2024 Cyber Apocalypse: Pursue The Tracks

Challenge Information

Attribute	Details
Event	2024 Cyber Apocalypse
Category	Forensics
Challenge	Pursue The Tracks
Difficulty	Easy

Pursue The Tracks provides an extracted MFT (Master File Table) from a Windows NTFS filesystem. The challenge requires parsing the MFT using tools like MFTECmd or MFT_Browser, exporting data to CSV format, and analyzing file timestamps and metadata to answer questions about file activity, deletions, and modifications.

Analysis

The challenge structure:

Artifact: z.mft file (NTFS Master File Table only)
Tool Options:
- MFTECmd: Command-line tool to convert MFT to CSV
- MFT_Browser: GUI tool for exploration
- TimelineExplorer: CSV analysis tool
Key Data: File names, timestamps, sizes, flags, entry numbers
Investigation Focus: Timeline reconstruction, deleted files, file modifications

Solution

Step 1: Extract MFT to CSV

Using MFTECmd:

MFTECmd.exe -f z.mft --csv c:\temp

This generates a CSV file with MFT entries containing:

EntryNumber
FileName
Created0x10 (Creation time from $STANDARD_INFORMATION)
LastModified0x10
LastAccessed0x10
InUse (True/False - deleted if False)
SiFlags (Hidden, System, etc.)
FileSize
And many other attributes

Step 2: Import to Analysis Tool

Open CSV in:

Excel / Google Sheets (for easy filtering)
TimelineExplorer (for advanced analysis)
Python pandas (for programmatic analysis)

Step 3: Answer Sample Questions

Q1: Which two years are files related to?

Filter the “Created0x10” or “LastModified0x10” column for unique years.

Answer: 2023,2024

Q2: What is the first file written (excluding system files)?

Filter for:

IsDirectory = False
Exclude system files
Sort by created timestamp ascending
First entry is the answer

Answer: Final_Annual_Report.xlsx

Q3: Which file was deleted?

Filter for:

InUse = False (deleted files show as False)
Find non-system deleted files

Answer: Marketing_Plan.xlsx

Q4: How many files are set to Hidden mode?

Filter for:

SiFlags = Hidden or SiFlags contains 'H'
Count results (exclude system files)

Answer: 1

Q5: Which important TXT file was created?

Filter for:

Extension = .txt
Sort by creation date
Identify the important one

Answer: credentials.txt

Q6: Which file was copied?

Filter for:

Copied = True column
This flag indicates the file was copied/duplicated

Answer: Financial_Statement_draft.xlsx

Q7: Which file was modified after creation?

Create a formula to compare Created0x10 and LastModified0x10:

=IF(TEXT(Created0x10, "mm/dd/yyyy hh:mm:ss") <> TEXT(LastModified0x10, "mm/dd/yyyy hh:mm:ss"), FileName, "")

Filter for non-empty results:

Answer: Project_Proposal.pdf

Q8: File name at record number 45?

Filter for:

EntryNumber = 45

Answer: Annual_Report.xlsx

Q9: File size at record number 40?

Filter for:

EntryNumber = 40
Read FileSize column

Answer: [file size in bytes]

Step 4: Combine Answers for Flag

Each answer is a flag component. Concatenate or submit through the challenge interface to obtain the final flag.

MFT Key Concepts

Entry Numbers

System files: 0-15 (MFT itself, root directory, etc.)
User files: 16+
Entry numbers can indicate file creation order

Timestamps

Created0x10: From $STANDARD_INFORMATION attribute
LastModified0x10: Last write time
LastAccessed0x10: Last read time
Times are in UTC (FILETIME format)

File Flags (InUse)

True: File is active
False: File has been deleted
Still recoverable from MFT until overwritten

SiFlags

Hidden: File hidden from normal directory listing
System: System file
Archive: Ready for backup
ReadOnly: Write-protected

Investigation Checklist

Key Takeaways

NTFS MFT is invaluable for forensic reconstruction
File timestamps reveal activity timeline
Deleted files remain in MFT until overwritten
File attributes provide additional context
System files should be filtered out in analysis
Entry numbers correlate with filesystem activity order
CSV export enables flexible analysis in any spreadsheet tool