:b442: Tue Jun 9 16:47 - 19:36 (02:49)
reboot system boot 0.0.0.0 Tue Jun 9 15:43 still running
[..]
-# check last login per user from lastlog
-$ last -if uac/\[root\]/var/log/lastlog
-Username Port From Latest
-root pts/1 192.168.1.15 Tue Jun 10 16:55:02 +0000 2026
-sss pts/0 fe80::a60a:b442:fc61:8a15%ens33 Thu Jun 11 20:33:24 +0300 2026
-
# check web server logs
# they often show initial access
$ grep -v ' 200 \| 400 ' uac/\[root\]/var/log/apache2/access.log | head
@@ -413,7 +381,7 @@ We parse prefetch files with `PECmd.exe` and output to csv.
We analyze the 2 csv outputs with Timeline Explorer from EZ Tools.
-```
+``` powershell
# timeline, one row per run time
Run Time Executable Name
2026-06-08 07:46:33 \VOLUME{01da3ed381705ea1-ca817eba}\USERS\TEST1\DOWNLOADS\ANYDESK.EXE
@@ -651,11 +619,6 @@ The USN Journal `Extend$UsnJrnl:J` is a change log with every create, delete, re
It fills the gaps the `$MFT` leaves, which shows the current state of a file, while the USN Journal shows the sequence of changes.
Parsed with `MFTECmd.exe`, pointed at the $J stream.
-**Windows Search Index**
-
-The Windows Search Index (`Windows.edb`, an ESE database) stores filenames, properties and sometimes content.
-It can show evidence of deleted files and requires an ESE database parser, like [sidr](https://github.com/strozfriedberg/sidr).
-
**System Resource Usage Monitor**
SRUM (`C:\Windows\System32\sru\SRUDB.dat`, also ESE) stores per application resource usage, including bytes sent and received, cpu time, and the user that ran it.
@@ -720,24 +683,58 @@ Note it can be slow, some artifact formats may not be parsed. For in depth work,
## Drills
-### Challenge 1
+### weak-on-figs
+
+What initial backdoor did the adversary plant on the beachhead user?
+
+The flag format is `SSS{/full/path/to/file}`
+
+### deuces
+
+What file does the adversary consistently delete to cleanup her tracks?
+
+The flag format is `SSS{/full/path/to/file}`
+
+### regulars
+
+Some more questions arise from the same set of given artifacts, see if you can find evidence to answer them all.
+
+1. What executable did the attacker run to establish persistence?
+
+The flag format is `SSS{full/path/to/executable}`
+
+2. What was the full cmdline they used?
+
+The flag format is `SSS{full -cmdline here}`
+
+3. What secondary persistence is established by the backdoor user?
+
+The flag format is `SSS{/full/path/to/executable}`
+
+4. What time was the secondary persistence planted by the backdoor user?
+
+The flag format is `SSS{yyyy-MM-dd-hh:mm:ss}`
+
+5. What is the first backdoor user the attacker logged in with and what shell does it use?
-Description
+The flag format is `SSS{/home/fullusername:/full/path/to/this/user's/shell/}`
-### Challenge 2
+6. What time did the attacker first log in as the backdoor user?
-Description
+The flag format is `SSS{yyyy-MM-dd-hh:mm}`
-### Challenge 3
+7. What other users did the attacker try to login with?
-Description
+The flag format is `SSS{fullusername}`
## Further reading
+[+] [Body file](https://wiki.sleuthkit.org/Body-file/)
+[+] [Body file more detailed](https://forensics.wiki/body_file/)
+[+] [Body file with stat and find](https://trustedsec.com/blog/incident-response-bring-out-the-body-file)
[+] [Windows Registry Forensics](https://www.cybertriage.com/blog/windows-registry-forensics-cheat-sheet-2025/)
[+] [Windows Event IDs](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/)
-[+] [Body file](https://wiki.sleuthkit.org/index.php?title=Body_file)
-[+] [AmCache](https://www.thedfirspot.com/post/evidence-of-program-existence-amcache)
+[+] [AmCache](https://www.thedfirspot.com/post/evidence-of-program-existence-amcache)
[+] [$LogFile](https://forensafe.com/blogs/windowslogfile.html)
[+] [Forensic Timelines](https://www.thedfirspot.com/post/from-chaos-to-chronology-the-power-of-forensic-timelines)
[+] [You don't know jack about bash history](https://www.youtube.com/watch?v=wv1xqOV2RyE)
From f5a6764d83fb2c58a967dfe9029cd071a251bbde Mon Sep 17 00:00:00 2001
From: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
Date: Wed, 1 Jul 2026 11:34:19 +0300
Subject: [PATCH 13/16] Add challs lesson 4
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../04-disk-analysis/drills/deuces/README.md | 17 ++++
.../drills/deuces/solution/solution.md | 12 +++
.../drills/regulars/README.md | 67 ++++++++++++++
.../drills/regulars/solution/solution.md | 89 +++++++++++++++++++
.../drills/weak-on-figs/README.md | 17 ++++
.../drills/weak-on-figs/solution/solution.md | 10 +++
6 files changed, 212 insertions(+)
create mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/deuces/README.md
create mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/deuces/solution/solution.md
create mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/regulars/README.md
create mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/regulars/solution/solution.md
create mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/weak-on-figs/README.md
create mode 100644 chapters/digital-forensics-fundamentals/04-disk-analysis/drills/weak-on-figs/solution/solution.md
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/deuces/README.md b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/deuces/README.md
new file mode 100644
index 0000000..5467119
--- /dev/null
+++ b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/deuces/README.md
@@ -0,0 +1,17 @@
+
+# deuces
+
+What file does the adversary consistently delete to cleanup her tracks?
