picoCTF Solutions
ForensicsAdvanced

Advanced Digital Forensics

Once you can read metadata and carve files, real forensics turns into reverse engineering. These challenges make you trace encoder binaries that hide the flag inside images, decrypt TLS sessions from a leaked private key, recover data shuffled by a timestamp-seeded PRNG, and read secrets leaked through timing differences. This path assumes you are already comfortable with exiftool, Wireshark, and basic steganography.

New to this category? Start withDigital Forensicsfirst.
5 steps·13 challenges
  1. Step 01

    Steganographic Encoder Reversing

    The hardest stego challenges do not hand you a tool that just extracts the flag. Instead a binary reads flag.txt and scatters its bytes across pixel data using custom logic. You have to reverse the encoder to write the matching decoder. The Investigative Reversing series builds this skill one transformation at a time, and Invisible WORDs hides characters in whitespace a normal viewer never renders.

    Investigative Reversing 0

    picoCTF 2019

    Hard

    Investigative Reversing 1

    picoCTF 2019

    Hard

    Investigative Reversing 2

    picoCTF 2019

    Hard

    Invisible WORDs

    picoCTF 2023

    Hard
  2. Step 02

    Decrypting Captured Traffic

    Packet captures are not always plaintext. When a session is TLS-encrypted, you need the server's private key to decrypt it inside Wireshark before you can read the HTTP exchange. The WebNet challenges give you the key and the capture and ask you to reconstruct the conversation hiding the flag.

    WebNet0

    picoCTF 2019

    Hard

    WebNet1

    picoCTF 2019

    Hard
  3. Step 03

    Custom Encoding Schemes

    Some artifacts are passed through a homegrown encoder with multiple transformation passes before being written out. There is no off-the-shelf decoder. You read the encoder logic, understand each pass, and invert it. These two challenges escalate from a single transform to a layered multi-pass scheme.

    investigation_encoded_1

    picoCTF 2019

    Hard

    investigation_encoded_2

    picoCTF 2019

    Hard
  4. Step 04

    Timing and Statistical Side-Channels

    Sometimes the data is not hidden in a file at all but leaks through behavior. SideChannel recovers a PIN because each correct digit makes the checker take measurably longer, and scrambled-bytes recovers an image because UDP packet timestamps seeded the shuffle PRNG. This is where forensics meets cryptographic side-channel analysis.

    SideChannel

    picoCTF 2022

    Hard

    scrambled-bytes

    picoMini by redpwn

    Hard
  5. Step 05

    Deep Multi-Layer Investigations

    The capstone challenges layer everything: disk images with IRC logs and slack-space data, steghide-protected bitmaps, golden-ratio-base encoding, and nested file carving. Solving them means orchestrating the entire forensics toolkit in the right order, exactly like a real incident-response investigation.

    B1g_Mac

    picoCTF 2019

    Hard

    Very very very Hidden

    picoCTF 2021

    Hard

    UnforgottenBits

    picoCTF 2023

    Hard
All guided paths