ctf-forensics

Comprehensive digital forensics and signal analysis toolkit for CTF challenges across disk, memory, network, and steganography domains. Quick reference for forensics CTF challenges. Each technique has a one-liner here; see supporting files for full details. Python packages (all platforms): Linux (apt): macOS (Homebrew): Ruby gems (all platforms): See disk-and-memory.md for full Volatility plugin reference, VM forensics, and coredump analysis. See linux-forensics.md for Linux attack chain analysis and Docker image forensics. Key Event IDs: RDP Session IDs (TerminalServices-LocalSessionManager): See windows.md for full event ID tables, registry analysis, SAM parsing, USN journal, and anti-forensics detection. If attacker cleared event logs, use these alternative sources: See windows.md for detailed parsing code and anti-forensics detection checklist. Binary border stego: Black/white pixels in 1px image border encode bits clockwise FFT frequency domain: Image data hidden in 2D FFT magnitude spectrum; try np.fft.fft2 visualization DTMF audio: Phone tones encoding data; decode with multimon-ng -a DTMF Multi-layer PDF: Check hidden comments, post-EOF data, XOR with keywords, ROT18 final layer SSTV + LSB: SSTV signal may be red herring; check 2-bit LSB of audio samples with stegolsb SVG keyframes: Animation keyTimes / values attributes encode binary/Morse via fill color alternation...