MoTW
Home >
Cyber Defense CTF > Forensics
Back <> Next
NOTE - The resources needed for this challenge are on the Cyber Defense CTF Triage Workstation VM on our hosted platform.
Find out where the file forest_stream.jpg was downloaded from on the Triage Workstation and you’ll have your flag!
For this challenge, we are directed to the Cyber Defense CTF Triage Workstation hosted vm.
We can try to look at some data in the photo, but this does not result in anything useful. Instead, we can use the Zone.Identifier alternate data stream if we open a powershell window in the Downloads folder:
Get-Content -Path ".\forest_stream.jpg" -Stream Zone.Identifier
All that’s left to do is url decode and submit the flag!
