# UnRename **Challenge Name: UnRename** **Category: Forensics** **Difficulty: Hard** **Description: flag.txt has been renamed. Submit the original name of flag.txt as flag ICTF24{original\_filename.extension}**

The challenge provided an `.ad1` file to us. The "a" and "d" means Access Data. A quick look up of Access Data reveals that they have a product called FTK Imager which is used to image hard drives and read image data, which is what the file given to us is. So let's open it up there!

So once you loaded FTK Imager, click on the icon shown to `Add Evidence Item`.

Click on `Image File`.

Now locate the file provided to us and select it as our data source.

Looking at the `Evidence Tree`, we can actually expand the folders. So if you looked around the folders, there are 2 folders of interest, `UnRename` and `$Extend` which I will explain later on.

So, within `UnRename`, there is a file called `flag.txt`. However, the flag is the file name of the original file.

This brings us to the `$Extend` folder which contains a file called `$J`. The `$J` file in Windows is part of the NTFS (New Technology File System) file system, which is used by Windows operating systems for organizing and storing files on a disk. Specifically, the `$J` file is associated with the USN (Update Sequence Number) Journal, also known as the Change Journal. The USN Journal is a feature in NTFS that provides a persistent log of changes made to files on the volume. Whenever a file, directory, or other file system object is created, deleted, or modified, an entry is added to the USN Journal.

To open or in Forensics terms parse this file `MFTECmd` by Eric Zimmerman is used here. Eric Zimmerman is a well-known figure in the digital forensics community, and he has developed a suite of tools that are widely used by forensic investigators. His tools are designed to analyze various types of digital evidence, streamline the investigative process, and extract valuable information from different data sources. ``` .\MFTECmd.exe -f 'C:\location of ad file\$Extend\$J' --csv ICTF ``` Once downloaded, this command will parse through the `$J` file and output the results to a csv file within a folder called "ICTF".

At this point, to open the csv file, it is better to use Timeline Explorer. A tool which is also made by Eric Zimmerman as it is more centered towards opening csv files which are generated by Forensics tools.

So now we have records of when every file is updated. Now the methodology is as follows: * We know the file is a `.txt` file * We know that a text file must be created first and then renamed * These actions must be done in sequence, meaning the timeline must show these 2 steps being done With that said, we can click on `Update Timestamp` twice to sort the data in descending order in terms of timestamps to bring the most recent changes to the top.

Then, we can right-click on Extension and add the rule shown above.

Using the methodology defined just now, we can see a new text document being created, renamed and renamed again. The file name of the first instance of the text file being renamed is the flag. ``` ICTF24{50989db4ffd41017fe2d7277f5bd5039.txt} ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://zach-wong.gitbook.io/easy-reads/ictf-2024-writeups/unrename.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.