+
+The flag format is `SSS{/full/path/to/file}`
+
+Artifacts:
+`uac.tar.gz`
+
+Hint 1:
+what config did the attacker edit?
+
+Hint 2:
+how does a user run commands when logging out?
+
+Solution in `../solution/`
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/deuces/solution/solution.md b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/deuces/solution/solution.md
new file mode 100644
index 0000000..e68987c
--- /dev/null
+++ b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/deuces/solution/solution.md
@@ -0,0 +1,12 @@
+# Solution
+
+``` bash
+# we check the .bash_logout and find a weird addition
+$ cat \[root\]/home/ritabeakerlab/.bash_logout
+[..]
+# app cleanup routine executed at each logout
+rm -rf /tmp/khsolutions-app-cache-$USER
+[..]
+# we reconstruct the flag
+SSS{/tmp/khsolutions-app-cache-$USER}
+```
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/regulars/README.md b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/regulars/README.md
new file mode 100644
index 0000000..4fc5f30
--- /dev/null
+++ b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/regulars/README.md
@@ -0,0 +1,67 @@
+
+# regulars
+
+Some more questions arise from the same set of given artifacts, see if you can find evidence to answer them all.
+
+Artifacts:
+`uac.tar.gz`
+
+1. What executable did the attacker run to establish persistence?
+
+The flag format is `SSS{full/path/to/executable}`
+
+2. What was the full cmdline they used?
+
+The flag format is `SSS{full -cmdline here}`
+
+3. What secondary persistence is established by the backdoor user?
+
+The flag format is `SSS{/full/path/to/executable}`
+
+4. What time was the secondary persistence planted by the backdoor user?
+
+The flag format is `SSS{yyyy-MM-dd-hh:mm:ss}`
+
+5. What is the first backdoor user the attacker logged in with and what shell does it use?
+
+The flag format is `SSS{/home/fullusername:/full/path/to/this/user's/shell/}`
+
+6. What time did the attacker first log in as the backdoor user?
+
+The flag format is `SSS{yyyy-MM-dd-hh:mm}`
+
+7. What other user did the attacker try to login with?
+
+The flag format is `SSS{fullusername}`
+
+Artifacts:
+`uac.tar.gz`
+
+Hint 1:
+you're probably seeking the command line.
+
+Hint 2:
+what logs show the `CMDLINE` or `COMMAND` executed?
+
+Hint 3-1:
+what config did the attacker edit?
+
+Hint 3-2:
+how does a user `run commands`?
+
+Hint 4:
+what artifacts show us the timestamps on ext4?
+
+Hint 5-1:
+what log file shows us successful logins?
+
+Hint 5-2:
+what file shows user's shells?
+
+Hint 6:
+what log file shows us successful logins?
+
+Hint 7:
+what log file shows us failed logins?
+
+Solution in `../solution/`
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/regulars/solution/solution.md b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/regulars/solution/solution.md
new file mode 100644
index 0000000..9f948ae
--- /dev/null
+++ b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/regulars/solution/solution.md
@@ -0,0 +1,89 @@
+# Solution
+
+``` bash
+# we check the systemd journal
+$ journalctl --directory \[root\]/var/log/journal/ --utc _UID=0 -o verbose
+[..]
+Mon 2026-06-29 15:42:58.765736 UTC [s=9fbac86c19a74229aca807b62895db81;i=24a92;b=8286180fa28b44ce9720>
+ PRIORITY=6
+ _UID=0
+ _GID=0
+[..]
