2014 CSAW Qualifying CTF - Forensics 200 A

Written by: Justin G.

For this challenge, knowing how to move about in Wireshark is pretty vital. After opening up traffic-5.pcap, the first thing I did was filter for ftp traffic. After filtering, I saw that there was a successful login using the username forensics, so I felt like I was on the right track. It then appears that a file called /files/file.zip was downloaded. I think I want that file.

After clearing my filter, I right-clicked on one of the FTP-DATA packets and followed the TCP stream. Then I saved off that stream and called it file.zip. After unzipping the file, I had a file called flag.png. I guess I should probably open it.
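The "Follow TCP Stream, save, unzip" steps above can also be scripted when a capture has to be triaged without the GUI. The following is an added example, not part of the original writeup: the function names are hypothetical, and it assumes a classic pcap file (not pcapng) with Ethernet/IPv4 framing, no sequence-number wrap-around and no missing segments.

```python
import io
import struct
import zipfile

def tcp_streams(pcap: bytes) -> dict:
    """Reassemble TCP payload per direction from a classic pcap (Ethernet + IPv4)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    segments, off = {}, 24                      # skip the 24-byte global header
    while off + 16 <= len(pcap):
        (incl_len,) = struct.unpack(endian + "I", pcap[off + 8:off + 12])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                            # keep IPv4/TCP frames only
        ihl = (frame[14] & 0x0F) * 4
        (total_len,) = struct.unpack(">H", frame[16:18])
        ip = frame[14:14 + total_len]           # drops Ethernet padding
        tcp = ip[ihl:]
        if len(tcp) < 20:
            continue                            # truncated by the capture snaplen
        sport, dport, seq = struct.unpack(">HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            key = (ip[12:16], sport, ip[16:20], dport)
            # The first copy of a sequence number wins; exact retransmissions are dropped.
            segments.setdefault(key, {}).setdefault(seq, payload)
    return {key: _join(by_seq) for key, by_seq in segments.items()}

def _join(by_seq: dict) -> bytes:
    """Order segments by sequence number and trim partially overlapping data."""
    out, nxt = bytearray(), None
    for seq in sorted(by_seq):
        data, end = by_seq[seq], seq + len(by_seq[seq])
        if nxt is not None and seq < nxt:
            data = data[nxt - seq:]             # bytes already emitted
        out += data
        nxt = end if nxt is None else max(nxt, end)
    return bytes(out)

def carve_zip_members(pcap: bytes) -> dict:
    """Return {member name: bytes} for every stream that is a complete ZIP."""
    found = {}
    for data in tcp_streams(pcap).values():
        if data.startswith(b"PK\x03\x04") and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for name in archive.namelist():
                    found[name] = archive.read(name)  # kept in memory, not written to disk
    return found
```

Calling carve_zip_members on the raw bytes of a capture returns the archive members found in any FTP-DATA stream that carried a whole ZIP, which is the same result as saving the followed stream as file.zip and unzipping it.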