Introduction to Forensics
Author(s): a_person
Last Updated: 02-13-2026
Recommended Prerequisites: None
Note
This article is for easy FQs as well as advice for practicing.
What are forensics questions?
Forensics questions are questions that ask about the current system, about logs of attacks, or for general information that relates in some way to the current system. They can ask you anything from looking up CVEs, to using logs to find indicators of compromise, to reversing a binary. They can also include file attachments, which include, but are not limited to, network captures, images, and zip files. They are usually located on the Desktop.
Why do we do forensics questions?
The skills developed through forensics are fundamental to the field of Incident Response (IR), a vital part in cybersecurity. Professionals use these techniques to investigate security breaches, understand an attacker's methods, and gather digital evidence.
What can I use for extra practice?
CTFs, practice images, and Hack the Box are great for forensics practice. Here are some websites you can use to practice them:
- https://picoctf.org/
- https://github.com/alphyos/CyberStart-2024
- https://imaginaryctf.org/
- https://images.cypat.guide
- https://www.hackthebox.com/
Practice!
Here are some example easy forensics questions that do not require much work:
Find the CVEs fixed in Notepad++ v8.5.7
Fixed CVEs: CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166
Reference:
Notepad++ v8.5.7 Release Notes
Decode the encoded message: 5a 47 39 75 61 32 56 35 49 47 6c 7a 49 47 35 76 64 43 42 7a 61 32 6c 69 61 57 52 70
Decoded: donkey is not skibidi
You can decode it by first decoding the hex into ASCII text, which gives a Base64 string, and then decoding that Base64 string.
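As an added example (not part of the original article), here is a small Python helper that automates the two-step decode above and, more generally, peels hex and Base64 layers off a string until printable text appears; the sample input is the hex string from the question, and the stop condition (all bytes printable ASCII) is an assumption that suits this kind of puzzle.

```python
import base64
import binascii
import string

# Constructed sample input: the hex string from the practice question above.
SAMPLE_HEX = ("5a 47 39 75 61 32 56 35 49 47 6c 7a 49 47 35 76 "
              "64 43 42 7a 61 32 6c 69 61 57 52 70")

PRINTABLE = set(string.printable)


def looks_like_text(data: bytes) -> bool:
    """Stop condition (assumed): every byte is printable ASCII."""
    try:
        return all(ch in PRINTABLE for ch in data.decode("ascii"))
    except UnicodeDecodeError:
        return False


def try_hex(s: str):
    """Return the bytes if s is a hex string (spaces allowed), else None."""
    compact = "".join(s.split())
    if not compact or len(compact) % 2 or not all(c in string.hexdigits for c in compact):
        return None
    return bytes.fromhex(compact)


def try_base64(s: str):
    """Return the bytes if s is strictly valid, padded Base64, else None."""
    compact = "".join(s.split())
    if not compact or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel(text: str, max_layers: int = 5):
    """Strip hex/Base64 layers repeatedly; return (plaintext, layers_removed)."""
    layers = []
    current = text
    for _ in range(max_layers):
        for name, decoder in (("hex", try_hex), ("base64", try_base64)):
            out = decoder(current)
            if out is not None and looks_like_text(out):
                layers.append(name)
                current = out.decode("ascii")
                break
        else:
            break  # no decoder produced printable text, so we are done
    return current, layers


if __name__ == "__main__":
    print(peel(SAMPLE_HEX))  # ('donkey is not skibidi', ['hex', 'base64'])
```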
What is the publication timestamp (ISO 8601) for CVE-2025-4561?
Timestamp: 2025-05-12T06:44:29.959Z
Source:
CVE Record on GitHub
Here is an example of conducting forensics on Windows Event Logs. This is a challenge scraped from a CTF. You may want to do some research if you are not familiar with Windows Event Logs.
Click here to download the file
Find the following information: the executable file that was downloaded and run as the malware, the name of the executable that abuses an unquoted service path, the sensitive file that was accessed, the command that led the attacker to discover that this file existed, the registry value created to maintain persistence of the PowerShell script that uploads user data, and the port number of the FTP server.
Answers (in the order asked):
- Malware executable: update.exe
- Executable abusing an unquoted service path: My.exe
- Sensitive file accessed: passwords.txt
- Command that revealed it: netshare
- Registry value for persistence: SysmonAgent
- FTP server port: 2222