Forensic

  • Taking Up Residence

Another CTF, another forensic challenge solved. For this challenge we are given a file with no obvious type. After some research on the file header, which starts with "FILE0", I discovered that the file provided was in fact an MFT (Master File Table) file. An MFT file mainly consists of file entries: one is created each time a file gets added to an NTFS file system volume. More information about the MFT file here.

So, with that information I used a tool called MFT Explorer, a GUI-based tool that makes further analysis of the MFT file easier. Before that, I tried a tool called strings to pull out any printable plain text, which revealed the location of flag.txt in .\Users\User\Downloads. Using MFT Explorer, I went to the Downloads folder and found flag.txt, but it looks like the flag has been encrypted.

Looking at another interesting file called ransom.py, I found that this is the Python script that encrypted flag.txt. The encryption the script uses is Fernet, which needs a base64 key to decrypt the file; that key is already provided in the overview pane. With the key, I could finally decrypt it and see the plain-text flag.
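The same lookup can be done without a GUI. The following is an added example, not part of the original write-up or of MFT Explorer: it walks the records of a raw MFT dump and returns the content of files whose unnamed $DATA attribute is resident. It assumes 1024-byte records and that small files such as flag.txt and ransom.py are stored resident; `build_sample` creates a constructed record for testing.

```python
import struct

RECORD_SIZE, FILE_NAME, DATA, END = 1024, 0x30, 0x80, 0xFFFFFFFF  # 1024-byte records assumed

def apply_fixups(rec):
    """Restore the last 2 bytes of each 512-byte sector from the update sequence array."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)  # usa_off 0x30 is the "0" in "FILE0"
    for i in range(1, min(usa_count, len(rec) // 512 + 1)):
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(rec):
    """Return (name, resident unnamed $DATA or None), or None if not a FILE record."""
    if rec[:4] != b"FILE":
        return None
    rec, name, data = apply_fixups(rec), None, None
    off = struct.unpack_from("<H", rec, 0x14)[0]  # offset of the first attribute
    while off + 24 <= len(rec):
        atype, alen, nonres, name_len = struct.unpack_from("<IIBB", rec, off)
        if atype == END or alen < 24 or off + alen > len(rec):
            break
        if not nonres:  # resident: the content is stored inside the record itself
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + min(coff + clen, alen)]
            if atype == FILE_NAME and len(body) >= 0x42:
                name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le", "replace")
            elif atype == DATA and name_len == 0:  # unnamed stream = file content
                data = body
        off += alen
    return name, data

def resident_files(mft):
    """Map file name -> resident content for every record of a raw $MFT dump."""
    recs = (parse_record(mft[i:i + RECORD_SIZE]) for i in range(0, len(mft), RECORD_SIZE))
    return {r[0]: r[1] for r in recs if r and r[0] and r[1] is not None}

def build_sample(name, content):
    """Constructed record for testing; not taken from the challenge image."""
    def attr(atype, body):
        padded = body + bytes(-len(body) % 8)
        return struct.pack("<IIB7xIH2x", atype, 24 + len(padded), 0, len(body), 24) + padded
    fn = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    head = struct.pack("<4sHH12xHH24x2s6x", b"FILE", 0x30, 3, 0x38, 1, b"\x01\x00")
    rec = bytearray(head + attr(FILE_NAME, fn) + attr(DATA, content) + struct.pack("<I", END))
    rec = rec.ljust(RECORD_SIZE, b"\0")
    for i in (1, 2):  # stash each sector's last 2 bytes in the array, stamp the USN there
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = b"\x01\x00"
    return bytes(rec)
```

Skipping the fixup step is the usual reason carved resident data comes out with two wrong bytes at record offsets 510 and 511, which is enough to break a base64 key or a Fernet token.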

Flag: flag{a4096cd70d8859d38cf8e7487b4cd0fa}
