frictf_forensics_presentation/presentation.md

---
title: FRIctf{forenzika} 
author: DragonSec
patat:
  eval:
    figlet:
      command: figlet
      fragment: false
      replace: true
---

```figlet
FORENZIKA

FRIctf 2022
```
---

```figlet
KAJ JE FORENZIKA ?
```
* Steganografija
* Analiza "memory dumpov"
* Analiza tcp/udp paketov

Basically vse kjer je potrebno izlusciti neko skrito informacijo.

---

```figlet
ANALIZA SLIK
```

* Najprej si oglejmo sliko
```bash
feh images/PXL_20220920_141456208.jpg

# Poglejmo drobovje slike
carbon :: ctf/2022/frictf_forensics_presentation » hexdump  -C images/PXL_20220920_141456208.jpg | head
00000000  ff d8 ff e1 dc 66 45 78  69 66 00 00 49 49 2a 00  |.....fExif..II*.|
00000010  08 00 00 00 0d 00 00 01  03 00 01 00 00 00 d0 0b  |................|
00000020  00 00 01 01 03 00 01 00  00 00 c0 0f 00 00 0f 01  |................|
00000030  02 00 07 00 00 00 aa 00  00 00 10 01 02 00 0b 00  |................|
00000040  00 00 b1 00 00 00 12 01  03 00 01 00 00 00 01 00  |................|
00000050  00 00 1a 01 05 00 01 00  00 00 bc 00 00 00 1b 01  |................|
00000060  05 00 01 00 00 00 c4 00  00 00 28 01 03 00 01 00  |..........(.....|
00000070  00 00 02 00 00 00 31 01  02 00 15 00 00 00 cc 00  |......1.........|
00000080  00 00 32 01 02 00 14 00  00 00 e1 00 00 00 13 02  |..2.............|
00000090  03 00 01 00 00 00 01 00  00 00 69 87 04 00 01 00  |..........i.....|
```

---

```figlet
EXIFTOOL
```

* Orodje, ki izlusci vse informacije, ki jih slika/video/gif hrani.

```bash
carbon :: ctf/2022/frictf_forensics_presentation » exiftool images/PXL_20220920_141456208.jpg | grep -i Date
File Modification Date/Time     : 2022:10:03 22:17:56+02:00
File Access Date/Time           : 2022:10:13 16:01:45+02:00
File Inode Change Date/Time     : 2022:10:03 22:17:56+02:00
Modify Date                     : 2022:09:20 16:14:56
Date/Time Original              : 2022:09:20 16:14:56
Create Date                     : 2022:09:20 16:14:56
GPS Date Stamp                  : 2022:09:20
Profile Date Time               : 2016:12:08 09:38:28
Create Date                     : 2022:09:20 16:14:56.208+02:00
Date/Time Original              : 2022:09:20 16:14:56.208+02:00
Modify Date                     : 2022:09:20 16:14:56.208+02:00
GPS Date/Time                   : 2022:09:20 14:14:55Z
```
---

```figlet
EXIFTOOL
```

```bash
carbon :: ctf/2022/frictf_forensics_presentation 130 » exiftool images/PXL_20220920_141456208.jpg  | grep -i gps
GPS Latitude Ref                : North
GPS Longitude Ref               : East
GPS Altitude Ref                : Above Sea Level
GPS Time Stamp                  : 14:14:55
GPS Img Direction Ref           : Magnetic North
GPS Img Direction               : 295
GPS Date Stamp                  : 2022:09:20
GPS Altitude                    : 339.1 m Above Sea Level
GPS Date/Time                   : 2022:09:20 14:14:55Z
GPS Latitude                    : 46 deg 1' 53.06" N
GPS Longitude                   : 14 deg 29' 1.37" E
GPS Position                    : 46 deg 1' 53.06" N, 14 deg 29' 1.37" E
```
---

```figlet
FORENSICS == STRINGS & GREP :-)
```
```bash
carbon :: ctf/2022/frictf_forensics_presentation 1 » exiftool images/PXL_20220920_141456208.jpg | grep -i comment
Comment                         : ctf{yay_my_first_forensic_flag}

```
---

```figlet
CYBERCHEF

VOLATILITY
```
---

```figlet
APERISOLVE

WIRESHARK
```
---

```Figlet
DELAVNICE
```
* @Pixel  -> memory dump challenge
* @spanskiduh -> packet capture challenge

```figlet
VPRASANJA ?
```
first commit 2022-10-03 21:33:22 +02:00			`---`
Analiza slik done 2022-10-03 23:08:20 +02:00			`title: FRIctf{forenzika}`
			`author: DragonSec`
first commit 2022-10-03 21:33:22 +02:00			`patat:`
			`eval:`
			`figlet:`
			`command: figlet`
			`fragment: false`
			`replace: true`
			`---`
Analiza slik done 2022-10-03 23:08:20 +02:00
Gre gor 2022-10-06 18:18:22 +02:00			```figlet
			`FORENZIKA`

