TryHackMe: “Security Footage” CTF Challenge Writeup
A teammate uploads a pcap file to the CTF channel; JPEG images are extracted with foremost and a hidden flag is found. 2025-6-14 07:55:16 Author: infosecwriteups.com

Monday, 23:47.
A teammate drops a single file in our CTF channel:

security-footage-1648933966395.pcap

My pulse spikes.
No login creds, no docs, just 44 MB of raw network noise.
Perfect.

Cold Start, Hot Trail

Most people would double-click.
I right-click and drop straight into the terminal.
No GUI distractions. Just me, the packets, and the weight of silence in the room.
One tool comes to mind — a relic from the forensic underworld.

The First Cut

This isn’t your average PCAP. I’m betting on MJPEG.
IP cameras are chatty. They love to spit out JPEGs one frame at a time.

So I go in clean:

foremost -i security-footage-1648933966395.pcap -o extracted/

Foremost version 1.5.7
Start: Tue May 13 05:01:07 2025
File: security-footage-1648933966395.pcap

jpg:= 541

I crack open the extracted/jpeg/ folder.

It’s all there — the ghosts of a security feed, flickering like memories pulled from a coma.

One frame at a time.
I write a quick loop to preview them, faster than flipping pages in a flipbook:

for img in *.jpg; do feh "$img"; sleep 0.1; done

The images play.
Motion returns.
A shape. A shadow. A flicker of —

Wait.

Frame 229.
Dead center of the shot.

A whiteboard.
And on it — scrawled in marker like it was meant to be found by someone just like me:

flag{5ebf457ea66*********************}

🎯 Challenge Complete.
🖤 Forensics Forever.
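
The header/footer carving idea behind the foremost step above, as an added Python example that is not part of the original writeup and is not foremost's own code: it scans a byte blob for JPEG start-of-image and end-of-image markers and returns each span. The `fake_frame` and `sample_stream` helpers and the `--frame` boundary are constructed sample input so the block runs without the challenge file.

```python
import sys
from pathlib import Path

SOI = b"\xff\xd8\xff"  # start-of-image plus the first byte of the next marker
EOI = b"\xff\xd9"      # end-of-image

def carve_jpegs(blob, max_size=10 * 1024 * 1024):
    """Return [(offset, frame_bytes)] for each SOI..EOI span in blob."""
    frames, pos = [], 0
    while (start := blob.find(SOI, pos)) != -1:
        end = blob.find(EOI, start + len(SOI))
        if end == -1:
            break                      # last frame was cut off by the capture
        end += len(EOI)
        if end - start > max_size:
            pos = start + 1            # implausible span: skip this header
            continue
        frames.append((start, blob[start:end]))
        pos = end
    return frames

def fake_frame(body):
    """Constructed stand-in for a JPEG: SOI, JFIF APP0 segment, body, EOI."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + body + EOI

def sample_stream():
    """Constructed MJPEG-over-HTTP style bytes: two whole frames, one truncated."""
    part = b"--frame\r\nContent-Type: image/jpeg\r\n\r\n"
    return (part + fake_frame(b"frame-one") + b"\r\n" +
            part + fake_frame(b"frame-two") + b"\r\n" +
            part + fake_frame(b"frame-three")[:-5])

if __name__ == "__main__":
    # With a path argument, carve that file; otherwise use the constructed sample.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else sample_stream()
    for n, (off, frame) in enumerate(carve_jpegs(data)):
        print(f"frame {n:04d} offset={off} size={len(frame)}")
```

Run against a raw pcap, a frame that spans several packets is carved with the capture's per-packet headers embedded in it, so some damaged frames are expected. Reassembling the TCP stream before carving avoids that.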


Article source: https://infosecwriteups.com/tryhackme-security-footage-ctf-challenge-writeup-e9b451cded7e?source=rss----7b722bfd1b8d---4