+ SYSLOG_IDENTIFIER=useradd
+ _COMM=useradd
+ SYSLOG_PID=3616
+ SYSLOG_TIMESTAMP=Jun 29 18:42:58
+ MESSAGE=new user: name=avahi-d, UID=0, GID=0, home=/home/avahi-d, shell=/bin/sh, from=/dev/pts/2
+ _PID=3616
+ _EXE=/usr/sbin/useradd
+ _CMDLINE=useradd -o -u 0 -g 0 -m avahi-d
+ _SOURCE_REALTIME_TIMESTAMP=1782747778765736
+# or we check the auth.log
+$ cat \[root\]/var/log/auth.log
+[..]
+Jun 29 12:03:58 ritabeakerlab sudo: ritabeakerlab : TTY=pts/0 ; PWD=/home/ritabeakerlab ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 -g 0 -m avahi-d
+# we reconstruct the flag
+SSS{/usr/sbin/useradd}
+```
+
+``` bash
+# we check the systemd journal
+$ journalctl --directory \[root\]/var/log/journal/ --utc _UID=0 -o verbose | grep _CMDLINE
+# we reconstruct the flag
+SSS{useradd -o -u 0 -g 0 -m avahi-d}
+```
+
+``` bash
+# we check the bashrc for the backdoor user and find a weird addition
+$ cat \[root\]/home/avahi-d/.bashrc
+[..]
+# avahi-daemon config
+(/var/log/avahi/.d/run.sh >/dev/null 2>&1 &)
+SSS{/var/log/avahi/.d/run.sh}
+```
+
+``` bash
+# we see timestamp for the backdoor user .bashrc in the bodyfile
+Line Tag Timestamp macb Meta File Name File Size
+2409141 Unchecked 2026-06-29 16:14:58 m.cb 2248618 /home/avahi-d/.bashrc 3837
+# we reconstruct the flag
+SSS{2026-06-29-16:14:58}
+```
+
+``` bash
+# we check who logged in
+$ last -if \[root\]/var/log/wtmp
+# the only user besides our beachhead user is avahi-d
+avahi-d pts/0 fe80::2eb0:ae7b: Mon Jun 29 16:15 - 16:19 (00:03)
+avahi-d pts/0 fe80::2eb0:ae7b: Mon Jun 29 16:10 - 16:15 (00:04)
+avahi-d pts/0 fe80::2eb0:ae7b: Mon Jun 29 16:06 - 16:10 (00:03)
+# we check what shell they use
+# we notice they also use the root uid and gid 0
+$ cat /etc/passwd
+[..]
+sys-gnd:x:1001:1001:,,,:/home/sys-gnd:/bin/bash
+xfcenv:x:1002:1002:,,,:/home/xfcenv:/bin/bash
+admin:x:1003:1003:,,,:/home/admin:/bin/bash
+avahi-d:x:0:0::/home/avahi-d:/bin/sh
+# we reconstruct the flag
+SSS{/home/avahi-d:/bin/sh}
+```
+
+``` bash
+# we check who logged in and see the timestamps
+$ last -if \[root\]/var/log/wtmp
+avahi-d pts/0 fe80::2eb0:ae7b: Mon Jun 29 16:15 - 16:19 (00:03)
+avahi-d pts/0 fe80::2eb0:ae7b: Mon Jun 29 16:10 - 16:15 (00:04)
+avahi-d pts/0 fe80::2eb0:ae7b: Mon Jun 29 16:06 - 16:10 (00:03)
+# we reconstruct the flag
+SSS{2026-06-29-16:06}
+```
+
+``` bash
+# we check the btmp log
+$ last -if \[root\]/var/log/btmp
+hp ssh:notty fe80::2eb0:ae7b: Mon Jun 29 14:32 gone - no logout
+hp ssh:notty fe80::2eb0:ae7b: Mon Jun 29 14:32 - 14:32 (00:00)
+# we reconstruct the flag
+SSS{hp}
+```
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/weak-on-figs/README.md b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/weak-on-figs/README.md
new file mode 100644
index 0000000..2accae8
--- /dev/null
+++ b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/weak-on-figs/README.md
@@ -0,0 +1,17 @@
+
+# weak-on-figs
+
+What initial backdoor did the adversary plant on the beachhead user?
+
+The flag format is `SSS{/full/path/to/file}`
+
+Artifacts:
+`uac.tar.gz`
+
+Hint 1:
+what config did the attacker edit?