			`FRIctf 2022`
			```
			`---`

first commit 2022-10-03 21:33:22 +02:00			```figlet
Analiza slik done 2022-10-03 23:08:20 +02:00			`KAJ JE FORENZIKA ?`
first commit 2022-10-03 21:33:22 +02:00			```
Gre gor 2022-10-06 18:18:22 +02:00			`* Steganografija`
Analiza slik done 2022-10-03 23:08:20 +02:00			`* Analiza "memory dumpov"`
			`* Analiza tcp/udp paketov`

			`Basically vse kjer je potrebno izlusciti neko skrito informacijo.`
first commit 2022-10-03 21:33:22 +02:00
			`---`

Analiza slik done 2022-10-03 23:08:20 +02:00			```figlet
			`ANALIZA SLIK`
			```

			`* Najprej si oglejmo sliko`
			```bash
			`feh images/PXL_20220920_141456208.jpg`
first commit 2022-10-03 21:33:22 +02:00
Analiza slik done 2022-10-03 23:08:20 +02:00			`# Poglejmo drobovje slike`
Presentation updated 2022-10-13 16:49:33 +02:00			`carbon :: ctf/2022/frictf_forensics_presentation » hexdump -C images/PXL_20220920_141456208.jpg \| head`
			`00000000 ff d8 ff e1 dc 66 45 78 69 66 00 00 49 49 2a 00 \|.....fExif..II*.\|`
			`00000010 08 00 00 00 0d 00 00 01 03 00 01 00 00 00 d0 0b \|................\|`
			`00000020 00 00 01 01 03 00 01 00 00 00 c0 0f 00 00 0f 01 \|................\|`
			`00000030 02 00 07 00 00 00 aa 00 00 00 10 01 02 00 0b 00 \|................\|`
			`00000040 00 00 b1 00 00 00 12 01 03 00 01 00 00 00 01 00 \|................\|`
			`00000050 00 00 1a 01 05 00 01 00 00 00 bc 00 00 00 1b 01 \|................\|`
			`00000060 05 00 01 00 00 00 c4 00 00 00 28 01 03 00 01 00 \|..........(.....\|`
			`00000070 00 00 02 00 00 00 31 01 02 00 15 00 00 00 cc 00 \|......1.........\|`
			`00000080 00 00 32 01 02 00 14 00 00 00 e1 00 00 00 13 02 \|..2.............\|`
			`00000090 03 00 01 00 00 00 01 00 00 00 69 87 04 00 01 00 \|..........i.....\|`
Analiza slik done 2022-10-03 23:08:20 +02:00			```
first commit 2022-10-03 21:33:22 +02:00
Analiza slik done 2022-10-03 23:08:20 +02:00			`---`
Presentation updated 2022-10-13 16:49:33 +02:00
Analiza slik done 2022-10-03 23:08:20 +02:00			```figlet
			`EXIFTOOL`
			```

			`* Orodje, ki izlusci vse informacije, ki jih slika/video/gif hrani.`

			```bash
Presentation updated 2022-10-13 16:49:33 +02:00			`carbon :: ctf/2022/frictf_forensics_presentation » exiftool images/PXL_20220920_141456208.jpg \| grep -i Date`
			`File Modification Date/Time : 2022:10:03 22:17:56+02:00`
			`File Access Date/Time : 2022:10:13 16:01:45+02:00`
			`File Inode Change Date/Time : 2022:10:03 22:17:56+02:00`
			`Modify Date : 2022:09:20 16:14:56`
			`Date/Time Original : 2022:09:20 16:14:56`
			`Create Date : 2022:09:20 16:14:56`
			`GPS Date Stamp : 2022:09:20`
			`Profile Date Time : 2016:12:08 09:38:28`
			`Create Date : 2022:09:20 16:14:56.208+02:00`
			`Date/Time Original : 2022:09:20 16:14:56.208+02:00`
			`Modify Date : 2022:09:20 16:14:56.208+02:00`
			`GPS Date/Time : 2022:09:20 14:14:55Z`
			```
			`---`

			```figlet
			`EXIFTOOL`
			```

			```bash
			`carbon :: ctf/2022/frictf_forensics_presentation 130 » exiftool images/PXL_20220920_141456208.jpg \| grep -i gps`
			`GPS Latitude Ref : North`
			`GPS Longitude Ref : East`
			`GPS Altitude Ref : Above Sea Level`
			`GPS Time Stamp : 14:14:55`
			`GPS Img Direction Ref : Magnetic North`
			`GPS Img Direction : 295`
			`GPS Date Stamp : 2022:09:20`
			`GPS Altitude : 339.1 m Above Sea Level`
			`GPS Date/Time : 2022:09:20 14:14:55Z`
			`GPS Latitude : 46 deg 1' 53.06" N`
			`GPS Longitude : 14 deg 29' 1.37" E`
			`GPS Position : 46 deg 1' 53.06" N, 14 deg 29' 1.37" E`
			```
			`---`

			```figlet
			`FORENSICS == STRINGS & GREP :-)`
			```
			```bash
			`carbon :: ctf/2022/frictf_forensics_presentation 1 » exiftool images/PXL_20220920_141456208.jpg \| grep -i comment`
			`Comment : ctf{yay_my_first_forensic_flag}`

			```
			`---`

			```figlet
			`CYBERCHEF`

			`VOLATILITY`
			```
			`---`

			```figlet
			`APERISOLVE`

			`WIRESHARK`
			```
			`---`

			```Figlet
			`DELAVNICE`
			```
			`* @Pixel -> memory dump challenge`
			`* @spanskiduh -> packet capture challenge`

			```figlet
			`VPRASANJA ?`
Analiza slik done 2022-10-03 23:08:20 +02:00			```