Jeopardy Style CTF Resources

Figure 1: Screenshot of CTFd demo site

Capture the Flag type contests are fun. You may remember them from Real Life™, where a couple of teams are pitted against each other, each team has a base with a flag, and each team has to storm (of course, sometimes sneaking is the better play) the opposing base and physically steal the other team’s flag. This game model has been digitised in a number of ways over the years. One of the more accessible ways is its incorporation into computer games; the one I’m most familiar with is Team Fortress, a Half-Life mod which I believe is still going relatively strongly despite having been out for longer than 15 years now.

But those sorts of Capture the Flag games are not what this post is about, oh no. Instead I’m going to delve into the world of geekdom inspired by these real world examples. In the type of game I will be discussing, the goal is to solve technical computer puzzles to find a small piece of data hidden somewhere, which acts as the flag for that challenge.


EnCase EnScript Resources for Learning

Caveat: A lot of the resources mentioned below are quite old; as a result, your mileage may vary.

I’m starting to take a deep dive into EnScript in EnCase, and I was lamenting the lack of freely available resources. But lo and behold, today I struck gold and found a few resources that had escaped my attention before now, so I thought I’d do a quick post collating what I found.

First and foremost is an EnScript research paper turned tutorial that I was surprised to see is freely available. If it goes away at any stage you should be able to get a copy on the Wayback Machine. (Just found this copy by chance too, from a site that seems to have some permanence:

The paper had a number of references to other resources which I’ll list below:

Outside of that I found a few other resources, here are two tutorial documents:

Then of course you have Simon Key’s GitHub page, which hosts a few EnScript samples. Simon Key is a “Sr. Principal Courseware Developer at OpenText” according to his LinkedIn page, so you should be able to learn from his samples how an EnScript should be written.

Just as an example of a discussion thread, here is one that can be found over on the Forensic Focus forums, so if you run into difficulties you may even be able to get some help there.

There’s a YouTube video from Guidance Software discussing the utility of EnScript plug-ins during an investigation.

Finally, I’ll also be leaning on the EnScript chapter from this O’Reilly book.

That should be enough to get me off the ground; if I find any more I’ll add them here. If you have any suggestions for resources, feel free to let me know.

Regenerate Message Typed as captured in a USB Keyboard Packet Capture

I was recently presented with a packet capture file as a challenge: perform some forensics on it and see if I could find the hidden message. Naturally, it being a packet capture, I fired up Wireshark, only to be faced with a very bland single-colour screen, quite different from the usual network captures most would be used to seeing in Wireshark (see Figure 1 below). There was none of the usual indication of different protocols broken down by colour. This was going to be a different type of challenge, and one I was going to learn a lot from. I knew I would enjoy it, and I sure did!

Figure 1: Bland, colour-free Wireshark window

Sunday Quicky #7: GOSI Certified!

Yesterday, with 3 days left on my deadline, I completed the GIAC Open Source Intelligence certification exam with a score of 91%. Needless to say I was pretty delighted. I’m still unsure which of the following had the biggest impact on my certification exam result: was the exam too easy? Did I prepare very well? Was the training provided so good that it was inevitable?

I’m leaning towards a combination of the training and my preparation. To be fair, the “SANS SEC487 Open-Source Intelligence (OSINT) Gathering and Analysis” course covered a breadth and depth of topics, and covered them well. A series of books is made available to course participants, one for each day of the course, and since the exam is open book, these materials are vital to your success in the exam. I did learn many new tools and techniques. However, if you’re a seasoned OSINTer you may find the course a bit foundational and remedial, and it might be better to do one of their more advanced courses. But as for how I scored so well, as you might expect, every question asked in the exam could be answered from the pages of the training materials.

This brings me to my preparation. The books provided are between 140 and 180 pages each, so needless to say you can’t page through those materials for each of the 75 questions you get asked in the 2 hours you have to do the exam. So a big shout out has to go to Lesley Carhart for her blog post on her “Pancakes Index System”. It would not have been possible to efficiently work through the materials without an index; I went with the Pancakes Index System, and it definitely worked. It ended up looking like this:

Figure 1: Pancakes Index System in operation

After putting together my index, I then completed the two practice tests. The practice tests were very close to the actual exam in terms of the format of the questions and provided great preparation for the exam itself.

And there you have it. A great course with a great instructor, @dutch_osintguy in my case, and enthusiastic classmates led to a great experience and now, thankfully, another successfully completed certification exam.

A Collection of OSINT related Bookmarks

I recently completed the SANS SEC487 course in Open-Source Intelligence Gathering and Analysis. I also signed up to do the related GIAC Open Source Intelligence Certification exam. I really don’t want to be in the position of failing that exam, so I’m thoroughly preparing for it.

While conducting my preparations I have been slowly collecting the various resources that were used during the course into a list of bookmarks that I can share with the world. These bookmarks are available from the OSINT Bookmark Collection GitHub repository as an HTML file that can be imported into your browser (right click -> save file, for best results). For anyone who has never imported bookmarks before, or even for those who do it very irregularly, a set of instructions can be found below.


Sunday Quicky #6: Essential Initial Git Settings on Linux When 2FA is Set Up on Github

So you’re set up on GitHub, and being the privacy conscious person you are, you have Two Factor Authentication turned on. You’ve added a personal access token so that you can push to your repos from a machine. Now you have a new install of Git on some flavour of Linux and you want to configure Git on the command line to be as frictionless as possible while you’re using it, while still remaining secure. What you really need for this is to set up credential caching so that you won’t need to enter your token every time you run git push. Let’s explore this and some other initial configuration steps that will make using Git that much easier.


Sunday Quicky #5: A Handy Bookmarklet for Analysis

I’m not going to lie, I hadn’t heard of bookmarklets until earlier this year at one of the SANS summits. They were quite the revelation. Their potential for automating collection and analysis of data was very obvious and very powerful. However, up until today I hadn’t come across a compelling reason to make a bookmarklet. If you already know what bookmarklets are, skip the next section to see what I made.

What are bookmarklets anyway?

Bookmarklets allow you to use JavaScript code in a bookmark in order to automate some action. That’s a very brief summary, and it’s not a whole lot more complicated than that, but for a fuller explanation and a few more examples go visit this article on bookmarklets.


Timeline Chart Tool

Figure 1: Sample Timeline Chart

So you need a timeline chart and you need it for work. No worries, services exist for creating beautiful charts online, Lucidchart being one of the best examples (not a sponsor). But… You need the chart for work, you need it to contain sensitive data for internal use only, you may even need to include the dreaded PII (Personally Identifiable Information).

Now, are any of these chart producing services going to leak your data? It’s not likely, to be honest. Am I saying don’t trust Lucidchart, for example? Not necessarily. But I am particularly sensitive to the risk of data leaks due to having come from a Law Enforcement background, where a PII leak could lead to loss of employment. Also, I have recently completed a course in Cyber Security. These are both huge factors in my sensitivity to the risk of a data breach that could occur by using a third party service. Just think: if Lucidchart were to suffer a breach that in turn led to a breach of data contained in charts created by you on that service, you might in turn also have to report a breach; it’s all very complicated at that stage.

The solution? Roll your own. Read on for a relatively easy way to create your own timeline chart without ever having to reach out to an online service with data you don’t want exposed.


Sunday Quicky #4: Creating a New Github Project

I have already done the bulk of the work on this, but it has a lot of waffle around it, so this will be a more straight to the point version.

Step One: Create Git Local Repository

Figure 1: Create local repository

Traditionally you add a file first and initialise the repository, then add the new file and commit it.