+
+Hint 2:
+how does a user run commands?
+
+Solution in `../solution/`
diff --git a/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/weak-on-figs/solution/solution.md b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/weak-on-figs/solution/solution.md
new file mode 100644
index 0000000..ad6d423
--- /dev/null
+++ b/chapters/digital-forensics-fundamentals/04-disk-analysis/drills/weak-on-figs/solution/solution.md
@@ -0,0 +1,10 @@
+# Solution
+
+```bash
+# we check the bashrc config and find an odd addition:
+$ cat \[root\]/home/ritabeakerlab/.bashrc
+# do not delete # admin #
+(/tmp/.sysadmin/debian_chroot/sysrun.sh >/dev/null &)
+# we reconstruct the flag with the full name of the file
+Flag SSS{/tmp/.sysadmin/debian_chroot/sysrun.sh}
+```
From cb3efbd1f875b9f0e4681c2b3a28c2dfb00757ca Mon Sep 17 00:00:00 2001
From: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
Date: Thu, 2 Jul 2026 13:19:27 +0300
Subject: [PATCH 14/16] Remove draft chall lesson 5
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../05-memory-analysis/drills/README.md | 22 -------------------
.../drills/hello-world/solution/.gitignore | 1 -
.../drills/hello-world/solution/Makefile | 19 ----------------
.../drills/hello-world/solution/hello-world.c | 16 --------------
.../drills/hello-world/solution/utils | 1 -
.../drills/hello-world/support/.gitignore | 1 -
.../drills/hello-world/support/Makefile | 1 -
.../drills/hello-world/support/hello-world.c | 15 -------------
.../drills/hello-world/support/utils | 1 -
.../05-memory-analysis/drills/questions.md | 20 -----------------
10 files changed, 97 deletions(-)
delete mode 100644 chapters/digital-forensics-fundamentals/05-memory-analysis/drills/README.md
delete mode 100644 chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/.gitignore
delete mode 100644 chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/Makefile
delete mode 100644 chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/hello-world.c
delete mode 100644 chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/utils
delete mode 100644 chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/.gitignore
delete mode 100644 chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/Makefile
delete mode 100644 chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/hello-world.c
delete mode 100644 chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/utils
delete mode 100644 chapters/digital-forensics-fundamentals/05-memory-analysis/drills/questions.md
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/README.md b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/README.md
deleted file mode 100644
index e8668e7..0000000
--- a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/README.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Practice: Baby Steps
-
-We recommend that for practice, you add a subsection for the exercises.
-This will make it so you can delimit the exercises from the lab's text.
-
-1. You can number the exercises as such.
- And have the text roll over to the next line.
-
-1. This is a second numbered exercise.
-
- **Be careful!**
- You can even link to other chapters internally [like this](questions.md)
-
- Another neat feature is that you can add inline code that uses language specific highlight.
-
- ```Python
- with event:
- while len(messages) == 0:
- event.wait()
- ```
-
- For now, a quiz can only be linked to as such: [Quiz 1](questions.md)
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/.gitignore b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/.gitignore
deleted file mode 100644
index 51dee45..0000000
--- a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/hello-world
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/Makefile b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/Makefile
deleted file mode 100644
index b4bf235..0000000
--- a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-CFLAGS = -Wall -Wextra
-CPPFLAGS = -I utils/ -I utils/log/
-
-EXEC = hello-world
-OBJ = $(patsubst %,%.o,$(EXEC))
-SRC = $(patsubst %,%.c,$(EXEC))
-
-all: $(EXEC)
-
-$(EXEC): $(OBJ) utils/log/log.o
-
-$(OBJ): $(SRC)
-
-utils/log/log.o: utils/log/log.c
-
-clean::
- -rm -f $(OBJ) utils/log/log.o
- -rm -f $(EXEC)
- -rm -f *~
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/hello-world.c b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/hello-world.c
deleted file mode 100644
index 716a0b1..0000000
--- a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/hello-world.c
+++ /dev/null
@@ -1,16 +0,0 @@
-#include
-#include
-#include
-#include
-
-#include "utils.h"
-
-int main(void)
-{
- /**
- * TODO 1: Print a hello world message
- */
- printf("Hello world\n");
-
- return 0;
-}
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/utils b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/utils
deleted file mode 100644
index 3424f3f..0000000
--- a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/solution/utils
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../common/utils/
\ No newline at end of file
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/.gitignore b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/.gitignore
deleted file mode 100644
index 51dee45..0000000
--- a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/hello-world
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/Makefile b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/Makefile
deleted file mode 100644
index 10c4f5d..0000000
--- a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/Makefile
+++ /dev/null
@@ -1 +0,0 @@
-../solution/Makefile
\ No newline at end of file
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/hello-world.c b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/hello-world.c
deleted file mode 100644
index c890e18..0000000
--- a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/hello-world.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include
-#include
-#include
-#include
-
-#include "utils.h"
-
-int main(void)
-{
- /**
- * TODO 1: Print a hello world message
- */
-
- return 0;
-}
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/utils b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/utils
deleted file mode 100644
index 3424f3f..0000000
--- a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/hello-world/support/utils
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../common/utils/
\ No newline at end of file
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/questions.md b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/questions.md
deleted file mode 100644
index d0639df..0000000
--- a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/questions.md
+++ /dev/null
@@ -1,20 +0,0 @@
-# TODO question
-
-## Question Text
-
-Which answer is the correct answer?
