Codegate CTF 2011 Forensic 300, Issue 300

Forensic 300

Description:

We are investigating the leaking of military secrets. We found traffic with leaking secrets while monitoring the network. A security team was sent to investigate immediately, but there was no one present. It was found by the forensics team that all the leaked secrets were completely deleted by a wiping tool, and the team found a trace of the leak using a portable device. Before long, the suspect was detained, but he denies the allegations.

Now the investigation is focused on the portable device. The given files are registry files acquired from the system. The estimated time of the incident is Mon, 21 February 2011 15:24:28 (KST). Find a trace of the portable device used for the incident.
The Key: “Vendor name” + “volume name” + “serial number” (please write in capitals)

We were given a tar archive with MS Windows registry files:

./default.bak
./SAM.bak
./proneer.NTUSER.DAT.bak
./system.bak
./software.bak
./SECURITY.bak

After some searching on Google I found an article that linked to the tool “Windows USB Storage (USBSTOR) Parser” (usp), which reads the USBSTOR, MountedDevices and MountPoints2 data out of the SYSTEM and NTUSER.DAT hives. The incident time is given in KST (UTC+9), so 15:24:28 KST is 06:24:28 UTC, and that is the pattern to grep for in the parser's UTC timestamps:

$ ./usp -sys ../system.bak -user ../proneer.NTUSER.DAT.bak | grep -C 10 6:24:28
Instance ID/Serial #:	       ddf08fb7a86075&0
Driver:                        {4d36e967-e325-11ce-bfc1-08002be10318}\0004
Volume ID:                     7fcea8e8-39e6-11e0-9e0f-000c290f784e
Disk ID:                       7fcea8e6-39e6-11e0-9e0f-000c290f784e
Volume name:                   PR0N33R
Parent ID Prefix:              <none found>
Vendor ID:                     1b1c
Product ID:                    0a31
Revision:                      0.00
Vendor/product                 corsair/ufd
Acct that mounted vol:         proneer acct, on 02/21/11 06:24:28.760 [UTC]

The answer is: CORSAIRPR0N33RDDF08FB7A86075
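The KST-to-UTC step and the assembly of the key are the parts of this solution that are easy to get wrong. As an added example (not code from the original write-up or from the usp tool), the script below takes the usp record quoted above, embedded here as a constructed sample, converts the incident time from KST to UTC, checks that the volume was mounted within a minute of it, and builds the key in the requested form. The one-minute window and the treatment of the `&0` suffix on the instance ID as a Windows-added instance number, not part of the device serial, are assumptions of this example.

```python
"""Added example, not part of the original write-up: check the mount time of
the device usp reported against the incident time given in KST, and build
"Vendor name" + "volume name" + "serial number" in capitals."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the usp record quoted in the write-up, copied verbatim.
USP_RECORD = r"""
Instance ID/Serial #:          ddf08fb7a86075&0
Driver:                        {4d36e967-e325-11ce-bfc1-08002be10318}\0004
Volume ID:                     7fcea8e8-39e6-11e0-9e0f-000c290f784e
Disk ID:                       7fcea8e6-39e6-11e0-9e0f-000c290f784e
Volume name:                   PR0N33R
Parent ID Prefix:              <none found>
Vendor ID:                     1b1c
Product ID:                    0a31
Revision:                      0.00
Vendor/product                 corsair/ufd
Acct that mounted vol:         proneer acct, on 02/21/11 06:24:28.760 [UTC]
"""

KST = timezone(timedelta(hours=9))  # Korea Standard Time, no DST


def parse_usp_record(text):
    """Split usp's 'Label:   value' lines into a dict.

    Label and value are separated by a run of spaces; the colon is optional
    because the 'Vendor/product' line has none.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?):?\s{2,}(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def mount_time_utc(fields):
    """usp prints the mount time as 'on MM/DD/YY HH:MM:SS.mmm [UTC]'."""
    m = re.search(r"on (\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\.(\d{3}) \[UTC\]",
                  fields["Acct that mounted vol"])
    if not m:
        raise ValueError("no UTC mount time in record")
    stamp = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
    return stamp.replace(microsecond=int(m.group(2)) * 1000, tzinfo=timezone.utc)


def incident_time_utc(kst_text="2011-02-21 15:24:28"):
    """Convert the incident time the challenge gives in KST to UTC."""
    local = datetime.strptime(kst_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=KST)
    return local.astimezone(timezone.utc)


def mounted_near(fields, incident_utc, window=timedelta(minutes=1)):
    """True when the volume was mounted within `window` of the incident (window is an assumption)."""
    return abs(mount_time_utc(fields) - incident_utc) <= window


def make_key(fields):
    """Vendor name + volume name + serial number, in capitals.

    Vendor name is the part before '/' in usp's 'Vendor/product' line; the
    serial is the instance ID without the '&<n>' suffix that Windows appends
    to USB device instance IDs (assumption of this example).
    """
    vendor = fields["Vendor/product"].split("/")[0]
    volume = fields["Volume name"]
    serial = fields["Instance ID/Serial #"].split("&")[0]
    return (vendor + volume + serial).upper()


if __name__ == "__main__":
    rec = parse_usp_record(USP_RECORD)
    incident = incident_time_utc()
    print("incident (UTC):", incident, "| mounted:", mount_time_utc(rec))
    if mounted_near(rec, incident):
        print("key:", make_key(rec))
```

Running it prints the incident time as 06:24:28 UTC next to the 06:24:28.760 UTC mount time from the record, which is why the grep for `6:24:28` hits exactly this device.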

Issue 300

Find the answer.

We have a PNG image with a QR code.

After trying every online, offline and mobile decoder we could find, we concluded that the error is in the format information, the 15-bit field next to the finder patterns that tells the decoder which error-correction level and mask pattern the symbol uses:

[Image: the QR code with two regions marked: encoded data (including error correction code) and format information]

I took the first similar QR code found via http://www.tineye.com/ and transplanted its format information into our QR code using GIMP.

Result:

The answer is cue@1k0de
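The transplant works only because the donor's format information encodes the same error-correction level and mask pattern as the damaged symbol; with a different mask the decoder unmasks the data area with the wrong pattern and the payload comes out as garbage. The format field carries its own error correction, a BCH(15,5) code that corrects up to 3 flipped bits, so the more general fix is to read the 15 bits off the image and decode them to the nearest legal codeword, or, when too many bits are gone, to try all 32 legal words. The following is an added example (not code from the original write-up or from any decoder) that encodes and error-corrects the format word as specified in ISO/IEC 18004; the three-bit damage in the demo is constructed.

```python
"""Added example, not part of the original write-up: encode and error-correct
the 15-bit QR format information, the field the write-up found damaged.
Per ISO/IEC 18004 the field is 2 bits of error-correction level, 3 bits of
mask pattern and 10 BCH(15,5) check bits from the generator polynomial
x^10 + x^8 + x^5 + x^4 + x^2 + x + 1 (0x537), all XORed with 0x5412."""

EC_LEVEL_BITS = {"L": 0b01, "M": 0b00, "Q": 0b11, "H": 0b10}
GENERATOR = 0x537      # x^10 + x^8 + x^5 + x^4 + x^2 + x + 1
FORMAT_XOR = 0x5412    # fixed mask so the field can never be all zeros


def bch_check_bits(data5):
    """10 check bits: remainder of data5 * x^10 modulo GENERATOR over GF(2)."""
    rem = data5 << 10
    for bit in range(14, 9, -1):          # long division, highest term first
        if rem & (1 << bit):
            rem ^= GENERATOR << (bit - 10)
    return rem & 0x3FF


def encode_format(ec_level, mask):
    """The 15-bit format word as it appears in the symbol."""
    data5 = (EC_LEVEL_BITS[ec_level] << 3) | mask
    return ((data5 << 10) | bch_check_bits(data5)) ^ FORMAT_XOR


# All 32 legal format words, keyed by word -> (EC level, mask pattern).
VALID_FORMATS = {encode_format(ec, m): (ec, m) for ec in EC_LEVEL_BITS for m in range(8)}


def hamming(a, b):
    return bin(a ^ b).count("1")


def min_codeword_distance():
    """Minimum Hamming distance between legal words; 7 means 3 errors are correctable."""
    codes = list(VALID_FORMATS)
    return min(hamming(a, b) for i, a in enumerate(codes) for b in codes[i + 1:])


def decode_format(word):
    """Nearest-codeword decoding of a (possibly damaged) 15-bit format word.

    Returns (ec_level, mask, corrected_bits), or None when the nearest legal
    word is more than 3 bits away: beyond that the decode is unreliable and
    the 32 candidates have to be tried against the data area instead.
    """
    best = min(VALID_FORMATS, key=lambda code: hamming(code, word))
    dist = hamming(best, word)
    if dist > 3:
        return None
    ec, mask = VALID_FORMATS[best]
    return ec, mask, dist


if __name__ == "__main__":
    good = encode_format("L", 0)
    damaged = good ^ 0b0000_0000_0010_0101        # constructed: three flipped bits
    print(f"L/mask 0: {good:015b}  damaged: {damaged:015b}  -> {decode_format(damaged)}")
```

`encode_format("L", 0)` gives `0x77C4` (`111011111000100`), the value tables in the standard list for level L, mask 0; flipping any three of its bits still decodes to `("L", 0, 3)`. If a damaged symbol decodes to a word that is 4 or more bits from every legal one, painting in each of the 32 candidates in turn is the right move, which is what the transplant did for the one candidate the donor happened to carry.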

2 comments

Максим on April 25, 2011 at 13:37

    Our team also took part in Codegate, and we solved it more simply: we just shrank the picture by a factor of 2 to 2.5 and it was happily accepted by the online recognizer http://www.janones.com.br/portal/index/qrcode/. But apparently that was the wrong way to go about it. Just yesterday at Plaid CTF we could do nothing with the broken QR codes; the old trick did not work, whereas otherwise we would already have known which way to dig.

    Thank you for your blog. We will be reading your write-ups and are looking forward to the Plaid ones =)
