Happy to share with you my writeup for solving 4 DFIR challenges out of 5 (last chall has 0 solves💀) in CAT Reloaded CTF — CATF 2025.
You can read this writeup on my GitBook account Link
Challenge 1 “Index of Secrets”:
From the challenge description, we need to fetch the Windows Search database, which resides in the following path:
“C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb”
“Windows.edb” is a database file used by the Windows Search service to store its index of your files, emails, and other content, allowing for faster searches.
We need to download “Win Search DB Analyzer” from this link to be able to open the “Windows.edb” file; locate Windows.edb and open it.
A short walk around the files finds “flag.txt.txt” with the absolute path “C:\Users\wh1pl4sh\Desktop\flag.txt.txt”.
CATF{ESE_DB_F0r3ns1cs}

Challenge 2 “Loser”:
We need to investigate the disk, looking for any interesting log file that can lead us to that game crack.
While walking around, I found these 3 files in the following path: “C:\Windows\AppCompat\pca”
Program Compatibility Assistant (PCA) is a Windows feature that monitors applications for issues like crashes, compatibility problems, or suspicious behavior.
PcaAppLaunchDic.txt specifically records application paths and their last execution times.
PcaGeneralDb0.txt and PcaGeneralDb1.txt store more general data related to PCA's operation, with new files created as needed.
So, let’s dig deeper into them, trying to find something catchy.
After a lot of scrolling, here are my findings:
Now we need to construct the correct flag from this flag example:
Flag Example: CATF{X:\Users\blabla\blabla.exe_N_YYYY-MM-DD HH:MM:SS.sss}
full path → “C:\Users\t0orf3n\AppData\Local\Temp\GreenHell.crack.exe”
run status → “3” (PcaGeneralDb0.txt)
last time of execution → “2025-07-12 13:34:17.726” (PcaAppLaunchDic.txt)
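To show how the three values combine, here is an added Python example (not part of the original writeup) that parses constructed PcaAppLaunchDic.txt and PcaGeneralDb0.txt lines and formats the flag. PcaAppLaunchDic.txt is one “path|timestamp” record per line; the PcaGeneralDb0.txt column layout used here (timestamp|status|path|...) is an assumption for the sample, and the executable names other than the crack are constructed.

```python
# Added example (not from the writeup): rebuild the Challenge 2 flag from PCA records.
# PcaAppLaunchDic.txt is "<path>|<last run timestamp>" per line.
# The PcaGeneralDb0.txt layout below (timestamp|status|path|...) is an ASSUMPTION
# used for this constructed sample, not a verified field specification.
import re
from typing import Dict, Optional, Tuple

# Constructed sample lines in the style of C:\Windows\AppCompat\pca\*.txt
APP_LAUNCH_DIC = """\
C:\\Windows\\System32\\notepad.exe|2025-07-10 09:12:01.004
C:\\Users\\t0orf3n\\AppData\\Local\\Temp\\GreenHell.crack.exe|2025-07-12 13:34:17.726
"""
GENERAL_DB0 = """\
2025-07-12 13:34:17.726|3|C:\\Users\\t0orf3n\\AppData\\Local\\Temp\\GreenHell.crack.exe|Green Hell|Creepy Jar|1.0.0.0|
2025-07-10 09:12:01.004|0|C:\\Windows\\System32\\notepad.exe|Notepad|Microsoft|10.0.0.0|
"""

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}$")


def parse_app_launch_dic(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {lowercase path: (original path, last execution time)}, skipping bad lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) == 2 and TS_RE.match(parts[1]):
            entries[parts[0].lower()] = (parts[0], parts[1])
    return entries


def parse_general_db(text: str) -> Dict[str, str]:
    """Return {lowercase path: run status}; status is ASSUMED to be the 2nd column."""
    status = {}
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) >= 3 and parts[1].isdigit():
            status[parts[2].lower()] = parts[1]
    return status


def build_flag(launch: Dict[str, Tuple[str, str]], status: Dict[str, str], needle: str) -> Optional[str]:
    """Format CATF{path_status_timestamp} for the first path containing `needle`."""
    for key, (path, ts) in launch.items():
        if needle.lower() in key and key in status:
            return f"CATF{{{path}_{status[key]}_{ts}}}"
    return None


if __name__ == "__main__":
    print(build_flag(parse_app_launch_dic(APP_LAUNCH_DIC), parse_general_db(GENERAL_DB0), "crack"))
```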
CATF{C:\Users\t0orf3n\AppData\Local\Temp\GreenHell.crack.exe_3_2025-07-12 13:34:17.726}

Challenge 3 “Dead Icons Speak”:
From the description, “an icon rendered into the depths of a forgotten cache”,
so we need to go straight to the Windows icon/thumbnail cache.
So we need to download Thumbcache Viewer via this link to open the cached icon/thumbnail databases, which can be found at these paths:
C:\Users\<user>\AppData\Local\Microsoft\Windows\Explorer\iconcache_xx.db
C:\Users\<user>\AppData\Local\Microsoft\Windows\Explorer\thumbcache_x.db
The description said “an icon rendered”, so focus on the “iconcache_xxx.db” files only!!
(There is a fake flag in the thumbcache file “thumbcache_256.db”.)
That’s a fake flag, so let’s open all “iconcache_xxx.db” files to find the correct flag.
Now we have the second part of the full flag.
Let’s open the hard drive contents in FTK Imager to get the malicious exe file that wasn’t logged, wasn’t scanned, and didn’t survive.
The only log file I found is MPLog-20250704-153812.log, the “Microsoft Protection Log used by Windows Defender for security event analysis.” Here’s the full path of the log file:
C:\All Users\Microsoft\Windows Defender\Support\MPLog-20250704-153812.log
In FTK Imager, search for any “.exe” file and see if there’s anything catchy:
We can see that there’s a file called “flagstealer.exe” on wh1pl4sh’s desktop.
Now we have the full flag:
CATF{flagstealer.exe:thumbn41l_pwn}

Challenge 4 “Erased Traces”:
Solving this challenge almost drove me crazy. Opening the disk image in FTK Imager, we can easily spot 4 deleted files that need to be recovered. (The image was too small for finding the deleted files to be a challenge.)
Now we need to carve the files from the disk to restore them correctly.
Here are all the tools I used that didn’t recover the deleted files properly:
I was so close to giving up.
I know Recuva is about the best tool for recovering deleted files (I always use it personally). The files showed as irrecoverable, as you can see, and when I tried to recover them anyway I got 4 files full of null bytes🫠
NOTE: most tools need the disk image to be mounted to carve files correctly, so we’ll use Arsenal Image Mounter (“download link”) to mount the image; it takes just a few clicks.
Before giving up, I looked for a more powerful tool than “Recuva” or “Recuva Professional”, and found this amazing Reddit post that answered my question. “link”
Just download Disk Drill from this link; then we can attach the disk image.
Search for lost data → Universal Scan; after the scan finishes → Review found items
Check “hide duplicates”.
Check the 4 deleted files and recover them (CAT1, CAT2, CAT3, CAT4).
Hop into HxD (“download link”) to check whether the file data is still null or not🫠
FINALLY, PDF magic bytes found in CAT1!!
Now let’s view the last hex values of the CAT4 file:
Now we can see that CAT1 starts with the magic bytes of a PDF file
and CAT4 ends with the EOF (End Of File) marker, so we know that all 4 files are actually one PDF file divided into 4 parts.
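Before joining the pieces, it is worth confirming what the hex view showed. The following Python is an added example, not code from the writeup: it rejects null-filled fragments (the Recuva result), checks that the first fragment carries the %PDF- header and the last carries the %%EOF trailer, and only then concatenates them. The CAT1..CAT4 contents are a constructed minimal PDF skeleton, not the challenge files.

```python
# Added example (not from the writeup): sanity-check recovered fragments before joining.
# Fragment contents below are constructed; the real CAT1..CAT4 come from the recovery tool.
from typing import List

PDF_HEADER = b"%PDF-"
PDF_EOF = b"%%EOF"


def is_null_fill(data: bytes) -> bool:
    """True when a 'recovered' fragment is nothing but zero bytes."""
    return len(data) > 0 and data.count(0) == len(data)


def check_fragments(fragments: List[bytes]) -> List[str]:
    """Return a list of problems; an empty list means the order looks plausible."""
    problems = []
    for i, frag in enumerate(fragments, 1):
        if is_null_fill(frag):
            problems.append(f"fragment {i} is null-filled")
    if not fragments[0].startswith(PDF_HEADER):
        problems.append("first fragment lacks %PDF- header")
    if not fragments[-1].rstrip(b"\r\n").endswith(PDF_EOF):
        problems.append("last fragment lacks %%EOF trailer")
    return problems


def join_fragments(fragments: List[bytes]) -> bytes:
    """Concatenate in the given order once the checks pass; raise otherwise."""
    problems = check_fragments(fragments)
    if problems:
        raise ValueError("; ".join(problems))
    return b"".join(fragments)


# Constructed four-way split of a minimal PDF skeleton, mirroring CAT1..CAT4.
CAT1 = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
CAT2 = b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
CAT3 = b"xref\n0 3\n0000000000 65535 f \n0000000009 00000 n \n0000000058 00000 n \n"
CAT4 = b"trailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n110\n%%EOF\n"

if __name__ == "__main__":
    pdf = join_fragments([CAT1, CAT2, CAT3, CAT4])
    with open("combined.pdf", "wb") as fh:
        fh.write(pdf)
    print(f"wrote combined.pdf ({len(pdf)} bytes)")
```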
Reassemble them easily with a very simple piece of PowerShell:
Get-Content CAT1, CAT2, CAT3, CAT4 -Encoding Byte -ReadCount 0 | Set-Content combined.pdf -Encoding Byte
Now we can open the final PDF file to get the flag:
CATF{whip1@$h_iz_da_b3$t_m0v13_3va!}