-
-## Question Answers
-
-- Bad answer 1
-+ Correct answer
-- Bad answer 2
-- Bad answer 3
-
-## Feedback
-
-Correct answer is the correct answer
-
-```console
-echo "Guess why"
-```
From 5082b134ccde15562ec0ab384b66399ff7b4f3dc Mon Sep 17 00:00:00 2001
From: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
Date: Fri, 3 Jul 2026 13:06:23 +0300
Subject: [PATCH 15/16] Update README.md lesson 5
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../05-memory-analysis/reading/README.md | 185 +++++++++++-------
1 file changed, 110 insertions(+), 75 deletions(-)
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/reading/README.md b/chapters/digital-forensics-fundamentals/05-memory-analysis/reading/README.md
index d5b7dcb..a102ef1 100644
--- a/chapters/digital-forensics-fundamentals/05-memory-analysis/reading/README.md
+++ b/chapters/digital-forensics-fundamentals/05-memory-analysis/reading/README.md
@@ -3,8 +3,6 @@
A wealth of evidence resides in the random access memory (RAM) of the analyzed system, which can be used to correlate with other evidence, such as network or disk activity.
When the system is shutdown, the memory data is lost.
-The memory image used in this class: [TODO](TODO)
-
The main focus of memory analysis is finding malicious processes or executables to extract and examine further.
## Prerequisites
@@ -78,70 +76,106 @@ We will use Volatility3, and resort to Volatility2 only in case of missing funct
### General information
-`python3 vol.py -f memory.dmp windows.info` # display memory image information
-
-`python3 vol.py -f unix.dmp banners` # attempt to identify unix kernel version details
-
-- to analyze a Linux or macOS RAM capture with Volatility3 you must to use appropriate kernel debugging information
-- collection of [symbol](https://github.com/Abyss-W4tcher/volatility3-symbols) tables
-- if you cannot find an appropriate symbol table for your kernel version, you can also [create one](https://volatility3.readthedocs.io/en/latest/symbol-tables.html#mac-or-linux-symbol-tables) manually
-
-### Process information
-
-`python3 vol.py -f memory.dmp windows.psscan` # list all processes
-
-`python3 vol.py -f unix.dmp linux.pslist.PsList` # list all processes
-
-`python3 vol.py -f memory.dmp windows.pstree` # list process tree
-
-`python3 vol.py -f unix.dmp linux.pstree.PsTree` # list process tree
-
-`python3 vol.py -f unix.dmp linux.psaux.PsAux` # list processes with command-line args
-
-`python3 vol.py -f memory.dmp windows.dlllist --pid 1337` # list dlls loaded by PID
-
-`python3 vol.py -f unix.dmp linux.lsof.Lsof` # list open files per process
-
-`python3 vol.py -f memory.dmp windows.memmap` # list all memory mapped regions
-
-`python3 vol.py -f memory.dmp windows.handles --pid 1337` # list handles opened by PID
-
-### Network information
-
-`python3 vol.py -f memory.dmp windows.netscan` # scan for network objects
-
-`python3 vol.py -f unix.dmp linux.netfilter.Netfilter` # inspect netfilter hooks
-
-### Command history
-
-`python3 vol.py -f memory.dmp windows.cmdline` # show command history
-
-`python3 vol.py -f unix.dmp linux.bash.Bash` # show command history
-
-### Malfind
-
-`python3 vol.py -f memory.dmp windows.malfind` # scan for rogue activity
-
-`python3 vol.py -f unix.dmp linux.malfind.Malfind` # scan for suspicious memory regions
-
-### Scan for specific objects
-
-`python3 vol.py -f memory.dmp windows.registry.hivelist` # list registry hives mapped in memory, based on OS structures
-
-`python3 vol.py -f memory.dmp windows.registry.hivescan` # scan raw memory for registry hives
-
-- based on hive signatures
-- can find hives not loaded in OS structures, or corrupted hives
-
-### Extract files
-
-`python3 vol.py -f memory.dmp windows.dumpfiles --pid 1337 -o ~/outputpid1337/` # extract files from process memory
-
-### Memory scan with YARA
-
-`python3 vol.py -f memory.dmp windows.yarascan --yara-file=rule.yar`
-
-`python3 vol.py -f unix.dmp linux.vmayarascan.VmaYaraScan --yara-file=rule.yar`
+``` bash
+# we scan for windows os and image metadata
+$ python3 vol.py -f win.dmp windows.info
+
+# we scan for unix kernel version details
+$ python3 vol.py -f unix.dmp banners
+```
+
+To analyze a Linux or macOS RAM capture with Volatility3 you must to use appropriate kernel debugging information.
