Forem: Shirley Mali

Symmetric vs Asymmetric Encryption — Lessons from the Field

Shirley Mali — Mon, 28 Jul 2025 20:54:50 +0000

One of the trickiest questions in my Security+ exam wasn’t about tools or firewalls — it was about cryptography. And honestly? It caught me off guard.

Let’s talk about two foundational pillars of encryption: symmetric and asymmetric cryptography — and why understanding them matters far beyond exams.

🔁 Symmetric Encryption: The One-Key Wonder

Symmetric encryption uses a single key to both encrypt and decrypt data.

🧠 How It Works:

Sender encrypts the message using a shared key.
Receiver uses the same key to decrypt it.

Think of it like a house key — both people need an identical copy to get in.

✅ Use Cases:

Encrypting stored data (e.g., full-disk encryption)
VPN tunnels (often use AES)
Secure backups

💡 Common Algorithms:

AES (Advanced Encryption Standard)
DES (Data Encryption Standard)
Blowfish

⚠️ Downsides:

You need to securely share the key beforehand.
If someone intercepts the key, game over.

🔐 Asymmetric Encryption: The Key Pair Dance

Asymmetric encryption uses two keys — a public key for encryption and a private key for decryption.

🧠 How It Works:

Sender encrypts data using recipient’s public key.
Only the private key can decrypt it.

Think of it like a mailbox — anyone can drop in a message (public key), but only the owner can unlock it (private key).

✅ Use Cases:

Secure email (e.g., PGP, GPG)
Digital signatures
TLS/SSL handshakes
SSH authentication

💡 Common Algorithms:

RSA
ECC (Elliptic Curve Cryptography)
DSA

⚠️ Downsides:

Slower than symmetric encryption
More computational overhead

🧪 A Real-World Scenario: Ransomware Simulation

During a lab project simulating a ransomware attack, I used symmetric AES to encrypt a victim's files — fast and brutal.

But to safely share the decryption key with the "SOC team," I wrapped it in RSA public key encryption.

👉 Hybrid encryption is common:

Symmetric key encrypts the data (fast)
Asymmetric key encrypts the symmetric key (secure)

🔏 Bonus: Digital Signatures

Another brilliant application of asymmetric crypto is digital signatures. Here’s how:

You hash the message.
You sign the hash using your private key.
The recipient uses your public key to verify the signature.

✅ Ensures authenticity, integrity, and non-repudiation.

🛡️ Lessons for Every Cybersecurity Learner

Encryption isn’t just “security fluff” — it’s math that protects people and systems.
You don’t have to be a cryptographer to understand how to apply it effectively.
Think like an attacker: If you don’t know how your crypto works, they will.

🗨️ What About You?

Have you used encryption in your own projects?
Got tripped up by crypto concepts during an exam or job interview?
Curious how to use asymmetric keys in tools like GPG or OpenSSL?

Let’s chat below 💬 or connect on LinkedIn!

🧠 Want to Learn More?

📌 I’m currently exploring SOC analyst workflows and building cyber labs for practice. If you're doing something similar or hiring — let’s talk!

Symmetric vs Asymmetric Encryption — Lessons from the Field

Shirley Mali — Mon, 28 Jul 2025 20:54:50 +0000

One of the trickiest questions in my Security+ exam wasn’t about tools or firewalls — it was about cryptography. And honestly? It caught me off guard.

Let’s talk about two foundational pillars of encryption: symmetric and asymmetric cryptography — and why understanding them matters far beyond exams.

🔁 Symmetric Encryption: The One-Key Wonder

Symmetric encryption uses a single key to both encrypt and decrypt data.

🧠 How It Works:

Sender encrypts the message using a shared key.
Receiver uses the same key to decrypt it.

Think of it like a house key — both people need an identical copy to get in.

✅ Use Cases:

Encrypting stored data (e.g., full-disk encryption)
VPN tunnels (often use AES)
Secure backups

💡 Common Algorithms:

AES (Advanced Encryption Standard)
DES (Data Encryption Standard)
Blowfish

⚠️ Downsides:

You need to securely share the key beforehand.
If someone intercepts the key, game over.

🔐 Asymmetric Encryption: The Key Pair Dance

Asymmetric encryption uses two keys — a public key for encryption and a private key for decryption.

🧠 How It Works:

Sender encrypts data using recipient’s public key.
Only the private key can decrypt it.

Think of it like a mailbox — anyone can drop in a message (public key), but only the owner can unlock it (private key).

✅ Use Cases:

Secure email (e.g., PGP, GPG)
Digital signatures
TLS/SSL handshakes
SSH authentication

💡 Common Algorithms:

RSA
ECC (Elliptic Curve Cryptography)
DSA

⚠️ Downsides:

Slower than symmetric encryption
More computational overhead

🧪 A Real-World Scenario: Ransomware Simulation

During a lab project simulating a ransomware attack, I used symmetric AES to encrypt a victim's files — fast and brutal.

But to safely share the decryption key with the "SOC team," I wrapped it in RSA public key encryption.

👉 Hybrid encryption is common:

Symmetric key encrypts the data (fast)
Asymmetric key encrypts the symmetric key (secure)

🔏 Bonus: Digital Signatures

Another brilliant application of asymmetric crypto is digital signatures. Here’s how:

You hash the message.
You sign the hash using your private key.
The recipient uses your public key to verify the signature.

✅ Ensures authenticity, integrity, and non-repudiation.

🛡️ Lessons for Every Cybersecurity Learner

Encryption isn’t just “security fluff” — it’s math that protects people and systems.
You don’t have to be a cryptographer to understand how to apply it effectively.
Think like an attacker: If you don’t know how your crypto works, they will.

🗨️ What About You?

Have you used encryption in your own projects?
Got tripped up by crypto concepts during an exam or job interview?
Curious how to use asymmetric keys in tools like GPG or OpenSSL?

Let’s chat below 💬 or connect on LinkedIn!

🧠 Want to Learn More?

📌 I’m currently exploring SOC analyst workflows and building cyber labs for practice. If you're doing something similar or hiring — let’s talk!

Recovering a Flag from an RDP Cache

Shirley Mali — Wed, 09 Jul 2025 14:47:37 +0000

Description: Learn how I solved the Job Interview challenge on Root-Me by converting an EnCase image, detecting hidden archives, and uncovering sensitive RDP cache screenshots using open-source tools.

🧠 Root-Me Forensics Challenge: Job Interview

The “Job Interview” challenge from Root-Me's Forensic section is an exciting test of your ability to work with forensic images and uncover hidden artifacts.

In this walkthrough, I’ll show how I:

Extracted a hidden archive from a forensic .E01 image
Identified and unpacked an RDP bitmap cache
Analyzed screenshots for sensitive information
Ultimately recovered the flag

🧰 Tools I Used

Tool	Use Case
`ewfexport`	Convert EnCase `.E01` image to `.raw`
`file`, `tar`	Identify file types and extract archives
`bmc-tools`	Decode `.bmc` RDP bitmap cache
`eog`	View extracted `.bmp` screenshots
`binwalk` (optional)	Analyze file internals for signatures

🪪 Step 1: Convert .E01 to .raw

The challenge provides an EnCase image file: image_forensic.e01. This needs to be converted into a raw binary format.

Use the following command:

ewfexport image_forensic

When prompted, input the following:

Export format: raw
Target path and filename: image
Segment size: (just press Enter for default)

This will generate:

image.raw

⚠️ Don't add the .e01 again — the tool detects it automatically.

🔍 Step 2: Investigate the File Type

Now, don’t just assume that image.raw is a true raw disk image. Use the file command:

file image.raw

Output:

image.raw: POSIX tar archive (GNU)

🎯 It’s not a disk image — it’s a .tar archive disguised with a .raw extension.

📦 Step 3: Extract the Archive

Unpack the tar file:

tar -xvf image.raw

This extracts:

bcache24.bmc

🧠 Step 4: What Is a .bmc File?

.bmc files are bitmap cache files used by Windows Remote Desktop Protocol (RDP).

These files contain screen fragments cached during an RDP session. They can reveal:

Screenshots of documents
Passwords or flags displayed
Session activity logs

Since this format is not natively supported, we’ll use an open-source Python tool called bmc-tools.

🛠️ Step 5: Extract .bmp Screenshots Using bmc-tools

5.1 Clone the Repository

git clone https://github.com/ANSSI-FR/bmc-tools.git
cd bmc-tools

5.2 Create Output Directory

mkdir ../bcache24bmc

5.3 Run the Tool

./bmc-tools.py -s ../bcache24.bmc -d ../bcache24bmc/ -v

-s:Source .bmc file
-d: Output directory for .bmp files
-v: Verbose mode

This creates .bmp images in the output folder.

🖼️ Step 6: Review the Extracted Screenshots

To browse the extracted screenshots:

eog ../bcache24bmc/*.bmp

Manually inspecting the images reveals three screenshots:

- Yeah (RdP)

this is the (l3av3s_Tra)
flag (c3s)_

🏁 Final Flag

RdP_l3av3s_Trac3S

🎉 This is the flag displayed in three of the RDP session screenshots!

