ctf-forensics

ljagiello/ctf-skills

Quick reference for forensics CTF challenges. Each technique has a one-liner here; see supporting files for full details.

Installs: 214
Install command
npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-forensics
Security audits
Gen Agent Trust Hub: FAIL
Socket: WARN
Snyk: WARN
About this skill
Quick reference for forensics CTF challenges. Each technique has a one-liner here; see supporting files for full details.

See disk-and-memory.md for full Volatility plugin reference, VM forensics, and coredump analysis. See linux-forensics.md for Linux attack chain analysis and Docker image forensics.

Key Event IDs: RDP Session IDs (TerminalServices-LocalSessionManager): See windows.md for full event ID tables, registry analysis, SAM parsing, USN journal, and anti-forensics detection.

If attacker cleared event logs, use these alternative sources: See windows.md for detailed parsing code and anti-forensics detection checklist.

Binary border stego: Black/white pixels in 1px image border encode bits clockwise
FFT frequency domain: Image data hidden in 2D FFT magnitude spectrum; try np.fft.fft2 visualization
DTMF audio: Phone tones encoding data; decode with multimon-ng -a DTMF
Multi-layer PDF: Check hidden comments, post-EOF data, XOR with keywords, ROT18 final layer
SSTV + LSB: SSTV signal may be red herring; check 2-bit LSB of audio samples with stegolsb
SVG keyframes: Animation keyTimes / values attributes encode binary/Morse via fill color alternation
PNG chunk reorder: Fix chunk order: IHDR → ancillary → IDAT (in order) → IEND
File overlays: Check after IEND for appended archives with overwritten magic bytes
Custom freq DTMF: Non-standard dual-tone frequencies; generate...

Source description provided by the upstream skill listing. Community reviews and install context appear in the sections below.

Community Reviews

No community reviews yet.

FAQ
What does ctf-forensics do?

Quick reference for forensics CTF challenges. Each technique has a one-liner here; see supporting files for full details.

Is ctf-forensics good?

ctf-forensics does not have approved reviews yet, so SkillJury cannot publish a community verdict.

What agent does ctf-forensics work with?

ctf-forensics currently lists compatibility with codex, gemini-cli, opencode, kimi-cli, amp, github-copilot.

What are alternatives to ctf-forensics?

Skills in the same category include telegram-bot-builder, flutter-app-size, sharp-edges, iterative-retrieval.

How do I install ctf-forensics?

npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-forensics
