Root-me.org

Job interview

Hide-and-seek

We’re given an EWF/EnCase image and need to find some kind of flag.

I’ve seen this before. We’ll install a package to be able to extract its content.

file image_forensic.e01 
image_forensic.e01: EWF/Expert Witness/EnCase image file format

sudo apt-get install ewf-tools

ewfexport image_forensic.e01 
ewfexport 20140608

Information for export required, please provide the necessary input
Export to format (raw, files, ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, encase7, encase7-v2, linen5, linen6, linen7, ewfx) [raw]: 
Target path and filename without extension or - for stdout: data
Evidence segment file size in bytes (0 is unlimited) (0 B <= value <= 7.9 EiB) [0 B]: 
Start export at offset (0 <= value <= 9431040) [0]: 
Number of bytes to export (0 <= value <= 9431040) [9431040]: 

Export started at: Mar 22, 2018 11:30:11
This could take a while.

Export completed at: Mar 22, 2018 11:30:11

Written: 8.9 MiB (9431040 bytes) in 0 second(s).
MD5 hash calculated over data:		ba74f9213ff89221eb9b68cd03ff0242
ewfexport: SUCCESS

We choose to export the content in raw format and give a target filename (data in my case).

Once that’s done, we get a file. Let’s run file on it.

file data.raw
data.raw: POSIX tar archive (GNU)

A tar archive, let’s extract it.

tar xvf data.raw
bcache24.bmc

We now have a .bmc file. More info -> https://fileinfo.com/extension/bmc

We’ll fetch a script that extracts everything stored inside it.

wget https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py

BMC-tools will allow us to extract all of the bitmap files.

mkdir bcache_extract

python bmc-tools.py -s bcache24.bmc -d ./bcache_extract/
[+++] Processing a single file: 'bcache24.bmc'.
[===] Successfully exported 575 files.

575 files. That’s a lot of files to go through.

We can use eog (Image Viewer) or GIMP to browse through the images.

Somewhere inside we can see the flag.
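As an added example (not code from the writeup or from bmc-tools), a small Python triage helper for the first steps above: it classifies the container from its magic bytes the way file did, checks the exported raw against the MD5 that ewfexport prints, and unpacks the tar without letting a crafted member escape the output directory. The magic values are taken from the EWF and tar formats, the sample archive is constructed by the script itself, and demo() is a hypothetical name.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# Signatures from the two formats met in the writeup (not from the page):
# an EWF/EnCase segment starts with "EVF\x09\x0d\x0a\xff\x00", a POSIX tar
# carries "ustar" at offset 257 of its first 512-byte header.
EWF_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"

def identify(head: bytes) -> str:
    """Classify a file from its first bytes: 'ewf', 'tar' or 'unknown'."""
    if head.startswith(EWF_MAGIC):
        return "ewf"
    if len(head) >= 262 and head[257:262] == b"ustar":
        return "tar"
    return "unknown"

def md5_matches(path, expected: str) -> bool:
    """Compare an exported raw image with the MD5 ewfexport reported."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected.lower()

def safe_extract(archive, dest) -> list:
    """Unpack a tar found in evidence, skipping members that would land
    outside dest (../ traversal, absolute names) and any symlink/hardlink."""
    dest = Path(dest).resolve()
    kept = []
    with tarfile.open(archive) as tar:
        for m in tar.getmembers():
            target = (dest / m.name).resolve()
            if target != dest and dest not in target.parents:
                continue  # would write outside the extraction directory
            if m.issym() or m.islnk():
                continue  # links in an untrusted tar are not worth following
            tar.extract(m, dest)
            kept.append(m.name)
    return kept

def demo() -> dict:
    """Constructed sample: a fake bcache24.bmc plus one traversal member."""
    work = Path(tempfile.mkdtemp()); raw = work / "data.raw"
    with tarfile.open(raw, "w") as tar:
        for name, body in (("bcache24.bmc", b"RDP8bmp"), ("../escape.txt", b"x")):
            info = tarfile.TarInfo(name); info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    out = work / "bcache_extract"; out.mkdir()
    return {"kind": identify(raw.read_bytes()[:512]),
            "md5_ok": md5_matches(raw, hashlib.md5(raw.read_bytes()).hexdigest()),
            "members": safe_extract(raw, out), "escaped": (work / "escape.txt").exists()}
```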