One of our clients has reported that they might have been compromised and they don’t know how this happened; we have dumped everything, including USB traffic. Can you look at it and find out how our client got the virus in the first place?
We can download a zip file. If we unpack it, there is the file
This file we can open with Wireshark, where we see captured USB traffic.
To handle the nearly 2000 packets, we can sort them by the “Length” column.
This way we first find some hardware information that does not seem to contain anything interesting. The 15 same-sized system information packets are not helpful either.
But after that there is also a PNG file, which we can identify by the “PNG” string in its header. We can export this packet’s payload as a file and see that it is an image of a QR code.
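The same step can be done without clicking through Wireshark. The script below is an added example, not part of the original writeup: it walks the records of a classic libpcap file, looks in every packet for the PNG signature, and carves out exactly one image by following the PNG chunk chain up to IEND (so a stray signature without a valid chunk structure, or an image that continues in another packet, is not mistaken for a complete file). The sample pcap it builds in memory, with a zero-filled 64-byte usbmon-style header and a 1x1 PNG, is constructed for the demonstration; pcapng files are not parsed.

```python
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PCAP_GLOBAL_HEADER_LEN = 24
PCAP_RECORD_HEADER_LEN = 16


def iter_pcap_records(data: bytes):
    """Yield the raw bytes of each packet in a classic libpcap file (pcapng is not handled)."""
    magics = {
        b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
        b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond timestamps
    }
    endian = magics.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = PCAP_GLOBAL_HEADER_LEN
    while off + PCAP_RECORD_HEADER_LEN <= len(data):
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + PCAP_RECORD_HEADER_LEN])
        off += PCAP_RECORD_HEADER_LEN
        yield data[off:off + incl_len]
        off += incl_len


def carve_png(blob: bytes):
    """Return the first complete PNG (signature through IEND) inside blob, or None."""
    start = blob.find(PNG_SIG)
    if start < 0:
        return None
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # header + data + CRC
        if chunk_end > len(blob):
            return None                           # truncated: image continues elsewhere
        pos = chunk_end
        if ctype == b"IEND":
            return blob[start:pos]
    return None


def find_pngs(pcap: bytes):
    """Return [(packet_index, png_bytes)] for every packet that carries a whole PNG."""
    return [(i, png) for i, pkt in enumerate(iter_pcap_records(pcap))
            if (png := carve_png(pkt)) is not None]


# --- constructed sample data for a stand-alone run ---------------------------
def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_test_png() -> bytes:
    """A valid 1x1 RGB PNG (constructed, not from the challenge)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")     # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def make_test_pcap(payload: bytes) -> bytes:
    """Little-endian pcap with link type 220 (LINKTYPE_USB_LINUX_MMAPPED, 64-byte usbmon header).
    The usbmon header is zero-filled here; only the payload matters for carving."""
    glob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 220)
    noise = struct.pack("<IIII", 0, 0, 8, 8) + b"\x00" * 8   # a packet with no image
    pkt = b"\x00" * 64 + payload
    rec = struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return glob + noise + rec + noise


if __name__ == "__main__":
    # Usage: python carve_png.py capture.pcap   (without an argument, the built-in sample is used)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_test_pcap(make_test_png())
    for idx, png in find_pngs(data):
        out = f"carved_{idx}.png"
        with open(out, "wb") as f:
            f.write(png)
        print(f"packet {idx}: {len(png)} bytes -> {out}")
```

Sorting by length in Wireshark finds this particular image because it fits in one USB transfer; if a file were split across several transfers, the payloads (everything after the usbmon header) would have to be concatenated in capture order before `carve_png` could see the whole chunk chain.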
If we scan it, we get the flag: