BlackHat MEA CTF Qualifier 2024
NotFS — Forensics
Is this a FileSystem? Identify the file and make the necessary adjustments to solve the challenge.
I tried several tools, such as Autopsy and FTK Imager, but they did not yield anything useful. I then used TestDisk, a tool for recovering lost partitions and restoring non-booting disks.
A PNG and a text file were recovered from the image. The text file was not useful, but the PNG was missing the first byte of its header. Correcting the header gave us the flag.
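The header fix above is a one-byte patch, but it is worth seeing how to detect the damage and confirm the repair rather than trusting an image viewer. The following is an added example (my code, not part of the original write-up and not the challenge file): it repairs a PNG whose leading signature byte is missing or wrong, then validates chunk order and every chunk CRC before the file is written back. The 1x1 sample PNG it builds is constructed solely as test input; `repair_file` is a hypothetical helper name.

```python
import struct
import zlib

# The 8-byte PNG signature. The leading 0x89 byte is the kind of byte a
# recovered file can lose while the rest of the header stays intact.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def repair_png_signature(data: bytes) -> bytes:
    """Return `data` with a valid 8-byte PNG signature.

    Three cases are handled:
      * signature already intact            -> returned unchanged
      * leading byte dropped                 -> byte is prepended
      * first byte present but wrong         -> byte is overwritten
    Anything else is rejected rather than guessed at.
    """
    if data.startswith(PNG_SIGNATURE):
        return data
    if data.startswith(PNG_SIGNATURE[1:]):
        return PNG_SIGNATURE[:1] + data
    if len(data) >= 8 and data[1:8] == PNG_SIGNATURE[1:]:
        return PNG_SIGNATURE[:1] + data[1:]
    raise ValueError("data does not look like a PNG with a damaged signature")


def iter_chunks(data: bytes):
    """Yield (type, body, stored_crc) for each chunk after the signature."""
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        crc_start = body_start + length
        if crc_start + 4 > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = data[body_start:crc_start]
        (stored_crc,) = struct.unpack(">I", data[crc_start:crc_start + 4])
        yield ctype, body, stored_crc
        pos = crc_start + 4
        if ctype == b"IEND":
            break


def validate_png(data: bytes) -> tuple:
    """Check signature, chunk order and every chunk CRC; return (width, height)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("bad PNG signature")
    chunks = list(iter_chunks(data))
    if not chunks or chunks[0][0] != b"IHDR":
        raise ValueError("first chunk is not IHDR")
    if chunks[-1][0] != b"IEND":
        raise ValueError("missing IEND chunk")
    for ctype, body, stored_crc in chunks:
        # The CRC covers the type field and the body, not the length field.
        if zlib.crc32(ctype + body) != stored_crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
    width, height = struct.unpack(">II", chunks[0][1][:8])
    return width, height


def build_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG used only as test input (not the challenge file)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body)
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    scanline = b"\x00" + b"\xff\x00\x00"                   # filter byte 0 + one red pixel
    return (PNG_SIGNATURE
            + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanline))
            + chunk(b"IEND", b""))


def repair_file(src: str, dst: str) -> tuple:
    """Hypothetical helper: repair the PNG at `src`, validate it, write to `dst`."""
    with open(src, "rb") as fh:
        fixed = repair_png_signature(fh.read())
    size = validate_png(fixed)  # raises before anything is written if still broken
    with open(dst, "wb") as fh:
        fh.write(fixed)
    return size


if __name__ == "__main__":
    import sys
    print("repaired image is %dx%d" % repair_file(sys.argv[1], sys.argv[2]))
```

Validating the CRCs matters because a file carved by a recovery tool can be missing more than its first byte; a signature fix that "opens" in a lenient viewer is not proof the rest of the image is intact.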
Artifact — Forensics
During the investigation of a compromised machine, it was determined that an impersonation tool had been executed. The Digital Forensics and Incident Response (DFIR) team has provided only a specific hive for analysis. Your objective is to identify the name of the executable associated with the impersonation tool and determine the earliest suspected execution time of this executable on the affected machine. Flag format/example: BHFlag{cmd.exe_29/12/1992_22:33:13}
The provided file was a Registry Hive. To analyze its contents, I utilized the RegRipper tool, which efficiently extracts data from Windows registry files.
Upon completion of the analysis, I searched for all entries related to .exe files. During this process, I identified a suspicious file named DeadPotato-NET4.exe. Additionally, the execution date of this file was recorded, providing further insight into its activity.
This file name together with its timestamp, in the required BHFlag{} format, was the correct flag.
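Because the challenge asks for the earliest execution time, the step that is easy to get wrong is aggregating several records for the same executable and picking the minimum, then rendering it in the flag's dd/mm/yyyy_HH:MM:SS layout. The following is an added example, not from the write-up and not RegRipper output: it takes (timestamp, path) records of the kind you would extract from the RegRipper report, flags executables living outside the standard system directories, and builds the flag string. The sample records, their timestamps, and the `bob` user path are constructed; the only name taken from the write-up is DeadPotato-NET4.exe.

```python
from datetime import datetime

# Flag layout from the challenge text: BHFlag{<exe name>_dd/mm/yyyy_HH:MM:SS}
FLAG_TIME_FORMAT = "%d/%m/%Y_%H:%M:%S"

# Constructed sample records (timestamp, full path). These are not RegRipper
# output and not the challenge's real timestamps.
SAMPLE_RECORDS = [
    ("2024-03-02 10:05:44", r"C:\Windows\System32\cmd.exe"),
    ("2024-03-02 10:07:02", r"C:\Users\bob\Downloads\DeadPotato-NET4.exe"),
    ("2024-03-02 09:58:31", r"C:\Users\bob\Downloads\DeadPotato-NET4.exe"),
    ("2024-03-01 18:20:00", r"C:\Windows\explorer.exe"),
    ("2024-03-02 09:59:10", r"C:\Users\bob\AppData\Local\Temp\installer.tmp"),
]

# Directories where an executable is expected to live. Anything outside these
# is not proof of malice, only a reason to look closer.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def parse_record(ts: str, path: str) -> tuple:
    """Return (datetime, basename, path) for one record."""
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    name = path.rsplit("\\", 1)[-1]
    return when, name, path


def earliest_exe_executions(records) -> dict:
    """Map each .exe basename to its earliest timestamp across all records."""
    earliest = {}
    for ts, path in records:
        when, name, _ = parse_record(ts, path)
        if not name.lower().endswith(".exe"):
            continue
        if name not in earliest or when < earliest[name]:
            earliest[name] = when
    return earliest


def suspicious_exes(records) -> set:
    """Names of .exe files seen at any path outside TRUSTED_PREFIXES."""
    found = set()
    for ts, path in records:
        _, name, full = parse_record(ts, path)
        if name.lower().endswith(".exe") and not full.lower().startswith(TRUSTED_PREFIXES):
            found.add(name)
    return found


def format_flag(name: str, when: datetime) -> str:
    """Render the flag exactly as the challenge specifies."""
    return "BHFlag{%s_%s}" % (name, when.strftime(FLAG_TIME_FORMAT))


def solve(records) -> list:
    """One flag candidate per suspicious executable, using its earliest time."""
    earliest = earliest_exe_executions(records)
    return [format_flag(n, earliest[n]) for n in sorted(suspicious_exes(records))]


if __name__ == "__main__":
    for candidate in solve(SAMPLE_RECORDS):
        print(candidate)
```

Note that `datetime.strptime` with `%H` keeps the leading zero (`09:58:31`) and `%d/%m/%Y` puts the day first, which is the order the flag example `29/12/1992` uses; swapping day and month is the most common way to submit a wrong flag with the right data.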
Thanks.