Rating:

# VolgaCTF Quals 2015: Russian doll

----------
## Challenge details
| Contest | Challenge | Category | Points |
|:---------------|:--------------|:----------|-------:|
| VolgaCTF Quals 2015 | Russian doll | Forensics | 300 |

**Description:**
>*Russian doll*

>*We got a strange file, can you find a flag in it image*

----------
## Write-up

We are given a 500MB file called "russian_doll.iso" about which file has to say the following:

>```bash
> file russian_doll.iso
>
> russian_doll.iso; x86 boot sector, code offset 0x58, OEM-ID "-FVE-FS-", sectors/cluster 8, reserved sectors 0, Media descriptor 0xf8, heads 255, hidden sectors 46626816, FAT (32 bit), sectors/FAT 8160, reserved3 0x800000, serial number 0x0, unlabeled
>```

The "-FVE-FS-" OEM-ID indicates we are probably dealing with a [bitlocker encrypted volume](http://www.forensicswiki.org/wiki/BitLocker_Disk_Encryption). So we fire up [Diskinternals EFS recovery](http://www.diskinternals.com/efs-recovery/) and mount russian_doll.iso as a raw disk image. In the Diskinternals EFS recovery interface we can now see the volume name which contains the pass (WIN-VQ2T0GLLBKC pss : d@7raLzVolg@CTF):

![alt recovery1](recovery1.png)

Next we perform recovery on disk (choosing Fast EFS recovery), enter the password (d@7raLzVolg@CTF) and after being notified no deleted files have been recovered we are presented with an overview of the folders and files in the volume:

![alt recovery2](recovery2.png)

The volume contains only a single file called "flag.gif" which we can preview (but not save in our trial version):

![alt recovery3](recovery3.png)

Taking a look at the file with the built-in hex viewer we can see the flag all the way down at the end of the file:

![alt recovery4](recovery4.png)

Giving us the flag:

>*{fkw2pef460hlcm2vefvblowmfldqaw34volgactf}*

Original writeup (https://github.com/smokeleeteveryday/CTF_WRITEUPS/tree/master/2015/VOLGACTF/forensics/russiandoll).