🧠 Forensic Takeaways

Always use file to verify content types
Don't trust extensions — .raw can be .tar
RDP .bmc files can leak visual data from remote sessions
Screenshots are evidence, even if they’re fragments
Open-source tools like bmc-tools are vital in DFIR work

📋 Summary of Commands

Step 1: Convert E01 to raw

ewfexport image_forensic

Step 2: Inspect the file type

file image.raw

Step 3: Extract tar archive

tar -xvf image.raw

Step 4: Clone BMC tools and set up

git clone https://github.com/ANSSI-FR/bmc-tools.git
cd bmc-tools
mkdir ../bcache24bmc

Step 5: Decode bitmap cache

./bmc-tools.py -s ../bcache24.bmc -d ../bcache24bmc/ -v

Step 6: View extracted images

eog ../bcache24bmc/*.bmp

🙌 Let’s Connect
If this write-up helped or inspired you:

💻 GitHub:
🔗 LinkedIn:

✍️ Follow me on Dev.to for more CTF and DFIR content

Thanks for reading — and happy hunting! 🧩🕵️‍♀️

🕵🏽‍♀️ Uncovering the Unseen: My Digital Forensics Journey with Deleted File Recovery

Shirley Mali — Tue, 08 Jul 2025 11:48:02 +0000

🌐Introduction

In the ever-evolving world of cybersecurity, one truth stands strong: attackers will try to hide their tracks — often by deleting files, logs, or data traces.

But deletion doesn’t mean destruction.

That's where digital forensics steps in. And in my latest project, I dove headfirst into a hands-on recovery scenario that challenged me to retrieve deleted files from a compressed archive. The result? A deeper appreciation — and, frankly, an obsession — with the art of uncovering what isn't meant to be found.

This post walks you through the full process, tools used, the learning outcomes, and why this kind of project is so critical in modern cybersecurity.

🚀 Background: From Burnout to Obsession
Since March 2025, I took a break from being active to focus on two big things:

🧠 Studying for the CompTIA CySA+ certification
🛌 Recovering from a bout of sickness that forced me to slow down

That downtime turned into something powerful: I began immersing myself in digital forensics — and this project marks the beginning of my practical journey.

💼 The Challenge: Recovering a Deleted File
The project was inspired by a Root Me forensics challenge, where you're given a .gz file — and that's it.

The objective?
➡️ Recover a deleted file that was hidden inside.

Sounds simple?

Not when you realize:

The original file was compressed
Then renamed
And the actual content inside had been deleted
You don’t know the file type, structure, or extension

This challenge forced me to think like a forensic investigator: follow the breadcrumbs, verify every assumption, and carve through digital noise.

🧰 Tools Used

Tool	Purpose
`gunzip`	Decompress the `.gz` archive
`mv`	Rename and prepare the archive for extraction
`tar`	Extract archived files
`file`	Identify file types
Foremost	File carving: recover deleted files based on known signatures

🛠️ Step-by-Step Walkthrough

1️⃣ Decompress the .gz Archive

gunzip ch39.gz

This gave me a single file named ch39, with no extension. That hinted it might be a tarball — just renamed.

2️⃣ Rename and Extract the Archive

mv ch39 ch39.tar
tar -xvf ch39.tar

This revealed a single suspicious file. I ran file on it:

file usb.image

But even this didn’t give me clarity. That’s when I turned to Foremost.

3️⃣ File Carving with Foremost

Foremost is a digital forensics tool that searches raw data for file headers and footers to reconstruct files — even if they’re “deleted.”

foremost -i usb.image -o output/

This carved out audit.txt & png. I then opened each recovered file, cross-checked the structure and content, and finally uncovered the flagged file — the one that had been deliberately deleted and hidden.

💡 Lessons Learned

File carving is essential when metadata is gone or tampered with.
Command-line forensics is powerful and foundational for incident response.
Even simple challenges can simulate real-world attacker behavior (e.g., renaming, compressing, deleting).
Foremost is a must-know tool for any digital forensics beginner.

_Why Digital Forensics Matters Now More Than Ever

With advanced attackers and insider threats rising, digital forensics plays a critical role in:

🔓 Incident response
📁 Legal & compliance investigations
🔍 Threat hunting
🔄 Root cause analysis

The ability to recover deleted or obfuscated files often makes the difference between knowing how a breach occurred — or staying in the dark.

💙 My Growing Obsession
This project reminded me that digital forensics is more than a skill — it's a mindset.

🕵🏽‍♀️ It’s about thinking like an investigator.
🧠 It’s about asking “what’s missing?”
🧩 It’s about piecing together broken data until the story becomes clear.

As someone pursuing a career in blue teaming and security operations, this project confirmed that forensics is where my passion lies — and where I’m investing even more time going forward.

📂 Full Project on GitHub

You can find the complete project (with detailed bash commands, recovery steps, and file carving output) here:

👉 Deleted File Recovery GitHub Repo

🗣️ Let’s Connect
If you’re:

Exploring cybersecurity
Studying for CySA+ or Security+
Interested in digital forensics and incident response

…then let’s connect here on Dev.to, or on LinkedIn. I’d love to exchange insights and support each other’s growth.