[forensics][Pro][hard]
The Trilogy of Death Volume III: The Poisoned Apple
srdnlen
Task: An APFS disk image containing 500,000 identical key files, only one of which is needed to decrypt the flag (PBKDF2 with 140M iterations makes brute force impossible).

Solution: Detected the anomalous file via APFS inode metadata (write_generation_counter, total_bytes_written, mtime vs. btime), then recovered the original key from a freed block using APFS copy-on-write forensics.
$ ls tags/ techniques/
tags: disk_image, pbkdf2, data_recovery, hmac, apfs, dmg, macos, copy_on_write, cow, fseventsd, inode_metadata, btree, freed_blocks
techniques: apfs_cow_recovery, apfs_inode_anomaly_detection, fsevents_log_analysis, raw_disk_block_recovery, btree_node_scanning, freed_block_data_extraction
Similar writeups
- [forensics][Pro] The Trilogy of Death Volume I: Corel — srdnlen
- [forensics][Pro] Brute_force — bug-makers
- [reverse][Pro] another-onion — DiceCTF 2026 Quals
- [mobile][free] Protected — HackTheBox
- [forensics][free] Lavender — alfactf