UnRename
Challenge Name: UnRename
Category: Forensics
Difficulty: Hard
Description: flag.txt has been renamed. Submit the original name of flag.txt as flag ICTF24{original_filename.extension}
The challenge provided an .ad1 file to us. The "a" and "d" means Access Data. A quick look up of Access Data reveals that they have a product called FTK Imager which is used to image hard drives and read image data, which is what the file given to us is. So let's open it up there!
So once you loaded FTK Imager, click on the icon shown to Add Evidence Item.
Click on Image File.
Now locate the file provided to us and select it as our data source.
Looking at the Evidence Tree, we can actually expand the folders. So if you looked around the folders, there are 2 folders of interest, UnRename and $Extend which I will explain later on.
So, within UnRename, there is a file called flag.txt. However, the flag is the file name of the original file.
This brings us to the $Extend folder which contains a file called $J. The $J file in Windows is part of the NTFS (New Technology File System) file system, which is used by Windows operating systems for organizing and storing files on a disk. Specifically, the $J file is associated with the USN (Update Sequence Number) Journal, also known as the Change Journal.
The USN Journal is a feature in NTFS that provides a persistent log of changes made to files on the volume. Whenever a file, directory, or other file system object is created, deleted, or modified, an entry is added to the USN Journal.
To open or in Forensics terms parse this file MFTECmd by Eric Zimmerman is used here. Eric Zimmerman is a well-known figure in the digital forensics community, and he has developed a suite of tools that are widely used by forensic investigators. His tools are designed to analyze various types of digital evidence, streamline the investigative process, and extract valuable information from different data sources.
Once downloaded, this command will parse through the $J file and output the results to a csv file within a folder called "ICTF".
At this point, to open the csv file, it is better to use Timeline Explorer. A tool which is also made by Eric Zimmerman as it is more centered towards opening csv files which are generated by Forensics tools.
So now we have records of when every file is updated. Now the methodology is as follows:
We know the file is a
.txtfileWe know that a text file must be created first and then renamed
These actions must be done in sequence, meaning the timeline must show these 2 steps being done
With that said, we can click on Update Timestamp twice to sort the data in descending order in terms of timestamps to bring the most recent changes to the top.
Then, we can right-click on Extension and add the rule shown above.
Using the methodology defined just now, we can see a new text document being created, renamed and renamed again. The file name of the first instance of the text file being renamed is the flag.
Last updated
