{"id":189,"date":"2025-12-30T09:00:00","date_gmt":"2025-12-30T09:00:00","guid":{"rendered":"http:\/\/justruss.tech\/index.php\/2023\/09\/19\/seized-htb-forensics-medium\/"},"modified":"2026-05-15T10:34:55","modified_gmt":"2026-05-15T10:34:55","slug":"seized-htb-forensics-medium","status":"publish","type":"post","link":"https:\/\/justruss.tech\/index.php\/2025\/12\/30\/seized-htb-forensics-medium\/","title":{"rendered":"Seized | HTB Forensics (Medium)"},"content":{"rendered":"<p>Seized is a Medium-rated HackTheBox forensics challenge built around a Windows disk image from a corporate workstation that was used to exfiltrate data. It tests MFT analysis, file carving, and the discipline not to be distracted by a deliberate decoy.<\/p>\n<h3>Initial triage<\/h3>\n<pre># mmls prints the partition layout; the NTFS volume starts at sector 2048,\n# hence the 512*2048 byte offset on the read-only loop mount\nmmls seized.img\nsudo mount -o ro,loop,offset=$((512*2048)) seized.img \/mnt\/seized\n\n# Profile files modified after ntoskrnl.exe (i.e. after the last OS servicing),\n# with the browser Low-integrity temp noise filtered out\nfind \/mnt\/seized\/Users -newer \/mnt\/seized\/Windows\/System32\/ntoskrnl.exe \\\n  -not -path \"*\/AppData\/Local\/Temp\/Low\/*\" 2&gt;\/dev\/null | sort<\/pre>\n<h3>Browser history<\/h3>\n<pre># Work on a copy of the SQLite database, not on the evidence file\ncp \"\/mnt\/seized\/Users\/jsmith\/AppData\/Local\/Google\/Chrome\/User Data\/Default\/History\" \/tmp\/\n\n# Chrome timestamps are microseconds since 1601-01-01 (WebKit epoch):\n# divide by 1e6 and subtract 11644473600 s to get Unix time\nsqlite3 \/tmp\/History \"\n  SELECT datetime(last_visit_time\/1000000-11644473600, 'unixepoch') AS t, url\n  FROM urls WHERE last_visit_time &gt; 0 ORDER BY t DESC LIMIT 30;\"\n\n# Returns:\n# 2023-09-18 23:41  https:\/\/www.dropbox.com\/upload\n# 2023-09-18 23:38  https:\/\/file.io\/\n# 2023-09-18 23:22  https:\/\/pastebin.com\/api\/api_post<\/pre>\n<h3>MFT analysis for deleted files<\/h3>\n<pre># $MFT is a hidden NTFS metadata file: a default ntfs-3g mount does not list it,\n# so either mount with -o show_sys_files or read MFT entry 0 straight from the image:\n#   icat -o 2048 seized.img 0 &gt; \/tmp\/mft_raw\nsudo cp \"\/mnt\/seized\/\$MFT\" \/tmp\/mft_raw\n\npip install analyzeMFT\nanalyzeMFT.py -f \/tmp\/mft_raw -o \/tmp\/mft.csv\n\n# Records timestamped 23:20-23:49 on the 18th whose name ends in .zip\ngrep \"2023-09-18 23:[2-4]\" \/tmp\/mft.csv | grep \"\.zip\"\n# Returns entries for staging_package_final.zip created at 23:35\n# Status: deleted, parent path C:\Users\jsmith\AppData\Local\Temp<\/pre>\n<h3>Carving from unallocated space<\/h3>\n<pre># foremost needs an empty (or absent) output directory; the audit.txt it writes\n# there records the image offset of every carved file\nsudo foremost -t zip -i seized.img -o \/tmp\/carved\/\n\nls -lh \/tmp\/carved\/zip\/\n# 00000000.zip  2.3M\n# 00001234.zip  847K\n\nunzip -l \/tmp\/carved\/zip\/00001234.zip\n# Q3_financials.xlsx\n# customer_database_export.csv\n# flag.txt<\/pre>\n<h3>The decoy<\/h3>\n<p>The obvious staging archives on the desktop were password-protected. Cracking them with rockyou took about 20 seconds, and they contained nothing useful: they were placed there deliberately to waste time. The real exfil package was in Temp, had been deleted, and needed MFT analysis and file carving to recover.<\/p>\n<p>The tell that the desktop archives were decoys: both were created in exactly the same second. Archives staged by hand would have slightly different creation times, since each one is compressed and written in turn. Identical creation timestamps on several archives are worth noting.<\/p>\n<h3>What made this Medium rather than Easy<\/h3>\n<p>The MFT recovery step is what separates Easy from Medium here. Without knowing that deleted files leave residue in the MFT and in unallocated clusters, you hit a dead end once the staging directory turns out to be empty. Deletion does not mean gone is a core DFIR concept, and this challenge tests it directly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A disk image challenge involving a Windows host used to exfiltrate data. The interesting part was figuring out which file was the payload and which was a decoy.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-189","post","type-post","status-publish","format-standard","hentry","category-hackthebox"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=189"}],"version-history":[{"count":3,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/189\/revisions"}],"predecessor-version":[{"id":261,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/189\/revisions\/261"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
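Worked example for the "MFT analysis for deleted files" step of the write-up above. This is an added illustration, not analyzeMFT and not code from the post: a minimal parser for raw $MFT records that undoes the update-sequence fixups, reads the resident $FILE_NAME attribute and reports which records carry the deleted state (in-use bit cleared while the name, parent reference and creation time are still present in the record). The two records it runs on are constructed inside the script; the record numbers (40, 41), the parent record (33) and the second file name are assumptions for the demo, not values taken from seized.img.

```python
"""Minimal $MFT walker for the 'deletion does not mean gone' step.
Added example; it is not analyzeMFT, and the records it parses are
constructed below rather than read from the challenge image."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024
SECTOR = 512
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x0001
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def apply_fixups(rec):
    """Undo update-sequence fixups: NTFS overwrites the last 2 bytes of every
    sector with the USN and parks the real bytes in the update sequence array."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        tail = i * SECTOR - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError("fixup mismatch in sector %d: torn or not a FILE record" % i)
        rec[tail:tail + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(rec):
    """Parse one 1024-byte FILE record; None for anything without the signature."""
    if rec[:4] != b"FILE":
        return None
    rec = apply_fixups(rec)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & FLAG_IN_USE), "name": None}
    off = first_attr
    while off + 8 <= RECORD_SIZE:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:      # resident only
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            parent_ref, created = struct.unpack_from("<QQ", body, 0)
            name_len, namespace = body[0x40], body[0x41]
            # Keep the Win32/POSIX name; namespace 2 is only the 8.3 DOS alias.
            if info["name"] is None or namespace != 2:
                info.update(name=body[0x42:0x42 + 2 * name_len].decode("utf-16-le"),
                            parent=parent_ref & 0xFFFFFFFFFFFF,   # low 48 bits
                            created=filetime_to_dt(created))
        off += alen
    return info


def walk_mft(data):
    """Yield every named FILE record in a raw $MFT dump, skipping torn ones."""
    for i in range(0, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        try:
            r = parse_record(data[i:i + RECORD_SIZE])
        except ValueError:
            continue
        if r and r["name"]:
            yield r


def deleted_with_suffix(data, suffix):
    """The analyst's question: which deleted records still carry a name like *.zip?"""
    return [r for r in walk_mft(data) if not r["in_use"] and r["name"].endswith(suffix)]


def build_record(record_no, name, parent, created, in_use):
    """Construct a synthetic FILE record with one resident $FILE_NAME attribute
    (demo data laid out per the NTFS on-disk format, not bytes from the image)."""
    ft = dt_to_filetime(created)
    body = (struct.pack("<QQQQQQQII", parent, ft, ft, ft, ft, 0, 0, 0, 0)
            + bytes([len(name), 1]) + name.encode("utf-16-le"))   # namespace 1 = Win32
    attr_len = (0x18 + len(body) + 7) & ~7
    attr = (struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, attr_len, 0, 0, 0x18, 0, 0,
                        len(body), 0x18, 1, 0) + body).ljust(attr_len, b"\0")
    # usa_off=0x30, usa_count=3 (USN + one entry per sector), first attribute at 0x38
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38,
                                FLAG_IN_USE if in_use else 0, 0x38 + attr_len + 4,
                                RECORD_SIZE, 0, 2, 0, record_no)
    usa = b"\x37\x13" + b"\0\0" * 2        # USN 0x1337; the bytes it overwrote are zero
    rec = bytearray((hdr + usa).ljust(0x38, b"\0") + attr + struct.pack("<I", ATTR_END))
    rec = rec.ljust(RECORD_SIZE, b"\0")
    for s in range(1, 3):                  # stamp the USN over each sector's last 2 bytes
        rec[s * SECTOR - 2:s * SECTOR] = usa[:2]
    return bytes(rec)


# Constructed two-record $MFT: the deleted staging archive plus one live file.
SAMPLE_MFT = (
    build_record(40, "staging_package_final.zip", 33,
                 datetime(2023, 9, 18, 23, 35, tzinfo=timezone.utc), in_use=False)
    + build_record(41, "notes.txt", 33,
                   datetime(2023, 9, 18, 22, 10, tzinfo=timezone.utc), in_use=True)
)

if __name__ == "__main__":
    for r in deleted_with_suffix(SAMPLE_MFT, ".zip"):
        print(r["record"], r["name"], "parent=%d" % r["parent"], r["created"].isoformat())
```

On a real dump (`icat -o 2048 seized.img 0`, or the `cp` from the write-up) pass the file contents to `deleted_with_suffix`; the `parent` record number resolves to a path by walking the same records upward, which analyzeMFT does for you. Non-resident or multi-record entries are out of scope here and simply yield no name.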
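Worked example for the "Carving from unallocated space" step of the write-up above, added here and not part of the post (it is not foremost): a signature-based zip carver that pairs each PK 03 04 local-file-header hit with a following end-of-central-directory record and keeps only candidates that `zipfile` can open from their first byte, so a stray PK signature inside unrelated data is rejected instead of being reported as a damaged archive. The image it scans is constructed in memory: random filler around a small archive that reuses the member names from the write-up, with placeholder contents.

```python
"""Signature-based zip carver. Added example, not foremost; the 'image' is
built in memory (filler, a stray local-header signature, the real archive,
more filler) rather than read from seized.img."""
import io
import random
import zipfile
import zlib

PK_LOCAL = b"PK\x03\x04"   # local file header: where an archive starts
PK_EOCD = b"PK\x05\x06"    # end of central directory: 22 bytes + optional comment
EOCD_LEN = 22


def try_open(blob):
    """Return [(name, size), ...] if blob is a complete archive starting at byte 0."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            infos = zf.infolist()
            # zipfile tolerates prepended data (self-extractors); if the first local
            # header is not at offset 0 the archive starts later and this PK was a stray.
            if not infos or min(i.header_offset for i in infos) != 0:
                return None
            if zf.testzip() is not None:      # a member fails its CRC: truncated/corrupt
                return None
            return [(i.filename, i.file_size) for i in infos]
    except (zipfile.BadZipFile, zlib.error, OSError, ValueError, EOFError, RuntimeError):
        return None                           # junk that merely looked like a zip


def carve_zips(image):
    """Return [(start, end, members)] for every valid archive in the image bytes."""
    found = []
    start = image.find(PK_LOCAL)
    while start != -1:
        members = end = None
        eocd = image.find(PK_EOCD, start)
        while eocd != -1 and members is None:
            comment_len = int.from_bytes(image[eocd + 20:eocd + 22], "little")
            end = eocd + EOCD_LEN + comment_len
            members = try_open(image[start:end])
            eocd = image.find(PK_EOCD, eocd + 1)   # maybe a stray EOCD; try the next
        if members:
            found.append((start, end, members))
            start = image.find(PK_LOCAL, end)      # skip the hit's own inner headers
        else:
            start = image.find(PK_LOCAL, start + 1)
    return found


def build_sample_image(seed=1234):
    """Constructed stand-in for unallocated clusters. Returns (image, archive)."""
    rnd = random.Random(seed)

    def filler(n):
        # Random bytes with any accidental 'PK' removed, so only our signatures count.
        return bytes(rnd.getrandbits(8) for _ in range(n)).replace(b"PK", b"pk")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Q3_financials.xlsx", b"\x00" * 2048)
        zf.writestr("customer_database_export.csv", b"id,name\n1,example\n" * 50)
        zf.writestr("flag.txt", b"placeholder, not the challenge flag")
    archive = buf.getvalue()
    image = filler(3000) + PK_LOCAL + filler(500) + archive + filler(2000)
    return image, archive


if __name__ == "__main__":
    image, _ = build_sample_image()
    for start, end, members in carve_zips(image):
        print("archive at offset %d-%d:" % (start, end))
        for name, size in members:
            print("  %-32s %6d bytes" % (name, size))
```

For a real image, map the file with `mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)` and pass that in; `find` and slicing work the same on an mmap, so the image is never read into memory whole. The offsets returned are what foremost records in audit.txt, and each `image[start:end]` slice is the carved file.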