+
+We find a collection of [symbol](https://github.com/Abyss-W4tcher/volatility3-symbols) tables.
+
+If you cannot find an appropriate symbol table for your kernel version, you can also [create one](https://volatility3.readthedocs.io/en/latest/symbol-tables.html#mac-or-linux-symbol-tables) manually.
+
+``` bash
+# download the matching debug kernel vmlinux with dwarf
+# example ubuntu
+$ sudo apt install linux-image-6.17.0-35-generic-dbgsym
+# convert with dwarf2json
+$ git clone https://github.com/volatilityfoundation/dwarf2json.git
+$ cd dwarf2json && go build
+$ ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-6.17.0-35-generic > 6.17.0-35-generic.json
+# xz the json and move to volatility symbols directory
+$ xz 6.17.0-35-generic.json
+$ mv 6.17.0-35-generic.json.xz ~/venv/lib/python3.9/site-packages/volatility3/symbols
+```
+
+### Linux
+
+``` bash
+# list all processes linked list
+python3 vol.py -f unix.dmp linux.pslist
+OFFSET (V) PID TID PPID COMM UID GID EUID EGID CREATION TIME File output
+0x898d00a2a9c0 1 1 0 systemd 0 0 0 0 - Disabled
+[..]
+# scan memory for process structures
+python3 vol.py -f unix.dmp linux.psscan
+# show process tree
+python3 vol.py -f unix.dmp linux.pstree
+OFFSET (V) PID TID PPID COMM
+0x898d00a2a9c0 1 1 0 systemd
+* 0x898d061d0000 370 370 1 systemd-journal
+* 0x898d23ce5380 861 861 1 avahi-daemon
+** 0x898d25f28000 919 919 861 avahi-daemon
+[..]
+# show processes with command-line args
+python3 vol.py -f unix.dmp linux.psaux
+PID PPID COMM ARGS
+1 0 systemd /sbin/init splash
+2 0 kthreadd [kthreadd]
+3 2 pool_workqueue_ [pool_workqueue_]
+[..]
+# list open files per process
+python3 vol.py -f unix.dmp linux.lsof
+# inspect network connections
+python3 vol.py -f unix.dmp linux.netscan
+# inspect netfilter hooks
+python3 vol.py -f unix.dmp linux.netfilter
+# show command history
+python3 vol.py -f unix.dmp linux.bash
+# scan for suspicious memory regions
+python3 vol.py -f unix.dmp linux.malfind
+# scan with yara rules
+python3 vol.py -f unix.dmp linux.vmayarascan.VmaYaraScan --yara-file=rule.yar
+```
+
+### Windows
+
+``` bash
+# list all processes linked list
+python3 vol.py -f win.dmp windows.pslist
+# scan for all EPROCESS structures
+python3 vol.py -f win.dmp windows.psscan
+# show process tree
+python3 vol.py -f win.dmp windows.pstree
+# show cross view of process listings
+python3 vol.py -f win.dmp windows.psxview
+# list dlls loaded by PID
+python3 vol.py -f win.dmp windows.dlllist --pid 1337
+# extract all memory mapped regions
+python3 vol.py -f win.dmp windows.memmap --pid 1337 --dump
+# list handles opened by PID
+python3 vol.py -f win.dmp windows.handles --pid 1337
+# scan for network objects
+python3 vol.py -f win.dmp windows.netscan
+# show command history
+python3 vol.py -f win.dmp windows.cmdline
+# scan for rogue activity
+python3 vol.py -f win.dmp windows.malfind
+# list registry hives mapped in memory, based on OS structures
+python3 vol.py -f win.dmp windows.registry.hivelist
+# scan raw memory for registry hives
+# based on hive signatures
+# can find hives not loaded in OS structures, or corrupted hives
+python3 vol.py -f win.dmp windows.registry.hivescan
+# extract files from process memory
+python3 vol.py -f memory.dmp windows.dumpfiles --pid 1337 -o ~/outputpid1337/
+# scan with YARA rules
+python3 vol.py -f memory.dmp windows.yarascan --yara-file=rule.yar
+```
## Strings
@@ -158,21 +192,22 @@ See `man strings` for other encoding options.
