BlackHat MEA CTF Qualifications 2024

Forensics writeup

أحمد ناصر

3 min readSep 2, 2024

Hello my friends this is a simple walkthrough about the 2 forensics challenge I solved in this competition

1- Artifact (Easy)

we was provided with single file (registry hive) so i open it using registry explorer :

since he asked about tool execution , there are some usefull registry values like AppCompatCache

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache


AppCompatCache refers to a Windows feature related to application compatibility. It's a cache used by Windows to store information about recently executed applications. This cache is maintained by the Windows Compatibility Manager and is often referred to as the Shim Cache. It's primarily used by the operating system to ensure compatibility of applications with different versions of Windows.

In forensics, the AppCompatCache is valuable because it can provide a list of executed applications, including information such as file paths and timestamps of when the applications were first or last executed. This can be critical in investigations where you need to establish a timeline of events on a system.

so there are many tools to parse AppCompatCache but i used EricZimmerman/AppCompatCacheParser :

after i opened the csv file, i found the malicious tool

DeadPotato is a windows privilege escalation utility from the Potato family of exploits, leveraging the SeImpersonate right to obtain SYSTEM privileges.

the flag

BHFlagY{DeadPotato-NET4.exe_09/08/2024_22:42:13}

2-NotFS (Medium)

we was provided whis “.img” file named (chall.img) , so i tried to mount it but it was corrupted :

First i used Autopsy — Digital Forensics and FTK Imager to extract any data from this img file but they only 6 WEBP images ,which contained no useful information.