Tags: forensics ntfs windows 

**Description**

> Agent Smith got this from Mr. Reagan, an EMP was activated nearby, or?

**Files provided**

- `mrreagan.tar.gz` - containing `mrreagan`, a disk image

**Solution**

After mounting the image, we see that it is an NTFS filesystem. We can see the `$RECYCLE.BIN` folder, the `System Volume Information` folder, but also an `EFSTMPWP`. If we search for `EFSTMPWP`, we [find](http://www.majorgeeks.com/content/page/what_is_the_efstmpwp_folder_and_can_you_delete_it.html) it is an artefact of using Cipher on Windows to erase data from empty space on a filesystem, thereby making it irrecoverable (unlike just unlinking a file). So this would be the EMP that the challenge description mentions. But the description also has a question mark!

We can open the image in [Autopsy](http://sleuthkit.org/autopsy/index.php), always useful for Windows forensics. And indeed, there are some orphan files:

![](https://raw.githubusercontent.com/Aurel300/empirectf/master/writeups/2018-05-31-SecurityFest/screens/mrreagan1.png)

![](https://raw.githubusercontent.com/Aurel300/empirectf/master/writeups/2018-05-31-SecurityFest/screens/mrreagan2.png)

All of these show some ASCII data that looks quite like Base64. One of them in particular produces `sctf{` after decoding, so clearly this is the right direction. But some of the others produce garbage? Let's extract the five files.

```
$ cat export/*
c2N0ZnszbD
NjdHIwbTRn
bjN0MWNfcH
VsNTNfdzRz
X2Y0azN9Cg
$ cat export/* | base64 -D
sctf{3l3ctr0m4gn3t1c_pul53_w4s_f4k3}
```

And now it works. The problem was that the Base64 fragments had to be concatenated before decoding: decoded on their own, the fragment boundaries did not line up with Base64's 4-character groups, so the decoded bits were offset.
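To make the alignment problem concrete, the following is an added Python example (not part of the original writeup) that takes the five fragments exactly as `cat export/*` printed them and decodes them both ways: each fragment on its own, and all of them concatenated. It also reports the bit offset at which each fragment starts, which is what decides whether a fragment decodes to readable text or to garbage when handled in isolation.

```python
import base64

# Base64 fragments as recovered from the five orphan files in the writeup,
# in the order `cat export/*` printed them.
FRAGMENTS = [
    "c2N0ZnszbD",
    "NjdHIwbTRn",
    "bjN0MWNfcH",
    "VsNTNfdzRz",
    "X2Y0azN9Cg",
]


def _pad(text: str) -> str:
    """Append '=' until the length is a multiple of 4; Python's decoder requires it."""
    return text + "=" * (-len(text) % 4)


def bit_offsets(fragments):
    """Bit position, modulo 8, at which each fragment starts in the original data.

    Each Base64 character carries 6 bits, so a fragment is byte-aligned only when
    the characters before it carry a multiple of 8 bits. A fragment starting at
    offset 4 decodes to garbage when decoded on its own.
    """
    offsets, consumed = [], 0
    for fragment in fragments:
        offsets.append((consumed * 6) % 8)
        consumed += len(fragment)
    return offsets


def decode_each_separately(fragments):
    """Decode every fragment on its own (the first thing one usually tries).

    Byte-aligned fragments yield readable but truncated text (the leftover
    bits at their end are dropped); misaligned fragments yield garbage.
    """
    return [base64.b64decode(_pad(f)) for f in fragments]


def decode_concatenated(fragments):
    """Join the fragments first so the 4-character groups line up, then decode."""
    return base64.b64decode(_pad("".join(fragments)))


if __name__ == "__main__":
    parts = decode_each_separately(FRAGMENTS)
    for fragment, offset, part in zip(FRAGMENTS, bit_offsets(FRAGMENTS), parts):
        print(f"{fragment}  bit offset {offset}  alone -> {part!r}")
    print("concatenated ->", decode_concatenated(FRAGMENTS))
```

Because each fragment is 10 characters (60 bits), fragments 1, 3 and 5 happen to start on a byte boundary and decode to readable pieces of the flag, while fragments 2 and 4 start 4 bits into a byte and come out as garbage; that is exactly the mix of "looks like Base64" and "decodes to junk" seen in Autopsy. The general lesson for carved or orphaned data is to reassemble the fragments in order first and decode the whole only afterwards.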

`sctf{3l3ctr0m4gn3t1c_pul53_w4s_f4k3}`

Original writeup (https://github.com/Aurel300/empirectf/blob/master/writeups/2018-05-31-SecurityFest/README.md#51-misc--mrreagan).