## Summary
-- summary
+- we use `volatility` to analyze the memory dumps
+- unix memory dumps require a symbols table for `volatility` to read them
+- we look for suspicious processes, running from unexpected locations
+- we check for network connections
+- we look for the any commands from the shell history
+- we dump the files and investigate further
## Drills
-### Challenge 1
-
-Description
-
-### Challenge 2
+### untitled
-Description
+During a routine audit, a new local account was found on this workstation with no justification for its creation. The system was flagged for unusual activity and a memory capture tas taken. Find the flag.
-### Challenge 3
+### plainsight
-Description
+We collected this memory dump, see if you can make sense of it.
## Further reading
From 337baec57e89dd1d413a5895f1fa0690efa0e95a Mon Sep 17 00:00:00 2001
From: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
Date: Fri, 3 Jul 2026 13:09:03 +0300
Subject: [PATCH 16/16] Add challs lesson 5
Signed-off-by: Andreea Iacob <98848204+haarlems@users.noreply.github.com>
---
.../drills/plainsight/README.md | 30 ++++++++++++
.../drills/plainsight/solution/solution.md | 44 +++++++++++++++++
.../drills/untitled/README.md | 17 +++++++
.../drills/untitled/solution/solution.md | 49 +++++++++++++++++++
4 files changed, 140 insertions(+)
create mode 100644 chapters/digital-forensics-fundamentals/05-memory-analysis/drills/plainsight/README.md
create mode 100644 chapters/digital-forensics-fundamentals/05-memory-analysis/drills/plainsight/solution/solution.md
create mode 100644 chapters/digital-forensics-fundamentals/05-memory-analysis/drills/untitled/README.md
create mode 100644 chapters/digital-forensics-fundamentals/05-memory-analysis/drills/untitled/solution/solution.md
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/plainsight/README.md b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/plainsight/README.md
new file mode 100644
index 0000000..f01e7d4
--- /dev/null
+++ b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/plainsight/README.md
@@ -0,0 +1,30 @@
+
+# plainsight
+
+We collected this memory dump, see if you can make sense of it.
+
+Artifacts:
+`evidence.mem`
+
+1. What time did the malicious process id start?
+
+The flag format is `SSS{yyyy-MM-dd-hh:mm:ss}`
+
+2. What is its physical memory offset?
+
+The flag format is `SSS{offset}`
+
+3. What path on disk does it run from?
+
+The flag format is `SSS{\path\to\file}`
+
+Hint 1:
+what non standard windows process is running?
+
+Hint 2:
+how does volatility show the physical memory offsets?
+
+Hint 3:
+what process listing shows us the full path?
+
+Solution in `../solution/`
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/plainsight/solution/solution.md b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/plainsight/solution/solution.md
new file mode 100644
index 0000000..fca5f30
--- /dev/null
+++ b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/plainsight/solution/solution.md
@@ -0,0 +1,44 @@
+# Solution
+
+1. What time did the malicious process id start?
+
+The flag format is `SSS{yyyy-MM-dd-hh:mm:ss}`
+
+``` bash
+# we run pslist and notice a system.exe which is not a regular system application
+$ vol -f evidence.mem windows.pslist
+PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
+[..]
+9744 7688 conhost.exe 0x8c0c9b1f3080 3 - 1 False 2026-07-01 17:28:53.000000 UTC N/A Disabled
+7688 1580 system.exe 0x8c0c9d1cf0c0 20 - 1 True 2026-07-01 17:28:53.000000 UTC N/A Disabled
+# we reconstruct the flag
+SSS{2026-07-01-17:28:53}
+```
+
+2. What is its physical memory offset?
+
+The flag format is `SSS{offset}`
+
+``` bash
+# we see it in the psscan output with the --physical flag
+$ vol -f evidence.mem windows.psscan --physical
+PID PPID ImageFileName Offset(P) Threads Handles SessionId Wow64 CreateTime ExitTime File output
+[..]
