Seized | HTB Forensics (Medium)

30 December 2025 | 2 min read | justruss.tech

Seized is a Medium-rated HackTheBox forensics challenge built around a Windows disk image from a corporate workstation that data was exfiltrated from. It tests MFT analysis, file carving, and the discipline not to chase a deliberate decoy.

Initial triage

mmls seized.img
# the NTFS partition mmls lists starts at sector 2048 (512-byte sectors), hence the byte offset;
# ro keeps the image unchanged
sudo mount -o ro,loop,offset=$((512*2048)) seized.img /mnt/seized

# everything under Users newer than the kernel binary, i.e. touched after the OS install;
# the IE/Edge "Low" temp cache is excluded because it is pure noise
find /mnt/seized/Users -newer /mnt/seized/Windows/System32/ntoskrnl.exe \
  -not -path "*/AppData/Local/Temp/Low/*" 2>/dev/null | sort
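The offset in the mount line is the one number in this step that is easy to get wrong, and the same geometry is needed later to pull $MFT out of the image without mounting it. The following is an added example (not code from the original post) that parses mmls output for the NTFS partition's start, reads the NTFS boot sector at that offset, and computes where $MFT lives and how big its records are. The mmls text and the boot sector are constructed inline and are not the real ones from the challenge image; the $MFT cluster number 4 is an assumption for a tiny volume.

```python
import re
import struct

# Constructed mmls output for a one-partition image (not the output from the challenge).
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000204799   0000202752   NTFS / exFAT (0x07)
"""


def partition_offset(mmls_text, match="NTFS"):
    """Byte offset of the first partition whose description contains `match`."""
    m = re.search(r"Units are in (\d+)-byte sectors", mmls_text)
    sector_size = int(m.group(1)) if m else 512
    for line in mmls_text.splitlines():
        fields = line.split()
        # partition rows look like "002:  000:000   <start>   <end>   <length>   <description>"
        if len(fields) >= 6 and fields[0].rstrip(":").isdigit() and match in line:
            return int(fields[2]) * sector_size
    raise ValueError(f"no partition matching {match!r}")


def ntfs_geometry(boot_sector):
    """Cluster size, $MFT offset relative to the volume, and FILE record size from the BPB."""
    if boot_sector[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot_sector, 0x0B)
    mft_lcn, = struct.unpack_from("<Q", boot_sector, 0x30)
    clusters_per_record, = struct.unpack_from("<b", boot_sector, 0x40)
    cluster_size = bytes_per_sector * sectors_per_cluster
    # a negative value means the record size is 2**|value| bytes (normally -10 -> 1024)
    record_size = 1 << -clusters_per_record if clusters_per_record < 0 else clusters_per_record * cluster_size
    return {"cluster_size": cluster_size, "mft_offset": mft_lcn * cluster_size, "record_size": record_size}


def locate_mft(image, mmls_text):
    """Absolute byte offset of $MFT inside the raw image, plus the record size to walk it with."""
    part = partition_offset(mmls_text)
    geo = ntfs_geometry(image[part:part + 512])
    return part + geo["mft_offset"], geo["record_size"]


def build_sample_image(mft_lcn=4):
    """Constructed image: empty space up to sector 2048, then a minimal NTFS boot sector."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, 512, 8)   # 512-byte sectors, 8 per cluster
    struct.pack_into("<Q", bs, 0x30, mft_lcn)    # $MFT starts at this cluster (assumed)
    struct.pack_into("<b", bs, 0x40, -10)        # 1024-byte FILE records
    bs[510:512] = b"\x55\xAA"
    return bytes(2048 * 512) + bytes(bs)


if __name__ == "__main__":
    off, size = locate_mft(build_sample_image(), MMLS_OUTPUT)
    print(f"$MFT at byte {off}, {size}-byte records")
```

With the real image, `locate_mft(open("seized.img", "rb").read(), mmls_output)` gives the offset you would `dd` from, though the Sleuth Kit's `icat -o 2048 seized.img 0` does the same job (inode 0 is $MFT) and also follows a fragmented $MFT, which the offset alone does not.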

Browser history

# History is a SQLite database; work on a copy rather than the mounted image
cp "/mnt/seized/Users/jsmith/AppData/Local/Google/Chrome/User Data/Default/History" /tmp/

# Chrome stores last_visit_time as microseconds since 1601-01-01 UTC (WebKit time):
# divide by 1e6 and subtract the 1601->1970 offset to get a Unix timestamp
sqlite3 /tmp/History "
  SELECT datetime(last_visit_time/1000000-11644473600, 'unixepoch') as t, url
  FROM urls WHERE last_visit_time > 0 ORDER BY t DESC LIMIT 30;"

# Returns:
# 2023-09-18 23:41  https://www.dropbox.com/upload
# 2023-09-18 23:38  https://file.io/
# 2023-09-18 23:22  https://pastebin.com/api/api_post
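The conversion above is the step people get wrong when they reach for a Unix-epoch tool on a Chrome database. As an added example (not from the original post), here is the same WebKit-time arithmetic in Python, run against a constructed stand-in for Chrome's `urls` table; it also goes one step further than the shell one-liner and filters on the raw integer timestamps so a large History file does not need every row converted. The rows, URLs and times are constructed to mirror the post's timeline and are not the real database.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_DELTA_SECONDS = 11_644_473_600   # seconds from 1601-01-01 to 1970-01-01


def webkit_to_datetime(us):
    """Chrome stores last_visit_time as microseconds since 1601-01-01 UTC (WebKit time)."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


# Constructed stand-in for Chrome's History database: only the urls columns the query touches.
SCHEMA = """CREATE TABLE urls (
    id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER DEFAULT 0,
    typed_count INTEGER DEFAULT 0, last_visit_time INTEGER NOT NULL, hidden INTEGER DEFAULT 0)"""

SAMPLE_VISITS = [   # constructed rows echoing the timeline in the post
    ("https://www.dropbox.com/upload", datetime(2023, 9, 18, 23, 41, tzinfo=timezone.utc)),
    ("https://file.io/", datetime(2023, 9, 18, 23, 38, tzinfo=timezone.utc)),
    ("https://pastebin.com/api/api_post", datetime(2023, 9, 18, 23, 22, tzinfo=timezone.utc)),
    ("https://intranet.example/", datetime(2023, 9, 1, 9, 0, tzinfo=timezone.utc)),
    ("https://never-visited.example/", None),   # last_visit_time == 0, e.g. an imported bookmark
]


def build_sample_history():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    for url, when in SAMPLE_VISITS:
        conn.execute("INSERT INTO urls (url, title, last_visit_time) VALUES (?, '', ?)",
                     (url, datetime_to_webkit(when) if when else 0))
    conn.commit()
    return conn


def recent_visits(conn, limit=30):
    """The shell one-liner's conversion, done inside SQLite. Integer division truncates to
    whole seconds, which is why the output carries no fractional part."""
    sql = f"""SELECT datetime(last_visit_time / 1000000 - {EPOCH_DELTA_SECONDS}, 'unixepoch') AS t, url
              FROM urls WHERE last_visit_time > 0 ORDER BY last_visit_time DESC LIMIT ?"""
    return conn.execute(sql, (limit,)).fetchall()


def visits_in_window(conn, start, end):
    """Filter on the raw WebKit integers instead of converting every row: exact to the
    microsecond and cheap on a big History file."""
    lo, hi = datetime_to_webkit(start), datetime_to_webkit(end)
    rows = conn.execute("SELECT last_visit_time, url FROM urls WHERE last_visit_time BETWEEN ? AND ? "
                        "ORDER BY last_visit_time", (lo, hi))
    return [(webkit_to_datetime(t), url) for t, url in rows]
```

Ordering on `last_visit_time` rather than the formatted string avoids a subtle trap: the string sort happens to work for ISO-style output, but breaks the moment someone switches the format to something locale-shaped.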

MFT analysis for deleted files

# $MFT is hidden from directory listings but can be opened by name (ntfs-3g serves the
# metafiles on request); without mounting, the Sleuth Kit equivalent is
#   icat -o 2048 seized.img 0 > /tmp/mft_raw        (inode 0 is $MFT)
sudo cp "/mnt/seized/\$MFT" /tmp/mft_raw

pip install analyzeMFT
analyzeMFT.py -f /tmp/mft_raw -o /tmp/mft.csv

# narrow to the exfil window the browser history gave us (23:20-23:49) and to archives
grep "2023-09-18 23:[2-4]" /tmp/mft.csv | grep "\.zip"
# Returns entries for staging_package_final.zip created at 23:35
# Status: deleted, parent path C:\Users\jsmith\AppData\Local\Temp
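What analyzeMFT is doing under the hood is worth seeing once, because it is the whole reason a deleted file still has a name, a parent and a creation time. The following is an added example, not code from the post or from analyzeMFT: it builds a few constructed FILE records (fixups applied, the way NTFS stores them), parses them back, flags records whose in-use bit is clear, and resolves the parent chain into a path. The volume layout, record numbers, the `still_here.txt` file and the update sequence number 0x2A are all constructed; it handles resident $FILE_NAME attributes in base records only and ignores attribute lists, which is enough for a deleted file in a user directory but not for every record in a real $MFT.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STD_INFO, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02   # record header flags (offset 22)
ROOT_RECORD = 5                            # MFT entry of the volume root directory

def filetime_to_dt(ft): return FILETIME_EPOCH + timedelta(microseconds=ft // 10)   # 100 ns ticks
def dt_to_filetime(dt): return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def _resident_attr(atype, content):
    # 24-byte resident attribute header + content, padded to an 8-byte boundary
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return hdr + content + bytes(length - 24 - len(content))

def build_record(recno, name, parent, created, in_use, directory=False, usn=0x2A):
    """Constructed FILE record, laid out and fixup-protected the way NTFS writes it to $MFT."""
    ft = dt_to_filetime(created)
    std_info = struct.pack("<QQQQIIII", ft, ft, ft, ft, 0x20, 0, 0, 0)
    file_name = struct.pack("<QQQQQQQIIBB", parent | (1 << 48), ft, ft, ft, ft, 0, 0,
                            0x10000000 if directory else 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    body = (_resident_attr(ATTR_STD_INFO, std_info) + _resident_attr(ATTR_FILE_NAME, file_name)
            + struct.pack("<I", ATTR_END))
    hdr_flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if directory else 0)
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 48, 3, 0, 1, 1, 56, hdr_flags,
                     56 + len(body), RECORD_SIZE, 0, 2, 0, recno)
    rec[56:56 + len(body)] = body
    # Fixups: the last 2 bytes of each 512-byte sector are swapped for the update sequence
    # number; the real bytes are parked in the array at offset 48 and restored on read.
    struct.pack_into("<H", rec, 48, usn)
    for i in (1, 2):
        end = i * 512 - 2
        rec[48 + 2 * i:50 + 2 * i] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, usn)
    return bytes(rec)

def parse_record(raw):
    """Undo the fixups, then read the in-use/directory flags and the $FILE_NAME attribute."""
    if raw[:4] != b"FILE":
        return None                   # never-used slot, or "BAAD" (multi-sector write failed)
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = i * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    first_attr, flags = struct.unpack_from("<HH", rec, 20)
    recno, = struct.unpack_from("<I", rec, 44)   # NTFS 3.1+ only; otherwise use the slot index
    info = {"recno": recno, "in_use": bool(flags & FLAG_IN_USE),
            "directory": bool(flags & FLAG_DIRECTORY), "name": None, "parent": None, "created": None}
    off = first_attr
    while off + 8 <= len(rec):
        atype, length = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or length == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:   # resident attributes only
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            c = rec[off + coff:off + coff + clen]
            parent_ref, created = struct.unpack_from("<QQ", c, 0)
            name_len, namespace = c[64], c[65]
            if info["name"] is None or namespace != 2:        # prefer the long name over DOS 8.3
                info.update(name=c[66:66 + 2 * name_len].decode("utf-16-le"),
                            parent=parent_ref & 0xFFFFFFFFFFFF, created=filetime_to_dt(created))
        off += length
    return info

def parse_mft(mft_bytes):
    records = {}
    for i in range(0, len(mft_bytes) - RECORD_SIZE + 1, RECORD_SIZE):
        info = parse_record(mft_bytes[i:i + RECORD_SIZE])
        if info and info["name"] is not None:
            records[info["recno"]] = info
    return records

def full_path(records, recno):
    parts, seen = [], set()
    while recno != ROOT_RECORD and recno in records and recno not in seen:
        seen.add(recno)
        parts.append(records[recno]["name"])
        recno = records[recno]["parent"]
    return "C:\\" + "\\".join(reversed(parts))

def deleted_files(mft_bytes, suffix=""):
    # records whose in-use flag is clear but whose $FILE_NAME still names a file
    records = parse_mft(mft_bytes)
    return [(full_path(records, r["recno"]), r["created"]) for r in records.values()
            if not r["in_use"] and not r["directory"] and r["name"].lower().endswith(suffix)]

T_EXFIL = datetime(2023, 9, 18, 23, 35, tzinfo=timezone.utc)
_OLD = T_EXFIL - timedelta(days=300)
SAMPLE_MFT = b"".join([   # constructed volume: the path from the post, one deleted archive in Temp
    build_record(40, "Users", 5, _OLD, True, directory=True),
    build_record(41, "jsmith", 40, _OLD, True, directory=True),
    build_record(42, "AppData", 41, _OLD, True, directory=True),
    build_record(43, "Local", 42, _OLD, True, directory=True),
    build_record(44, "Temp", 43, _OLD, True, directory=True),
    build_record(45, "staging_package_final.zip", 44, T_EXFIL, in_use=False),
    build_record(46, "still_here.txt", 44, T_EXFIL, in_use=True),
])
```

`deleted_files(open("/tmp/mft_raw", "rb").read(), ".zip")` is the programmatic version of the grep above. The fixup check is not decoration: a record that fails it was torn mid-write or has been partially overwritten, and its timestamps should not be trusted without that caveat.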

Carving from unallocated space

# foremost carves the whole image; to limit it to unallocated clusters, dump them first with
# the Sleuth Kit (blkls -o 2048 seized.img > /tmp/unalloc.raw) and point foremost at that file
sudo foremost -t zip -i seized.img -o /tmp/carved/

ls -lh /tmp/carved/zip/
# 00000000.zip  2.3M
# 00001234.zip  847K

unzip -l /tmp/carved/zip/00001234.zip
# Q3_financials.xlsx
# customer_database_export.csv
# flag.txt
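foremost's ZIP carving is header-to-footer matching: find `PK\x03\x04`, find the end-of-central-directory record that closes it, cut. The added example below (not from the post, not foremost's code) does the same on a constructed blob of unallocated space, with one refinement a practitioner wants: every candidate footer is validated by actually opening the archive and checking the CRCs, so a `PK\x05\x06` that happens to occur inside compressed data does not produce a truncated carve. The junk bytes, the archive contents and the flag string are constructed.

```python
import io
import random
import struct
import zipfile

LOCAL_HEADER = b"PK\x03\x04"   # start of every ZIP entry, and so of the archive itself
EOCD = b"PK\x05\x06"           # end-of-central-directory record: 22 bytes + optional comment


def _archive_end(data, start):
    """Find the EOCD that closes the archive beginning at `start`, validating each candidate
    so a stray PK\\x05\\x06 inside deflate data is skipped rather than trusted."""
    search = start
    while True:
        e = data.find(EOCD, search)
        if e < 0 or e + 22 > len(data):
            return None
        comment_len, = struct.unpack_from("<H", data, e + 20)
        end = e + 22 + comment_len
        try:
            with zipfile.ZipFile(io.BytesIO(data[start:end])) as z:
                if z.testzip() is None:          # every entry's CRC checks out
                    return end
        except Exception:                        # BadZipFile, truncated header, etc.
            pass
        search = e + 4


def carve_zips(data):
    """Header/footer carving for ZIP, the idea behind `foremost -t zip`."""
    found, pos = [], 0
    while (start := data.find(LOCAL_HEADER, pos)) >= 0:
        end = _archive_end(data, start)
        if end is None:
            pos = start + 4                      # orphaned or fragmented header: skip it
            continue
        found.append((start, bytes(data[start:end])))
        pos = end                                # do not re-carve the entries inside this archive
    return found


def entry_names(blob):
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return z.namelist()


def build_sample_disk():
    """Constructed unallocated space: one 'deleted' archive between two runs of junk.
    The junk never contains the byte 'P', so it cannot hold an accidental PK signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Q3_financials.xlsx", bytes(2048))
        z.writestr("customer_database_export.csv", "id,name\n1,alice\n" * 100)
        z.writestr("flag.txt", "HTB{constructed_sample_flag}")
    rnd = random.Random(1)
    alphabet = [b for b in range(256) if b != 0x50]
    junk = lambda n: bytes(rnd.choice(alphabet) for _ in range(n))
    return junk(5000) + buf.getvalue() + junk(3000)


if __name__ == "__main__":
    for offset, blob in carve_zips(build_sample_disk()):
        print(f"ZIP at offset {offset}: {entry_names(blob)}")
```

The validation step is also why a fragmented archive comes back as nothing rather than as garbage: if the clusters between header and footer are not contiguous on disk, no candidate passes `testzip()`, and the header is skipped. That is the failure mode to suspect when foremost reports a plausible size but `unzip -l` refuses the file.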

The decoy

The obvious staging archives on the Desktop were password-protected. Cracking them against rockyou took about 20 seconds, and they contained nothing useful: they were placed there to burn time. The real exfil package sat in Temp, had been deleted, and needed MFT analysis plus file carving to recover.

The tell that the Desktop archives were decoys: both had identical creation timestamps, to the second. Archives built by hand one after another end up with slightly different creation times, since each one is created as its contents are compressed and added. Identical creation timestamps across several archives are worth noting. They are not proof on their own, since a script can produce the same pattern, but they are a reason to look elsewhere before spending time on cracking.

What made this Medium rather than Easy

The MFT recovery step is what separates Easy from Medium here. Deleting a file on NTFS clears the in-use flag on its MFT record and marks its clusters free, but neither the record (with its name, parent and timestamps) nor the data is overwritten until that space is reused. Without knowing that, you hit a dead end once the staging directory looks empty. Deletion does not mean gone is a core DFIR concept, and this challenge tests it directly.