CTF 101 Series: What is Forensics?

A Capture-the-Flag or “CTF” is a cybersecurity competition designed to test and sharpen security skills through hands-on challenges that simulate real-world situations. MetaCTF offers training in eight different categories: Binary Exploitation, Cryptography, Web Exploitation, Forensics, Reconnaissance, Reverse Engineering, CyberRange, and Other / Miscellaneous. This post is part of a series that explains what each category covers, why the subject is important, and how to approach these problems.

What is forensics?

Digital forensics (also called computer forensics) is the process of collecting, preserving, and analyzing evidence from a computer or network in order to reconstruct what a malicious actor did. Companies usually perform forensic analysis after they have detected an intruder in their environment, with two aims: containing further intrusion and damage, and determining what the attacker did and how they got into the network.

Forensics investigators play the role of cyber detective, asked to determine the who, what, where, when, why, and how of an attack. Much like a detective at a crime scene, they need to find evidence, and preserve it without altering it, so that they can reconstruct a timeline of the attacker’s actions and identify the point of entry.

Attackers typically break into systems either to steal information (e.g. the 2014 Sony Pictures hack) or to lock systems and demand a ransom (e.g. the 2021 Colonial Pipeline ransomware attack). Regardless of the attacker’s motive, companies are in a stronger position to prevent and respond to attacks if their staff understand how to record and find the information needed to trace the attacker’s behavior.

How to solve a forensics CTF challenge

In a typical forensics CTF, you likely will not be reconstructing the timeline of an entire intrusion. Instead, you will practice the fundamentals of digital forensics. The instructions will ask you to find some specific piece of information, like the identity of an employee exfiltrating internal documents or the name of a malicious process.

Your first step toward a solution should be to take inventory of the information you have. You will almost always be given some type of file (like a photo, a memory image, or a network packet capture). Check what the file actually is, by its header bytes rather than its extension, since challenge authors like to mislabel artifacts.

Next, see what information you can glean from the file to help you answer the question. It often helps to start with the file’s metadata. For example, if you receive a photo, its EXIF data may tell you who took the photo, what device they used, or where they took it. A tool like ExifTool exposes that metadata; if the metadata is clean, the next step is to check whether the image itself hides data and apply steganography techniques.

To find the answer, use your best detective skills. Keep looking for clues and follow them as far as they will take you until you have found the flag. Your greatest assets will be organization and relentless curiosity.
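As an added example (not code from the original post or from MetaCTF), here is a dependency-free Python first pass that covers the two steps above for an image challenge: it identifies the file by its magic bytes, then walks a JPEG’s APP1/Exif segment and pulls out the IFD0 tags that ExifTool would report. The sample JPEG, its tag values, and the function names are constructed for this illustration; the JPEG marker layout and TIFF/IFD encoding are the real formats.

```python
import struct

# Step 1: identify the artifact by its magic bytes, not its extension.
MAGIC = {
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xd4\xc3\xb2\xa1": "pcap capture (little-endian)",
    b"\xa1\xb2\xc3\xd4": "pcap capture (big-endian)",
    b"\x0a\x0d\x0d\x0a": "pcapng capture",
    b"PK\x03\x04": "ZIP container (also docx/xlsx/jar/apk)",
    b"%PDF-": "PDF document",
    b"\x7fELF": "ELF executable",
    b"MZ": "PE executable",
}

def identify(data: bytes) -> str:
    """Return a type name for the longest matching signature, or 'unknown'."""
    for sig in sorted(MAGIC, key=len, reverse=True):
        if data.startswith(sig):
            return MAGIC[sig]
    return "unknown"

# Step 2: locate the Exif block and parse IFD0 (a subset of tag names).
TAG_NAMES = {
    0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model",
    0x0112: "Orientation", 0x0131: "Software", 0x0132: "DateTime",
    0x8769: "ExifIFDPointer", 0x8825: "GPSInfoIFDPointer",
}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types

def find_exif(jpeg: bytes):
    """Walk JPEG marker segments; return the TIFF payload of the APP1 Exif segment."""
    if not jpeg.startswith(b"\xff\xd8"):          # SOI marker
        return None
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            return None
        marker = jpeg[pos + 1]
        if marker == 0xDA:                         # SOS: compressed pixels follow
            return None
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None

def parse_ifd0(tiff: bytes) -> dict:
    """Parse the TIFF header and the first IFD into {tag_name: value}."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]     # byte order mark
    magic, ifd_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    count = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])[0]
    tags = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i                   # each IFD entry is 12 bytes
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:                              # value stored inline, left-justified
            raw = tiff[e + 8:e + 8 + size]
        else:                                      # otherwise the field holds an offset
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + size]
        if typ == 2:                               # ASCII, NUL-terminated
            value = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 3 and n == 1:                  # SHORT
            value = struct.unpack(endian + "H", raw)[0]
        elif typ == 4 and n == 1:                  # LONG
            value = struct.unpack(endian + "I", raw)[0]
        else:
            value = raw.hex()
        tags[TAG_NAMES.get(tag, f"0x{tag:04X}")] = value
    return tags

def triage(data: bytes) -> dict:
    """Inventory step: what is this file, and what metadata does it carry?"""
    result = {"type": identify(data), "exif": {}}
    exif = find_exif(data) if result["type"] == "JPEG image" else None
    if exif:
        result["exif"] = parse_ifd0(exif)
    return result

def build_sample_jpeg() -> bytes:
    """Constructed sample input: SOI + APP1/Exif + SOS, with no real pixel data."""
    entries = [(0x010F, 2, b"ACME\x00"), (0x0110, 2, b"Cam-1\x00"),
               (0x0112, 3, 1), (0x0131, 2, b"editor 1.0\x00")]
    ifd_off = 8
    data_off = ifd_off + 2 + 12 * len(entries) + 4  # strings live after the IFD
    packed, blob = b"", b""
    for tag, typ, val in entries:
        if typ == 3:                               # SHORT fits inline
            packed += struct.pack("<HHIH", tag, typ, 1, val) + b"\x00\x00"
        else:                                      # ASCII longer than 4 bytes: offset
            packed += struct.pack("<HHII", tag, typ, len(val), data_off + len(blob))
            blob += val
    tiff = (b"II" + struct.pack("<HI", 42, ifd_off) + struct.pack("<H", len(entries))
            + packed + struct.pack("<I", 0) + blob)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02"

if __name__ == "__main__":
    print(triage(build_sample_jpeg()))
```

Run against a real challenge file with `triage(open(path, "rb").read())`. Only IFD0 is walked here; a real ExifTool run also follows the ExifIFDPointer and GPSInfoIFDPointer sub-IFDs, which is where camera settings and coordinates live, and those offsets are parsed the same way as IFD0.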

Resources to learn more about forensics training

Want to learn more about cybersecurity training options for your team? Schedule a demo here or email us at contact@metactf.com.