+7688 1580 system.exe 0x3af8e0c0 20 - 1 True 2026-07-01 17:28:53.000000 UTC N/A Disabled
+# we reconstruct the flag
+SSS{0x3af8e0c0}
+```
+
+3. What path on disk does it run from?
+
+The flag format is `SSS{\path\to\file}`
+
+``` bash
+# we look at the process tree
+$ vol -f evidence.mem windows.pstree
+PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime Audit Cmd Path
+[..]
+*** 7688 1580 system.exe 0x8c0c9d1cf0c0 20 - 1 True 2026-07-01 17:28:53.000000 UTCN/A \Device\HarddiskVolume3\Users\test1\AppData\LocalLow\Microsoft\Internet Explorer\system.exe - -
+# we reconstruct the flag
+SSS{C:\Users\test1\AppData\LocalLow\Microsoft\Internet Explorer\system.exe}
+```
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/untitled/README.md b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/untitled/README.md
new file mode 100644
index 0000000..2870c6e
--- /dev/null
+++ b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/untitled/README.md
@@ -0,0 +1,17 @@
+
+# untitled
+
+During a routine audit, a new local account was found on this workstation with no justification for its creation. The system was flagged for unusual activity and a memory capture tas taken. Find the flag.
+
+Artifacts:
+`ftk.mem`
+
+Hint 1:
+what processes were started by the new account?
+
+Hint 2:
+did you check the memory map of a process started by the new account for the flag?
+
+Hint 3: the flag is not visible with plain strings, because it is not a plain string.
+
+Solution in `../solution/`
diff --git a/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/untitled/solution/solution.md b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/untitled/solution/solution.md
new file mode 100644
index 0000000..e4e2596
--- /dev/null
+++ b/chapters/digital-forensics-fundamentals/05-memory-analysis/drills/untitled/solution/solution.md
@@ -0,0 +1,49 @@
+# Solution
+
+``` bash
+# first we check the image for info
+$ vol -f ftk.mem windows.info
+Variable Value
+Kernel Base 0xf803c1000000
+DTB 0x1ae000
+Symbols file:~/vol3-venv/lib/python3.9/site-packages/volatility3/symbols/windows/ntkrnlmp.pdb/11D7FE79CC245612055503EE86BB0E3E-1.json.xz
+Is64Bit True
+IsPAE False
+layer_name 0 WindowsIntel32e
+memory_layer 1 FileLayer
+KdVersionBlock 0xf803c1e0a9a0
+Major/Minor 15.26100
+MachineType 34404
+KeNumberProcessors 2
+SystemTime 2026-06-18 08:10:50+00:00
+NtSystemRoot C:\WINDOWS
+NtProductType NtProductWinNt
+NtMajorVersion 10
+NtMinorVersion 0
+PE MajorOperatingSystemVersion 10
+PE MinorOperatingSystemVersion 0
+PE Machine 34404
+PE TimeDateStamp Mon Dec 3 21:59:54 2046
+# we list the sessions to see per process usernames
+# we find a systemid user, hinted in the description
+# we find a notepad spawned by powershell
+$ vol -f ftk.mem windows.sessions
+Session ID Session Type Process ID Process User Name Create Time
+[..]
+1 - 10084 powershell.exe test/systemid 2026-06-18 08:09:41.000000 UTC
+1 - 10092 conhost.exe test/systemid 2026-06-18 08:09:41.000000 UTC
+1 - 3760 notepad.exe test/systemid 2026-06-18 08:09:58.000000 UTC
+# we list the processes
+$ vol -f ftk.mem windows.pslist
+[..]
+10084 10012 powershell.exe 0xe2819f2fb080 12 - 1 False 2026-06-18 08:09:41.000000 UTC N/A Disabled
+3760 10084 notepad.exe 0xe2819b9e80c0 1 - 1 False 2026-06-18 08:09:58.000000 UTC N/A Disabled
+# we dump the memory of the notepad process
+$ vol -f ftk.mem windows.memmap --pid 3760 --dump
+# we grep for the flag with strings for UTF-16LE strings, common in Windows
+$ strings -e l pid.3760.dmp | grep -i flag
+The flag is RkZGe3N2WTNfZTNwYklyZUxfanZNNGVxZWx9
+# we base64 rot13 decode it to get the flag
+$ echo "RkZGe3N2WTNfZTNwYklyZUxfanZNNGVxZWx9" | base64 -d | tr 'A-Za-z' 'N-ZA-Mn-za-m'
+SSS{fiL3_r3coVerY_wiZ4rdry}
+```