Cyprus CyberSecurity Challenge 2018: L3ave no Flag behind#ExtraFlag1

Tags: forensics

This one was the extension of the previous challenge, so we didn’t need anything else except the Autopsy which we already had done.

Description

"Using the original NTFS forensic image, find and recover deleted files within the partition to get the secondary flag."

Solution

From the description we know that we need to find and recover deleted files within the partition in order to get the secondary flag.

In the previous challenge I had checked all the files in the Recycle bin but I hadn’t found anything. So the next place that came to my mind was the Orphan Files.

A .txt file was found, which I opened, and the flag appeared in front of me!

Conclusion

Another easy challenge that increased my score by 100 points!

Usefullinks

Autopsy
Orphan file