ARPCON 2020 Forensics and Misc Challenge Write-up

MRunal
Oct 12, 2020

Hello guys

I hope you liked the CTF and the virtual hacking conference.

I'll come straight to the point: "straight talk, no nonsense".

Section : Forensics

1. Artifacts

Description of this challenge: forensics experts got hold of some artifacts of a piece of malware (don't worry, the file is not actual malware).
You need to find the physical address and then find this malware's folder path (not the full path).

Flag format: arpcon{software/file/file.exe}

Here is the file: Ljones-musicfile.mp4. It's a shortcut file, and you need to find the physical (MAC) address from it.

Could you parse the shortcut file directly? Don't do that: it's a shortcut to some video, so you should parse it as a .lnk file (give it the .lnk extension first).

LECmd is the Lnk Explorer Command line edition. It is a tool to decode all available information contained in shortcut files found on Windows operating systems.

Command: LECmd.exe -f "D:\Computer forensic\tools\Ljones-musicfile.mp4.lnk" --all, and you will get lots of details.

(LECmd.exe and your file must be in the same folder.)
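Why a MAC address turns up in a shortcut file, as an added example that is not part of the original write-up: a .lnk carries a TrackerDataBlock whose droid GUIDs are version-1 UUIDs, and a v1 UUID embeds the NIC address of the host where the target file lived, which is the value LECmd prints. The parser below follows the MS-SHLLINK layout; the sample shortcut bytes and the machine name FORENSIC-PC are constructed, not the CTF file.

```python
# Added example (not the write-up's code); the sample bytes below are constructed.
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
TRACKER_SIG = 0xA0000003  # ExtraData block signature of TrackerDataBlock


def _extra_data_offset(buf: bytes) -> int:
    """Skip header, IDList, LinkInfo and StringData per MS-SHLLINK."""
    if buf[:4] != b"\x4c\x00\x00\x00" or buf[4:20] != LNK_CLSID:
        raise ValueError("not a shell link (.lnk) file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    off = 76
    if flags & 0x01:                                    # HasLinkTargetIDList
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & 0x02:                                    # HasLinkInfo
        off += struct.unpack_from("<I", buf, off)[0]    # size counts itself
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):          # the StringData fields
        if flags & bit:
            n = struct.unpack_from("<H", buf, off)[0]
            off += 2 + n * (2 if flags & 0x80 else 1)   # IsUnicode -> UTF-16
    return off


def tracker_info(buf: bytes) -> dict:
    """Machine name and MAC from the TrackerDataBlock (0xA0000003): the file
    droid is a UUIDv1 whose 48-bit node is the NIC address of the source host."""
    off = _extra_data_offset(buf)
    while off + 8 <= len(buf):
        size, sig = struct.unpack_from("<II", buf, off)
        if size < 4:                                    # TerminalBlock
            break
        if sig == TRACKER_SIG:
            machine = buf[off + 16:off + 32].split(b"\0")[0].decode()
            droid_file = uuid.UUID(bytes_le=buf[off + 48:off + 64])
            mac = droid_file.node.to_bytes(6, "big").hex(":")
            return {"machine_id": machine, "mac": mac,
                    "uuid_version": droid_file.version}
        off += size
    raise ValueError("no TrackerDataBlock present")


def build_sample_lnk(mac: str, machine: str = "FORENSIC-PC") -> bytes:
    """Constructed minimal .lnk (no flags set) with one TrackerDataBlock."""
    header = struct.pack("<I", 76) + LNK_CLSID + b"\0" * 56
    file_droid = uuid.uuid1(node=int(mac.replace(":", ""), 16)).bytes_le
    volume = uuid.uuid4().bytes_le
    block = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
             + machine.encode().ljust(16, b"\0")
             + volume + file_droid + volume + file_droid)
    return header + block + struct.pack("<I", 0)        # TerminalBlock
```

Against a real shortcut, call tracker_info(open(path, "rb").read()) and compare the mac field with LECmd's output.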

Use this MAC address, d0:50:99:82:33:6e, to open the zip file.

Inside it you get 97743AA9.pf.

The .pf extension means a prefetch file. Use a prefetch parser (PECmd.exe).

The goal of PECmd (I think) was to provide a reliable, Windows-based prefetch parser that displays as much data as can be squeezed out of the files.

MRunal

Blogger | Security Researcher | Digital forensic analyst | Twitter — @mrunal110