🕵️ Welcome to the Null404 DFIR CTF – FY25Q3

Sponsored by ArcLight6


🧭 Getting Started

Welcome to the Null404 DFIR Capture The Flag, a digital forensics challenge designed to test your investigation skills in a simulated enterprise breach scenario. This event is proudly sponsored by ArcLight6.

📦 Required Materials

Download the KAPE triage packages used throughout the competition:

Note: When downloading the KAPE archive, you may see the following message: "Google Drive can't scan this file for viruses. NULL404Q3CTF.7z (389 MB) is too large for Google to scan for viruses. Would you still like to download this file?" This is Google Drive's standard warning for files above its scanning size limit, not a detection. Proceed with the download, then confirm the archive matches the SHA256 listed below before extracting it.

Note: These packages are encrypted. The decryption password will be revealed in the first challenge when the CTF begins.

SHA256: a24544556739db319afb026881894e315adde26ad9382de28a405c0bb84a4daa - NULL404Q3CTF.7z

🧩 Note: Some questions in this CTF are sequential and will remain locked until you answer prerequisite questions. Make sure to work through each section in order to unlock the full investigation path.

Rules of Engagement

  • No Brute Forcing: Do not brute-force flags, endpoints, or login pages. All challenges are solvable with analysis and reasoning.
  • No Attacking the Infrastructure: Do not run scans, exploit vulnerabilities, or attempt to disrupt the CTF platform.
  • No Sharing Flags: Work on your own or with your team. Sharing answers or solutions with other teams is not allowed.
  • AI: If you choose to use any AI platform, please do so at your own discretion. Make sure you continue to learn and have fun along the way.
  • No Automation or Scripts: Unless a challenge explicitly permits it, do not use automated tools to interact with the platform.
  • Be Respectful: Treat all participants with respect and uphold the spirit of healthy competition.
  • Report Issues: If you discover a bug or have questions, contact the organizers. Do not exploit platform flaws.
  • Have Fun & Learn: The main goal is to develop your DFIR skills. Enjoy the challenges and grow!

🚀 How to Begin Analysis

  1. 📂 Extract the triage archive with your preferred archive tool (e.g., 7-Zip); remember that it is password protected.
  2. 🔍 Analyze the files with tools such as Eric Zimmerman's tools (EZ Tools).
  3. 🧠 Focus your investigation on event logs, registry hives, browser activity, and file system metadata.
  4. 🔍 Quick Reference guides:

    For guidance during your investigation, check out these comprehensive DFIR cheat sheets:

    DFIR Training Cheat Sheets & Infographics

    Topics include:

    • Windows Forensic Analysis
    • Memory Forensics
    • Malware Analysis
    • Network Forensics
    • And more

    Use these resources to help uncover critical evidence and guide your analysis.
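The steps above, carried out as one PowerShell script, as an added example that is not part of the CTF materials: it verifies the download against the SHA256 published under Required Materials, extracts it with 7-Zip, and runs Eric Zimmerman's parsers over the artifacts listed later on this page (MFT, event logs, Prefetch, AmCache, ShimCache, registry hives). The tool locations, the output folders and the one-folder-per-host KAPE layout are assumptions to adjust to your own setup; the archive password is not on this page (it is given in the first challenge), so the script prompts for it rather than hard-coding it.

```powershell
# Added example (not part of the Null404 CTF page): verify, extract and parse the
# KAPE triage archive with 7-Zip and Eric Zimmerman's tools.
# ASSUMPTIONS (adjust to your workstation): tool locations, output folders, and the
# KAPE layout '<host>\C\...' under the extraction root. The password is not published
# on the CTF page; it is prompted for here.
$Archive     = 'C:\CTF\NULL404Q3CTF.7z'
$ExpectedSha = 'a24544556739db319afb026881894e315adde26ad9382de28a405c0bb84a4daa'  # value from the CTF page
$Password    = Read-Host -Prompt 'Archive password (from challenge 1)' -AsSecureString
$SevenZip    = 'C:\Program Files\7-Zip\7z.exe'
$EzTools     = 'C:\Tools\EZTools'        # assumed folder holding MFTECmd.exe, EvtxECmd.exe, PECmd.exe, ...
$Triage      = 'C:\CTF\triage'           # extraction target
$Out         = 'C:\CTF\parsed'           # CSV output, ready for Timeline Explorer

# 1. Integrity check: refuse to extract an archive whose hash does not match the published value.
#    -ne is case-insensitive in PowerShell, so upper/lower-case hex both compare correctly.
$actual = (Get-FileHash -Path $Archive -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha) {
    throw "SHA256 mismatch for $Archive`n expected $ExpectedSha`n got      $actual"
}

# 2. Extract. 7-Zip takes the password inline via -p, so the SecureString is
#    decoded only for this call and dropped immediately afterwards.
$plain = [System.Net.NetworkCredential]::new('', $Password).Password
& $SevenZip x $Archive "-o$Triage" "-p$plain" -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip exited with code $LASTEXITCODE (wrong password or corrupt archive?)" }
Remove-Variable plain

# 3. Parse each host's collection into CSVs. One sub-folder per host is assumed.
New-Item -ItemType Directory -Path $Out -Force | Out-Null
Get-ChildItem -Path $Triage -Directory | ForEach-Object {
    $hostName = $_.Name
    $root     = Join-Path $_.FullName 'C'
    $dest     = Join-Path $Out $hostName
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # File system metadata: $MFT
    $mft = Join-Path $root '$MFT'
    if (Test-Path $mft) { & "$EzTools\MFTECmd.exe" -f $mft --csv $dest --csvf "$hostName-mft.csv" }

    # Event logs: every .evtx under the Logs folder, normalised by EvtxECmd's maps
    $logs = Join-Path $root 'Windows\System32\winevt\Logs'
    if (Test-Path $logs) { & "$EzTools\EvtxECmd.exe" -d $logs --csv $dest --csvf "$hostName-evtx.csv" }

    # Execution evidence: Prefetch, AmCache, ShimCache (lives in the SYSTEM hive)
    $pf = Join-Path $root 'Windows\Prefetch'
    if (Test-Path $pf) { & "$EzTools\PECmd.exe" -d $pf --csv $dest --csvf "$hostName-prefetch.csv" }
    $amcache = Join-Path $root 'Windows\AppCompat\Programs\Amcache.hve'
    if (Test-Path $amcache) { & "$EzTools\AmcacheParser.exe" -f $amcache --csv $dest }
    $system = Join-Path $root 'Windows\System32\config\SYSTEM'
    if (Test-Path $system) { & "$EzTools\AppCompatCacheParser.exe" -f $system --csv $dest --csvf "$hostName-shimcache.csv" }

    # Registry hives (SAM, SYSTEM, SOFTWARE, NTUSER.DAT): RECmd walks the tree and applies
    # the Kroll batch file shipped with it (assumed location under the EZ tools folder).
    & "$EzTools\RECmd\RECmd.exe" -d $root --bn "$EzTools\RECmd\BatchExamples\Kroll_Batch.reb" --csv $dest | Out-Null
}
```

Open the resulting CSVs in Timeline Explorer and pivot on the same timestamps across hosts; the hash check at the top is the one step to never skip, since a mismatching archive means a truncated download or a file that is not the one the organizers published.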


🌐 Network Overview

The environment simulates a small enterprise network impacted by a targeted attack. You will encounter systems such as:

  • VUSE-DC01 (10.3.10.10) – Domain Controller
  • VUSE-SVR01 (10.3.10.22) – SMB File Server
  • VUSE-WS01 (10.3.10.30) – User Workstation
  • VUSE-WS02 (10.3.10.31) – User Workstation

The diagram below provides a high-level view of the Vuse Corporation network topology:

VUSE Network Diagram

📂 Artifacts Included

The triage packages collected via KAPE contain various forensic artifacts, including:

  • 📁 Master File Table (MFT)
  • 🕒 Prefetch files
  • 📑 Event Logs (EVTX)
  • 🌐 Browser History
  • 🧠 AmCache and ShimCache
  • 🔍 Registry Hives (SAM, SYSTEM, SOFTWARE, NTUSER.DAT)
  • 🚀 Scheduled Tasks
  • 🔧 Services and Startup Items
  • 💬 Recent Files and Jump Lists

🏆 Objectives

  • Analyze triaged artifacts to answer questions and earn points
  • Track the attacker’s movements and behavior
  • Reconstruct the timeline of compromise
  • Identify persistence mechanisms and lateral movement
  • Attribute the attack and determine the method of exfiltration

Use your DFIR skills, follow the artifacts, and expose the threat actor’s playbook.
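One way to start on the lateral-movement and timeline objectives, as an added example that is not part of the CTF materials: it walks every Security.evtx in the extracted triage data, keeps network logons (Event ID 4624 with logon type 3) and explicit-credential logons (Event ID 4648), and labels each source address with the hostname from the Network Overview. The triage path is an assumption; the host-to-IP map comes from this page, and the event fields used are standard Windows Security log data.

```powershell
# Added example (not part of the Null404 CTF page): a first lateral-movement pivot
# across the hosts listed in the Network Overview.
# ASSUMPTION: triage data extracted to C:\CTF\triage\<host>\C\... (KAPE-style layout).
$Triage = 'C:\CTF\triage'

# IP inventory taken from the CTF's Network Overview
$Hosts = @{
    '10.3.10.10' = 'VUSE-DC01'
    '10.3.10.22' = 'VUSE-SVR01'
    '10.3.10.30' = 'VUSE-WS01'
    '10.3.10.31' = 'VUSE-WS02'
}

# Pull one named <Data Name="..."> value out of an event's EventData XML
function Get-EventDataField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$hits = Get-ChildItem -Path $Triage -Recurse -Filter 'Security.evtx' | ForEach-Object {
    # Get-WinEvent reads offline .evtx files via -Path; 4624 = logon, 4648 = explicit credentials
    Get-WinEvent -FilterHashtable @{ Path = $_.FullName; Id = 4624, 4648 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x    = [xml]$_.ToXml()
            $ip   = Get-EventDataField $x 'IpAddress'
            $type = Get-EventDataField $x 'LogonType'   # absent on 4648, present on 4624
            # Logon type 3 is a network logon (SMB, WMI, PsExec-style remote execution);
            # 4648 captures runas / alternate-credential use regardless of type.
            if ($_.Id -eq 4648 -or $type -eq '3') {
                [pscustomobject]@{
                    Time       = $_.TimeCreated.ToUniversalTime()
                    Target     = $_.MachineName          # host the log was collected from
                    EventId    = $_.Id
                    LogonType  = $type
                    User       = Get-EventDataField $x 'TargetUserName'
                    Source     = $ip
                    SourceHost = if ($ip -and $Hosts.ContainsKey($ip)) { $Hosts[$ip] } else { 'unknown/external' }
                }
            }
        }
}

# Drop local/loopback noise, then order into a movement timeline.
# Swap Format-Table for Export-Csv to keep the result for Timeline Explorer.
$hits |
    Where-Object { $_.Source -notin @('-', '127.0.0.1', '::1') } |
    Sort-Object Time |
    Format-Table Time, Target, EventId, LogonType, User, Source, SourceHost -AutoSize
```

Any row whose SourceHost is 'unknown/external' is an address that is not in the inventory above and deserves a second look; a workstation-to-workstation network logon (for example VUSE-WS01 appearing as the source on VUSE-WS02) is the classic lateral-movement shape to chase through the Prefetch, AmCache and scheduled-task artifacts on the target.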

— The Null404 DFIR Team