forensics hard
The Trilogy of Death Volume III: The Poisoned Apple
srdnlen
Task: APFS disk image with 500,000 identical key files, one of which is needed to decrypt the flag (PBKDF2 with 140M iterations makes brute force impossible). Solution: Detected the anomalous file via APFS inode metadata (write_generation_counter, total_bytes_written, mtime vs btime), then recovered the original key from a freed block using APFS Copy-On-Write forensics.
$ ls tags/ techniques/
disk_image pbkdf2 data_recovery hmac apfs dmg macos copy_on_write cow fseventsd inode_metadata btree freed_blocks
apfs_cow_recovery apfs_inode_anomaly_detection fsevents_log_analysis raw_disk_block_recovery btree_node_scanning freed_block_data_extraction