# Season V, US Cyber Open 2025
This writeup covers digital forensics challenges solved as part of a CTF training under the US Cyber Games initiative. Each challenge explored different aspects of filesystem analysis, file recovery, artifact investigation, and document decryption. Below is a detailed walkthrough of each challenge, the techniques used, and how the flags were successfully retrieved.
# 1. Deleted
You were recovering a deleted file needed by the US Cyber Games admins for Season 5. The file was created by a graphic artist and needed by Brad and Jessica.
Given the file, let's check its type:

The image provided is named `SVUSCG.dd-001.001`, identified as an NTFS disk image.
Now let's mount the image into our local file system:

The image contains various types of files and folders.

After inspecting the contents, no relevant user files were immediately visible.
Observing this, I decided to carve deleted files by type using `foremost`:
`foremost -i SVUSCG.dd-001.001 -o recovered`

The deleted files were successfully recovered.

The challenge description mentioned that the file was created by a graphic artist, so I directly explored the `jpg` and `png` directories. Starting with `jpg`:

Upon visually inspecting the recovered images, the last one contained the flag.

Finally, we have our flag:
**`SVUSCG{FILE_DELETE_2025}`**
# 2. Logged
One of the US Cyber Games administrators forgot their password to the FTP Server a lot of times. How many times did they forget it according to the IIS Windows log file?
The flag format is **`SVUSCG{<number>}`**
We are provided with a file named `ex250604.log`:

So the objective here is to count the number of failed FTP password attempts (which show as `PASS` with status `530` in the IIS log). Using `grep` and `wc`, we can run the following command to filter and count the relevant lines: **`grep -a "PASS" ex250604.log | grep "530" | wc -l`**

The command tells us how many times the password was entered incorrectly.
Flag: **`SVUSCG{306737}`**
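
The `grep` pipeline above matches `PASS` and `530` anywhere on a line, so a path, address or byte count containing those strings is counted as well. The added example below (not part of the original writeup) reads the `#Fields:` header and compares the `cs-method` and `sc-status` columns instead; the field layout, the `[n]` session prefix and the sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the writeup): field-aware count of failed FTP logins.

# ftp_failed_logins FILE [by_ip]
#   default: print the number of PASS commands answered with status 530
#   by_ip:   print "<count> <c-ip>" per client, busiest first
ftp_failed_logins() {
    LC_ALL=C awk -v mode="${2:-total}" '
        { sub(/\r$/, "") }                    # IIS logs use CRLF line endings
        /^#Fields:/ {                         # header names the columns
            split("", col)
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            next
        }
        /^#/ { next }                         # skip other directives
        !("cs-method" in col) || !("sc-status" in col) { next }
        {
            method = $(col["cs-method"])
            sub(/^\[[0-9]+\]/, "", method)    # assumed "[session]" prefix
            if (toupper(method) != "PASS" || $(col["sc-status"]) != "530") next
            total++
            if ("c-ip" in col) by_ip[$(col["c-ip"])]++
        }
        END {
            if (mode == "by_ip") {
                for (ip in by_ip) print by_ip[ip], ip
            } else print total + 0
        }
    ' "$1" | sort -rn
}

# Constructed sample log; layout and values are assumptions, not challenge data.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
00:00:01 192.0.2.10 [1]USER admin 331 0
00:00:02 192.0.2.10 [1]PASS - 530 1326
00:00:06 192.0.2.10 [2]PASS - 530 1326
00:01:11 198.51.100.7 [3]PASS - 530 1326
00:02:01 2001:db8::530 [4]PASS - 230 0
00:03:00 192.0.2.10 [5]CWD /PASSPORTS 530 0
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_log)
ftp_failed_logins "$sample"
ftp_failed_logins "$sample" by_ip
rm -f "$sample"
```

On the constructed sample the last two lines contain both `PASS` and `530` without being failed logins, which is the case the column comparison excludes. The `by_ip` mode shows which clients produced the failures.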
# 3. Historical Fiction
One of the US Cyber Games administrators is an avid reader and one of the coaches suggested that she gets a book to learn more about cybersecurity. They can’t remember what the title of the book or that ISBN was but if you examine their Chrome History, you can find the flag which is the book’s ISBN number. It is important to note that they won’t buy a hard cover book or a kindle edition, just the paperback one.
Flag Format: **`SVUSCG{ISBN}`**
We are given a compressed file named **`Google.7z`**. After extracting it:

To find the `ISBN` from the Chrome history (which is stored in an **`SQLite`** database called **History**), we need to locate the History SQLite database file inside the profile folder, likely **`Default`**.
Let's navigate to the directory and inspect it:

We have successfully located the `History` database file. Now we can query the URLs and titles to find book-related visits by running this command:
`sqlite3 History "SELECT url, title FROM urls WHERE url LIKE '%book%' OR title LIKE '%book%' ORDER BY last_visit_time DESC LIMIT 30;"`

As we know, an International Standard Book Number (ISBN) is a **`13-digit`** number, so from the output we can clearly see the ISBN.
Flag: **`SVUSCG{9781032818535}`**
# 4. Just Look At It
A user left traces of the flag in an image that appeared clean. Required careful digging.
We start by inspecting the file type:

It's a standard JPEG file, so we use `stegseek` to scan for any embedded files or messages.

Boom!!! The password-protected file was successfully cracked, and the hidden `flag.txt` was extracted!

Let's now `cat` the file:

We have successfully got the flag:
**`SVUSCG{l00k_4t_th1s_gr44444444444ph}`**
**Thanks for following along. Until next time!**