BTLO- Forensics Challenge(Employee of the year)

5 min readMar 20, 2022

This is a writeup of forensics challenge Employee of the year from Blue Team Labs Online.This was my first forensics challenge i explored new forensics tools and techniques.

We will learn how to analyze disk image files using foremost.We will analyze pdf files with pdf-parser to discover artifacts.We will use strings utility to discover original file names before deletion of files,also getting lay of the land of the disk in Question.

Downloading the Challenge

We are given a zip file which contains our challenge files

we download and unzip it

we are given disk image file. we will use a forensics tool called foremost which is available by default on kali linux.This was my first time i heard of this tool so i opened up its man page read its documentation.This tool will try to recover the files present on the disk image when it was created. we get a output directory containing recovered objects

Question 1 : What is the text written on the recovered gif image?

we move to gif directory and open the gif for the answer

Answer : GoodJobDefender

Now our next 3 questions are to recover three flags

After some poking around,i ran strings command on original diskimage and we have some filenames which hints us to which flag is which

we can recover Flag1.png by going to recovered png file and opening it

Flag 1 :

Answer : FLAG1:WELOVEBTLO

Now onto Flag2.Since we know its in docx file so we want to work on a word file.But we dont HAVE a word document in recovered files.

we had a zip directory and we unzip in hope for a docx document but we get xml files and some more things.I didnt know what to do with these.So i researched and found that word documents are just series of xml files,which i didnt know. I read this great blog explaining this relationship and how word documents are constructed underneath.

I tried reconstructing the xml files in a readible word document but remained unsuccessful in that.From the above article,we know that document.xml is the main document file so i opened it in editor and tried making sense of it until i spotted something looking like base64 encoded text

so i decoded it and voila,we got our second flag

FLAG 2 :

Answer : FLAG2:ASOLIDDEFENDER

We know our flag3 is in a pdf file so we move to the recovered pdf file and open it.We see this

So i researched on how pdf forensics work and i found a tool named pdf-parser and pdf-id which tells us meta info like,embedded files,objects etc

I used pdf-parser to slice the pdf into raw-objects and found in Author metadata our flag,which has some characters hex encoded

so i open up a ascii conversion table and convert

%3A is decoded as “:”

%40 is decoded as “@”

%24 is decoded as “$”

so we extracted our flag3 too

FLAG 3 :

Answer : FLAG3:@BLU3T3AM$0LDI3R

Question5 :What is the filesystem of the provided disk image?

I struggled at this point for sometime because i couldnt find how to determine filesystem from a disk image file . I used many forensics disk tools to determine the filesystem type but all of them returned same output

“Could not determine filesystem type”

I was almost fed up but fortunately i found the answer in a ubuntu-forum

In short ,only way to determine the filesystem type was to mount it on our filesystem .This was way too much work since i had to create a seperate partition to avoid corrupting my own filesystem.Thankfully cfdisk utility mounts it in a virtual-space ,allowing us to navigate the disk.