Cyprus CyberSecurity Challenge 2018: L3ave no Flag behind#MainFlag

Tags: forensics

Forensics?! A category where my knowledge is very limited. But now was the time to finally face it.

From the description I knew that I would have to deal with an NTFS image. So before starting the challenge I did a bit of research and ended up with Autopsy, an open source, end-to-end digital forensics platform built on top of The Sleuth Kit.

In the next section I will show how I configured Autopsy and extracted the deleted file.

Description

"Our team has acquired forensic images of 2 devices belonging to a suspect. You have been tasked to perform a forensic investigation and discover the 3 Flags hidden within them. The flags are of the format CTF{long_phrase} and each carries a number of points. Submit any flags that you discover to receive the points and increase your score. Download the images from the following location: https://www.dropbox.com/s/hqdh3yp5gbdd9a3/L3ave_no_Flag_behind.zip The first flag for this challenge is found where files go to be deleted in the NTFS image. Paste the flag below"

Solution

First I set up Autopsy by creating a new case, so it was ready to load the NTFS image.

Then I added the NTFS image as a data source and let the ingest modules run.

At this point everything was set up to start our investigation. From the description we know that the first flag for this challenge is found where files go to be deleted in the NTFS image.

So I navigated to the Recycle Bin. On Windows Vista and later this is the hidden `$Recycle.Bin` folder at the root of the volume, with one subfolder per user SID; each deleted file is stored there as a `$R<random>.<ext>` file holding the original content, paired with a small `$I<random>.<ext>` file holding the original path, size and deletion time. Autopsy parses the `$I` records and shows the deleted files under their original names.

And, as expected, the flag was in the Recycle Bin, inside a JPG image.

CTF{Yippie_Ki_Yay_MTHFR}
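Autopsy does the `$I` parsing for you, but it is worth knowing what it reads, because it is how the original file name and deletion time are recovered when the `$R` file itself has been renamed to something random. The following parser is an added example, not part of the original writeup or of Autopsy; the record layout is the real Windows one (version 1 for Vista/7/8, version 2 for Windows 10 and later), while the sample records, the `C:\Users\suspect\...` path and the timestamp are constructed here to make the code run offline.

```python
"""Parse Windows Recycle Bin $I<random>.<ext> metadata records.

Added example for the writeup above; not Autopsy code. Record layout
(real Windows format, both versions):

  0x00  u64  version (1 = Vista/7/8, 2 = Windows 10 and later)
  0x08  u64  original file size in bytes
  0x10  u64  deletion time as FILETIME (100 ns ticks since 1601-01-01 UTC)
  v1: 0x18  520 bytes  original path, UTF-16LE, NUL padded (MAX_PATH = 260 chars)
  v2: 0x18  u32        path length in UTF-16 code units, including the NUL
      0x1C  ...        original path, UTF-16LE
"""
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_V1_PATH_BYTES = 260 * 2


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data: bytes) -> dict:
    """Return version, size, deletion time and original path of a $I record."""
    if len(data) < 0x18:
        raise ValueError("record too short for $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + _V1_PATH_BYTES]
        if len(raw) < _V1_PATH_BYTES:
            raise ValueError("truncated v1 path field")
        # Fixed-width field: the path ends at the first NUL character.
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("truncated v2 path field")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "size": size,
        "deleted": filetime_to_datetime(ft),
        "original_path": path,
    }


def matching_r_name(i_name: str) -> str:
    """The $R file that carries the content for a given $I file shares its suffix."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_dollar_i(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Build a $I record. Used only to construct sample input for this example."""
    ft = ((deleted - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    header = struct.pack("<QQQ", version, size, ft)
    if version == 1:
        return header + path.encode("utf-16-le").ljust(_V1_PATH_BYTES, b"\x00")
    enc = (path + "\x00").encode("utf-16-le")
    return header + struct.pack("<I", len(path) + 1) + enc


# Constructed sample records (path, size and time are made up for the example).
SAMPLE_PATH = r"C:\Users\suspect\Pictures\flag.jpg"
SAMPLE_TIME = datetime(2018, 10, 6, 12, 34, 56, tzinfo=timezone.utc)
SAMPLE_V1 = build_dollar_i(1, 54321, SAMPLE_TIME, SAMPLE_PATH)
SAMPLE_V2 = build_dollar_i(2, 54321, SAMPLE_TIME, SAMPLE_PATH)

if __name__ == "__main__":
    for rec in (SAMPLE_V1, SAMPLE_V2):
        info = parse_dollar_i(rec)
        print(f"v{info['version']}: {info['original_path']} "
              f"({info['size']} bytes, deleted {info['deleted'].isoformat()})")
    print("$IABC123.jpg ->", matching_r_name("$IABC123.jpg"))
```

In a real case you would pull the `$I` and matching `$R` files out of `$Recycle.Bin\<SID>\` with Autopsy's extract function and feed the `$I` bytes to `parse_dollar_i`; the SID subfolder tells you which user account emptied the file, and the FILETIME gives the deletion time in UTC, which you then convert to the suspect machine's time zone when building the timeline.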

Conclusion

It was a very easy challenge, and another 100 points were in the bag.

Copyright © IspiraDio 2018