BYUCTF 2024 - Forensic
Hi everyone, I just joined BYUCTF two days ago, and so far I feel very happy because I solved 5 of the 6 forensic challenges. Below is my writeup, let’s go:
Who Am I
For this challenge they gave me a .docx file, and our mission is to find the author of the file. Very easy: just navigate to File -> Info and you will see the author information.
Flag: byuctf{Ryan Sketchy}
Advanced Steak
We have a .001 file and a decryptor tool written in Python that decrypts .cow files, and we need to find the secret inside the .001 file. First, I needed to know how a .cow file works:
I used xxd to look at the hex values inside the file and realised that its signature is 1337beef and that it ends with 4d6f6f6f (Mooo):
Moreover, I could not import the .001 file into FTK Imager, so I was stuck here for a long time, until an idea came to mind: “I wonder if there’s a .cow file inside it?” So I opened it in hexedit and searched for 1337beef and 4d6f6f6f. Fortunately, there was one:
From here I extracted it with the help of my friend (sorry for that 😂😂😂), used the cow decryptor tool to decrypt it, saved the output to a file, opened it and enjoyed the result:
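The carving step above can be scripted instead of done by hand in hexedit. The following is an added example, not the author's code or the challenge's decryptor: it scans a raw image for the 13 37 be ef header and the "Mooo" trailer the writeup identified and returns every region between them. The sample image is constructed inline; the real .cow layout beyond those two markers is not known here.

```python
# Added example (not from the writeup): carve .cow blobs out of a raw .001
# image by scanning for the header and trailer bytes found with xxd.
# Assumption: header = 13 37 be ef, trailer = "Mooo" (4d 6f 6f 6f), as on
# the page. Caveat: if the encrypted payload itself contains "Mooo", the
# carve ends early; check the decryptor output and widen the slice if so.
from typing import List, Tuple

COW_HEADER = bytes.fromhex("1337beef")
COW_TRAILER = b"Mooo"  # 4d 6f 6f 6f


def carve_cow(image: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, blob) for every header..trailer region in the image.

    The blob keeps the header and trailer so the decryptor sees the same
    bytes a standalone .cow file would contain. A header with no trailer
    after it is treated as truncated and is not carved.
    """
    found = []
    pos = 0
    while True:
        start = image.find(COW_HEADER, pos)
        if start == -1:
            break
        end = image.find(COW_TRAILER, start + len(COW_HEADER))
        if end == -1:
            break  # header without a trailer: nothing complete to carve
        stop = end + len(COW_TRAILER)
        found.append((start, image[start:stop]))
        pos = stop
    return found


def build_sample_image() -> bytes:
    """Constructed .001 image: filler bytes around two embedded .cow blobs."""
    cow1 = COW_HEADER + b"\x00\x10" + b"encrypted-secret-1" + COW_TRAILER
    cow2 = COW_HEADER + b"\x00\x05" + b"second" + COW_TRAILER
    return b"\xff" * 512 + cow1 + b"\x00" * 64 + cow2 + b"\xee" * 128


if __name__ == "__main__":
    image = build_sample_image()
    for n, (offset, blob) in enumerate(carve_cow(image)):
        out = f"carved_{n}.cow"
        with open(out, "wb") as fh:
            fh.write(blob)
        print(f"{out}: offset 0x{offset:x}, {len(blob)} bytes")
```

Replace build_sample_image() with the bytes of the real .001 file (read in binary mode) and feed each carved_N.cow to the decryptor.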
Not again! I’ve been BitLockered out of my own computer!
The sample is a memory dump, and we need to find the FVEK (Full Volume Encryption Key), which BitLocker uses to encrypt the hard drive. Fortunately, I found a plugin that solves this. Now everything is easy: just follow the guide and enjoy the result:
Not sure I’ll recover from this:
We need to find the answers to the security questions, and if you have studied Windows you will know that these questions are stored in the SAM hive.
- First, open the .vhdx file in Autopsy (or mount it in Windows directly):
- Second, navigate to C:\Windows\System32\config\
- Third, export SAM to our machine and import it into Registry Explorer:
Result: {"version":1,"questions":[{"question":"What was your first pet's name?","answer":"jimothy"},{"question":"What's the name of the city where your parents met?","answer":"Idaho Falls"},{"question":"What's the first name of your oldest cousin?","answer":"Zephanias"}]}
Flag: byuctf{jimothy_Idaho Falls_Zephanias}
Did nobody see:
They gave us a Windows backup, and it contains prefetch files, Windows event log files, some database files… At first I saw many log files and thought I had to look through them to find the answer, but after about 2 hours I didn’t get anything. From here I was stuck, very stuck, and fortunately my “bi quan” brother gave me a hint:
The answer was not in the log files, so where should I look now? Then I remembered one thing I hadn’t noticed: SAM, SYSTEM and SECURITY. From here I used ChatGPT to learn about them, and I really did find the answer:
Without waiting, I imported the SYSTEM hive into Registry Explorer, followed the instructions and found the answer:
Flag: byuctf{162.252.172.57}
The worst challenge ever:
As the name says, it’s a f*cking guessy challenge, and I SPENT A NIGHT on it but could not get anything. I was going to write up 4 challenge solutions instead of 5, as you can see, but fortunately my Malaysian bro gave me the solution 😂😂😂. When I saw the solution, it was even more guessy than I had thought 😂😂😂. Ok, so it works like this:
- Open it in hexedit, and you will see a region that only contains 0s and 1s:
- The idea is: delete the strings at the beginning and the end, treat every 01 as a separator, and the problem becomes: split the string 010101,… using 01 as the comma, calculate the length of each piece and chr() it:
- Extract data:
- Write a Python script to decrypt:
with open("C:\\Users\\Admin\\Downloads\\download (2).dat", 'r') as file:
    # the extracted data is space-separated bits; " 01 " separates the pieces
    arr = file.read().split(" 01 ")
    for i in arr:
        # the number of bits in each piece is the character code
        print(chr(len(i.split())), end='')
Guessy, right? Btw, these are all the challenges I solved in BYUCTF. In general, it was very fun and interesting, and I learnt many things from it. Thank you for reading, see you next time!