Tags: partial stegano forensics wtf 

Rating: 4.0

dotsu – July 24, 2018, 2:21 p.m.

There's an encrypted 7zip after the mkv in the dump file (the original 7z header is modified to 1z); just use the sentence to decrypt it.

Pharisaeus – July 24, 2018, 4:51 p.m.

Thx @dotsu! We knew we must have missed something. We've seen in the dump some overwritten PY and 7Z files, but didn't think about it much.
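
An added example, not part of the original thread, of finding an archive like the one dotsu describes: it scans a dump for a 7z signature whose first two bytes were altered, confirms each hit against the StartHeaderCRC field of the 7z signature header, and restores the magic. The function names and the sample dump are constructed for illustration.

```python
import struct
import zlib

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
MAGIC_TAIL = SEVENZ_MAGIC[2:]  # bytes left intact when only "7z" is altered
HEADER_LEN = 32                # fixed-size 7z signature header


def carve_7z(dump: bytes):
    """Return [(offset, repaired_archive)] for 7z archives whose first two
    magic bytes may have been changed (e.g. "1z" instead of "7z")."""
    found = []
    pos = dump.find(MAGIC_TAIL, 2)
    while pos != -1:
        start = pos - 2
        header = dump[start:start + HEADER_LEN]
        if len(header) == HEADER_LEN:
            (start_crc,) = struct.unpack_from("<I", header, 8)
            next_off, next_size, _ = struct.unpack_from("<QQI", header, 12)
            # StartHeaderCRC covers the 20 bytes that follow it; a match
            # rules out chance occurrences of the 4-byte tail.
            if zlib.crc32(header[12:32]) == start_crc:
                end = start + HEADER_LEN + next_off + next_size
                if end <= len(dump):
                    found.append((start, SEVENZ_MAGIC + dump[start + 6:end]))
        pos = dump.find(MAGIC_TAIL, pos + 1)
    return found


def constructed_dump() -> bytes:
    """Constructed sample: filler bytes, then a "1z" header with placeholder
    bodies (layout only, not a real compressed archive)."""
    packed, next_hdr = b"A" * 16, b"B" * 8
    start_hdr = struct.pack("<QQI", len(packed), len(next_hdr),
                            zlib.crc32(next_hdr))
    sig_hdr = (b"1z" + MAGIC_TAIL + b"\x00\x04"
               + struct.pack("<I", zlib.crc32(start_hdr)))
    return b"MKVDATA" * 5 + sig_hdr + start_hdr + packed + next_hdr + b"trailing"


if __name__ == "__main__":
    for off, archive in carve_7z(constructed_dump()):
        print(f"offset {off}: {len(archive)} bytes, magic {archive[:6]!r}")
```

Each repaired archive can be written to a file and opened with a 7z tool using the password.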