CodeGate 2012 Quals Forensic 500 Write-up

This file is in a commonly used forensic file format.
Check the information of the imaged DISK and find the GUIDs of every partition.

Answer: strupr((part1_GUID) XOR (part2_GUID) XOR …)

Download : B704361ACF90390C17F6103DF4811E2D

Forensic 500 features EWF format container with EFI GPT partition table.

The container

D:\ctf\cg2012\for500>\TrID\trid.exe B704361ACF90390C17F6103DF4811E2D
TrID/32 - File Identifier v2.10 - (C) 2003-11 By M.Pontello
Definitions found:  4604
Collecting data from file: B704361ACF90390C17F6103DF4811E2D
100.0% (.E01) EnCase Forensic Drive Image (3006/2)

If it’s EnCase format, let’s open it with EnCase!

Aha, not so easy: EnCase spits out an error and doesn’t open it. We have to parse it manually.

Download EWF format specification.

EWF file can be presented like this:

struct ewf_file {
    char ewf_magic[8] = "EVF\x09\x0D\x0A\xFF\x00";
    uint8_t start_of_fields = 0x01;
    uint16_t seg_number;  /* 0x0001 in the sample */
    uint16_t end_of_fields = 0x0001;
    struct ewf_section sections[];  /* first section starts at file offset 0x0D */
};

EWF section description:

struct ewf_section {
    char section_name[16];  /* first is "header2" in sample */
    uint64_t next_section_offset;  /* 0x0175, absolute file offset */
    uint64_t section_size;  /* 0x0168, descriptor (0x4C bytes) + data */
    char padding[40];
    uint32_t section_adler32;  /* 0xE211037B, Adler-32 of the 72 descriptor bytes above */
    char section_data[];
};

The sample has 5 sections:

  • header2, starting at file offset 0x0D, data size 0x011C
    Contains zlib-compressed text data with container metadata. Decompressible with the PHP function gzuncompress
  • header2 duplicate, starting at file offset 0x0175
  • header, file offset 0x02DD, data size 0x69
    Contains zlib-compressed text metadata; the format is similar to header2
  • volume, file offset 0x0392, data size 0x041C
    Contains binary disk volume information, not interesting.
  • sectors, file offset 0x07FA, data size 0x0FF7BA
    Contains actual disk sectors, it’s our target. Sectors are grouped by 128 KB and compressed.

Let’s grab several first kilobytes from sectors section and uncompress them.
Download raw sectors.

GPT partition table lies at disk offset 0x200, so first 128 KB is enough for us.
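To make the section walk above concrete, here is an added example (not code from the original write-up): it constructs a tiny single-segment EWF file in memory with the same layout as the structs above (13-byte file header, then a chain of section descriptors), walks the chain by next_section_offset while verifying each descriptor's Adler-32, inflates the compressed metadata text, and inflates the first chunk of the sectors section. The section names, the metadata text and the 1024-byte chunk are constructed sample data; the offsets in a real image come from the table section, which this example omits.

```python
import struct
import zlib

EWF_MAGIC = b"EVF\x09\x0D\x0A\xFF\x00"
FILE_HDR_FMT = "<8sBHH"       # magic, fields start, segment number, fields end: 13 bytes
SECTION_FMT = "<16sQQ40sI"    # name, next section offset, section size, padding, Adler-32
SECTION_LEN = struct.calcsize(SECTION_FMT)   # 76 bytes, so section data follows at +0x4C


def make_section(name, data, offset):
    """Build one section descriptor plus its data, placed at absolute file offset `offset`."""
    size = SECTION_LEN + len(data)
    nxt = offset if name == b"done" else offset + size   # the last section points at itself
    head = struct.pack("<16sQQ40s", name.ljust(16, b"\0"), nxt, size, b"\0" * 40)
    # The checksum covers the 72 descriptor bytes that precede it.
    return head + struct.pack("<I", zlib.adler32(head)) + data


def build_sample_ewf():
    """Constructed single-segment EWF file: file header, a zlib-compressed 'header'
    metadata section, one compressed chunk in 'sectors', and the closing 'done' section."""
    out = bytearray(struct.pack(FILE_HDR_FMT, EWF_MAGIC, 0x01, 1, 0x0000))
    out += make_section(b"header", zlib.compress(b"1\nmain\nc\tn\n\tcodegate-sample\n"), len(out))
    chunk = bytearray(1024)              # two 512-byte sectors, constructed
    chunk[0x200:0x208] = b"EFI PART"     # a GPT header signature at LBA 1
    out += make_section(b"sectors", zlib.compress(bytes(chunk)), len(out))
    out += make_section(b"done", b"", len(out))
    return bytes(out)


def walk_sections(ewf):
    """Follow the next_section_offset chain, verifying each descriptor's Adler-32.
    Returns a list of (name, offset, data_size, data) tuples."""
    magic, _start, _segment, _end = struct.unpack_from(FILE_HDR_FMT, ewf, 0)
    if magic != EWF_MAGIC:
        raise ValueError("not an EWF segment file")
    off = struct.calcsize(FILE_HDR_FMT)  # first section begins at 0x0D
    sections = []
    while True:
        desc = ewf[off:off + SECTION_LEN]
        raw_name, nxt, size, _pad, adler = struct.unpack(SECTION_FMT, desc)
        if zlib.adler32(desc[:SECTION_LEN - 4]) != adler:
            raise ValueError(f"bad Adler-32 in section at 0x{off:X}")
        name = raw_name.rstrip(b"\0").decode("ascii")
        sections.append((name, off, size - SECTION_LEN, ewf[off + SECTION_LEN:off + size]))
        if name == "done" or nxt <= off:     # end of chain (or a loop: stop rather than spin)
            return sections
        off = nxt


def section_data(sections, name):
    return next(d for n, _o, _s, d in sections if n == name)


def header_text(sections, name="header"):
    """Metadata sections hold zlib-compressed text (PHP: gzuncompress)."""
    return zlib.decompress(section_data(sections, name)).decode()


def first_chunk(sections):
    """Inflate only the first compressed chunk of 'sectors'. A real image stores many chunks
    back to back and lists their offsets in the 'table' section, which this example omits.
    decompressobj stops at the end of the first zlib stream, so trailing chunks are ignored."""
    return zlib.decompressobj().decompress(section_data(sections, "sectors"))


if __name__ == "__main__":
    secs = walk_sections(build_sample_ewf())
    for name, off, dsize, _ in secs:
        print(f"{name:<8} offset 0x{off:04X}  data size 0x{dsize:04X}")
    print(header_text(secs))
    print("GPT signature at 0x200:", first_chunk(secs)[0x200:0x208])
```

Pointing walk_sections at the real container would list header2, header2, header, volume, sectors and the trailing sections with their offsets; the Adler-32 check is what catches a truncated or corrupted descriptor before you trust its next_section_offset.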

The partition table

GPT headers specification on Wikipedia.

GPT header structure:

struct gpt {
    char gpt_magic[8] = "EFI PART";
    char revision[4] = "\x00\x00\x01\x00";
    uint32_t header_size = 0x5C;
    uint32_t header_crc32;  /* 0x50448816 in the sample; computed with this field zeroed */
    char reserved[4];
    uint64_t current_lba = 0x01;
    uint64_t backup_lba;  /* 0x0EE7C2AF in sample */
    uint64_t first_data_lba;  /* 0x22 */
    uint64_t last_data_lba;  /* 0x0EE7C28E */
    GUID disk_guid;  /* {33B483E2-0856-4E73-A8C9-96BC37648169} */
    uint64_t part_lba = 0x02;
    uint32_t part_number;  /* 0x80 in sample (?!?) */
    uint32_t part_size = 0x80;
    uint32_t part_crc32;  /* 0xE41AB9FC, CRC32 of the partition entry array */
    char padding[420];  /* pads the header to one 512-byte sector */
    struct gpt_partition partitions[];  /* start at part_lba, i.e. disk offset 0x400 */
};

GPT partition entry structure:

struct gpt_partition {
    GUID type_guid;
    GUID partition_guid;
    uint64_t first_lba;
    uint64_t last_lba;
    uint64_t flags;
    wchar_t partition_label[36];  /* UTF-16LE, 72 bytes */
};

Using these structures, 4 partition entries can be found (GUIDs listed as the raw 16 bytes stored on disk):

  • GUID 2B8026604DAD0547B9B1BF81BDD2CAC7, label “EFI System Partition”
  • GUID 9996F83677E0E046A7FCD7206ECE9F1C, label “System”
  • GUID 69BCD73BDCD8E5489C44FF2A0F26F1CD, label “Recovery HD”
  • GUID A7CD84F394F63A4EACE7BF40EE99E551, label “Secure”

XOR the GUIDs together to get the flag: 7C678D9E72633A072EEE28CB32A34147
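The GPT side of the parse, as an added example that is not part of the original write-up: it builds a small raw image in memory carrying the four partition GUIDs listed above (the raw on-disk bytes) and the disk GUID from the header struct, then parses the header at offset 0x200 the way a forensic tool does, verifying header_crc32 (computed with the CRC field zeroed) and part_crc32 before walking the entry array, and finally XORs the raw GUIDs into the flag. The partition type GUID (the well-known EFI System Partition type, used for all four slots for simplicity), the LBA ranges and the unused 124 slots are constructed; it also shows the canonical mixed-endian text form of each GUID, which differs from the raw byte order the flag is computed over.

```python
import struct
import uuid
import zlib

SECTOR = 512
HDR_FMT = "<8s4sII4sQQQQ16sQIII"   # GPT header fields through part_crc32 (0x5C bytes)
ENTRY_FMT = "<16s16sQQQ72s"        # one 128-byte partition entry

# Raw partition GUIDs exactly as the 16 bytes are stored on disk (taken from the write-up);
# the type GUID and LBA ranges below are constructed for this example.
SAMPLE_PARTITIONS = [
    ("2B8026604DAD0547B9B1BF81BDD2CAC7", "EFI System Partition"),
    ("9996F83677E0E046A7FCD7206ECE9F1C", "System"),
    ("69BCD73BDCD8E5489C44FF2A0F26F1CD", "Recovery HD"),
    ("A7CD84F394F63A4EACE7BF40EE99E551", "Secure"),
]
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")   # well-known EFI System type
DISK_GUID = uuid.UUID("33B483E2-0856-4E73-A8C9-96BC37648169")  # from the write-up


def build_sample_disk():
    """Constructed raw image: LBA 0 left blank, GPT header at LBA 1, 128 entries from LBA 2."""
    entries = bytearray(128 * 128)
    lba = 0x28
    for i, (raw_guid, label) in enumerate(SAMPLE_PARTITIONS):
        entries[i * 128:(i + 1) * 128] = struct.pack(
            ENTRY_FMT, ESP_TYPE.bytes_le, bytes.fromhex(raw_guid), lba, lba + 0xFFF, 0,
            label.encode("utf-16-le").ljust(72, b"\0"))
        lba += 0x1000
    part_crc = zlib.crc32(bytes(entries))

    def header(crc):
        return struct.pack(HDR_FMT, b"EFI PART", b"\x00\x00\x01\x00", 0x5C, crc, b"\0" * 4,
                           1, 0x0EE7C2AF, 0x22, 0x0EE7C28E, DISK_GUID.bytes_le,
                           2, 128, 128, part_crc)

    # header_crc32 is computed over header_size bytes with its own field zeroed
    hdr = header(zlib.crc32(header(0))).ljust(SECTOR, b"\0")
    return bytes(SECTOR) + hdr + bytes(entries)


def parse_gpt(disk):
    """Validate the GPT header and partition array at disk offset 0x200; return used entries."""
    lba1 = disk[SECTOR:2 * SECTOR]
    (sig, _rev, hsize, hcrc, _r1, _cur, _bak, _first, _last, _disk_guid,
     part_lba, part_count, part_size, part_crc) = struct.unpack_from(HDR_FMT, lba1, 0)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    zeroed = lba1[:16] + b"\0\0\0\0" + lba1[20:hsize]
    if zlib.crc32(zeroed) != hcrc:
        raise ValueError("GPT header CRC32 mismatch")
    start = part_lba * SECTOR
    array = disk[start:start + part_count * part_size]
    if zlib.crc32(array) != part_crc:
        raise ValueError("partition array CRC32 mismatch")
    parts = []
    for i in range(part_count):
        entry = array[i * part_size:i * part_size + 128]
        type_guid, part_guid, first, last, flags, label = struct.unpack(ENTRY_FMT, entry)
        if type_guid == bytes(16):       # unused slot
            continue
        parts.append({
            "type": str(uuid.UUID(bytes_le=type_guid)).upper(),
            "guid_raw": part_guid.hex().upper(),                  # on-disk byte order
            "guid": str(uuid.UUID(bytes_le=part_guid)).upper(),   # canonical mixed-endian text
            "label": label.decode("utf-16-le").rstrip("\0"),
            "first_lba": first, "last_lba": last, "flags": flags,
        })
    return parts


def xor_flag(parts):
    """strupr(GUID1 XOR GUID2 XOR ...) over the raw 16-byte GUIDs, as the task asks."""
    acc = bytearray(16)
    for p in parts:
        for i, b in enumerate(bytes.fromhex(p["guid_raw"])):
            acc[i] ^= b
    return acc.hex().upper()


if __name__ == "__main__":
    parts = parse_gpt(build_sample_disk())
    for p in parts:
        print(p["guid_raw"], p["guid"], p["label"])
    print("flag:", xor_flag(parts))
```

Feeding the decompressed first chunk of the real image to parse_gpt gives the same four entries; note that the raw bytes 2B802660... print canonically as 6026802B-AD4D-4705-..., so a tool that shows GUIDs in text form must be converted back to byte order before the XOR, otherwise the flag will not match.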


For users of awesome 010 Editor, I’ve also written templates that automatically parse EWF and GPT into a nice tree:
