Tags: forensics ntfs windows 

Rating: 0

**Description**

> Agent Smith got this from Mr. Reagan, a EMP was activated nearby, or?

**Files provided**

- `mrreagan.tar.gz` - containing `mrreagan`, a disk image

**Solution**

After mounting the image, we see that it is an NTFS filesystem. We can see the `$RECYCLE.BIN` folder, the `System Volume Information` folder, but also an `EFSTMPWP`. If we search for `EFSTMPWP`, we [find](http://www.majorgeeks.com/content/page/what_is_the_efstmpwp_folder_and_can_you_delete_it.html) it is an artefact of using Cipher on Windows to erase data from empty space on a filesystem, thereby making it irrecoverable (unlike just unlinking a file). So this would be the EMP that the challenge description mentions. But the description also has a question mark!

We can open the image in [Autopsy](http://sleuthkit.org/autopsy/index.php), always useful for Windows forensics. And indeed, there are some orphan files:

![](https://raw.githubusercontent.com/Aurel300/empirectf/master/writeups/2018-05-31-SecurityFest/screens/mrreagan1.png)

![](https://raw.githubusercontent.com/Aurel300/empirectf/master/writeups/2018-05-31-SecurityFest/screens/mrreagan2.png)

All of these show some ASCII data that looks quite like Base64. One of them in particular produces `sctf{` after decoding, so clearly this is the right direction. But some of the others produce garbage? Let's extract the five files.

$ cat export/*
c2N0ZnszbD
NjdHIwbTRn
bjN0MWNfcH
VsNTNfdzRz
X2Y0azN9Cg
$ cat export/* | base64 -D
sctf{3l3ctr0m4gn3t1c_pul53_w4s_f4k3}

And now it works. The problem was that the Base64 data first needed to be concatenated, then decoded, otherwise the decoded bits were offset.

`sctf{3l3ctr0m4gn3t1c_pul53_w4s_f4k3}`