Forensics Challenge Message and Hints

Author: AOrps

forensics/HASH-browns/README.md

@@ -4,4 +4,13 @@
 ## Solution 
 ```bash
 openssl md5 file* | awk '{print $2}' | python3 -c 'import sys;data = sys.stdin.read(); print(sum([int(f"{line[-4:]}", 16) for line in data.split("\n") if line != ""]))'
-```
+```
+
+
+--- 
+
+## Challenge Message 
+Before you can start your day, you must eat breakfast. Not just any ordinary breakfast though — hash browns fit for a hero! While eating your hashbrowns, you must get the decimal sum of the last 4 digits of all each file from your virtual breakfast in order to properly digest your breakfast and awaken your superpowers. This breakfast is md(mmmmm) good
+
+## Challenge Hints
+* Did you convert it from hex to decimal? And did you make sure to get only the last 4 digits? Also make sure it is between the jctf{} flag formatter.

forensics/alternate-reality/README.md

@@ -17,3 +17,10 @@ cat flag.txt:hidden
 ```
 
 Flag: jctf{FL492 1N 73h S7r34M}
+
+--- 
+
+## Challenge Message 
+# Challenged by **SpecterOps**
+
+It turns out that there are not one, but two disks in the PC. Finding the flag in the previous disk left you confused. Seems like you will have to find the flag in this forensic disk image too!

forensics/closed-creds/README.md

@@ -14,3 +14,13 @@ john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
 
 
 Flag: jctf{Password1}
+
+--- 
+
+## Challenge Message 
+The clues from the camera led you to a mysterious building. Surprisingly, the front door was left unlocked. Unsurprisingly, the computer in the headquarters was not left unlocked. Using the registry files provided, will you be able to crack the password of the Administrator user?
+
+
+## Challenge Hints
+* Research dumping hashes from SAM.
+* Submit the flag in the following format: **jctf{flag}**.

forensics/data-about-data/README.md

@@ -9,3 +9,11 @@ exiftool photo.jpg
 ```
 
 Flag: jctf{4lW4Ys_cH3ck_TH3_M3T4D4t4}
+
+--- 
+
+## Challenge Message 
+It seems the robber was captured on the bank’s CCTV. For some reason, the camera data seems to be zipped. Search through the zip archive to find anything out of the ordinary, in the form of a flag!
+
+## Challenge Hints
+Cameras produce a lot of metadata.

forensics/file-desc/README.md

@@ -1 +1,13 @@
 # file-desc
+
+
+
+--- 
+
+## Challenge Message 
+# Challenged by **NJCCIC**
+
+Congratulations, you’re a cybersecurity superhero now! You’ve received a letter explaining your newfound skills, but are having trouble with opening the letter. It would be so much easier to read if only you knew what file type was...
+
+## Challenge Hints
+* Did you add the output to jctf{INSERT_FILE_TYPE_HERE}?

forensics/investigating-windows/README.md

@@ -12,3 +12,13 @@ perl /usr/share/windows-resources/regripper/rip.pl -r ./software -p profilelist
 Flag: jctf{S-1-5-21-1410353290-3892556988-1991803543-1001}
 
 
+--- 
+
+## Challenge Message 
+A robber has broken through the Windows into the municipal bank! The civilians of the city have called upon you to identify and capture the villain. 
+
+Use your heroic forensics superpowers to find the SID of the user robbr using the Windows registry files provided!
+
+## Challenge Hints
+* Try reg ripper?
+* Submit the flag in the following format: **jctf{flag}**.

forensics/pw-backup/README.md

@@ -10,4 +10,10 @@ contains a USB pcap file that has a packet of data containing a png image with t
 there are decoy files in the pcap, and it isn't explicitly shown to be a pcap.
 
 flag: jctf{CorrectUSB14}
-```
+```
+
+--- 
+
+## Challenge Message 
+It seems that there is a USB attached to the PC. But what does this all mean — what is the big picture? Search through the files in the USB to find out!
+

forensics/traffic-analysis/README.md

@@ -8,3 +8,9 @@ The flag can before found in the TCP stream of the traffic on port 4444.
 
 
 Flag: jctf{8R0_D0_y0u_3v3N_Pc4P}
+
+--- 
+
+## Challenge Message 
+Crypto Woman wants to join you to find any flags in a packet capture and put them to justice. When you said you were a better superhero than her, she responded: "That is pCAP!"
+

forensics/volatile-memory-1/README.md

@@ -21,3 +21,14 @@ volatility -f memdump.mem imageinfo
 
 
 Flag: jctf{1808}
+
+--- 
+
+## Challenge Message 
+Oh no, we need to find out the PID (process ID) of notepad.exe  in order to save the city for some unknown reason! No questions asked, just do it!
+
+Use the RAM image found at:
+https://drive.google.com/drive/folders/1a7NZ5g3TR1Pn6hxsf68AsSwP-ItqaHl_?usp=sharing
+
+## Challenge Hints
+* Submit the flag in the following format: **jctf{flag}**.

forensics/volatile-memory-2/README.md

@@ -16,3 +16,18 @@ Volatility 2
 volatility -f memdump.mem imageinfo
 /opt/volatility/vol.py --profile=Win2012R2x64_18340 netscan -f memdump.mem
 ```
+
+
+--- 
+
+## Challenge Message 
+*Destination Port 4444* is the only open entrance for the remote superhero island of WeCantWaitUntilCOVIDIsOver.  
+
+In order for the *executable* boats filled with superheros to gain access to the island,  the ship *name* must be identified.
+
+Use the RAM image found at:
+https://drive.google.com/drive/folders/1a7NZ5g3TR1Pn6hxsf68AsSwP-ItqaHl_?usp=sharing
+
+## Challenge Hints
+* Submit the flag in the following format: **jctf{flag}**.
+* What is the name of the executable using destination port 4444?