Skip to content

Latest commit

 

History

History

exchanges

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
public
public
 
 
solution
solution
 
 
README.md
README.md
 
 

README.md

Exchanges

Category: forensics

Author: voldemort

Description

I can't seem to open the file. Did Jolene corrupted it?

Solution

Reveal Spoiler

Episode4 (NTFS was crippled as below => Jolene.txt is the flag file and it is an MFT resident file.) Hint 1: Resident is the game, MFT is the place Hint 2: Jolene looks nice in Unicode Flag: I’m gonna be a radical.

Original Modified

$MFT $BadClus $MFTMirr $MFT $Logfile $MFTMirr $Volume $Logfile $AttrDef $AttrDef Root dir $Volume $Bitmap $Bitmap $Boot $Boot $BadClus Root dir $Secure $Secure $Upcase $Upcase $Extend $Extend

Solution 1: Open image in Active@ Partition Recovery, Advance Search, SuperScan -> Poor result -> it will appear in the file system structure) Solution 2: Mount with FTK Imager as Physical & Logical, Block Device/Read Only, Open in Active@ Disk Editor the Volume, search for Jolene in UTF8 or fix the MFT records as above to get the filesystem to be displayed properly in Explorer and any other tool such as FTK Imager.

$MFT (record 1) 46494C453000030095161000000000000100010038000100A001000000040000000000000000000007000000000000000200000000000000100000006000000000001800000000004800000018000000C39B98045E23D701C39B98045E23D701C39B98045E23D701C39B98045E23D70106000000000000000000000000000000000000000001000000000000000000000000000000000000300000006800000000001800000003004A000000180001000500000000000500C39B98045E23D701C39B98045E23D701C39B98045E23D701C39B98045E23D701004000000000000000400000000000000600000000000000040324004D00460054000000000000008000000048000000010040000000060000000000000000003F0000000000000040000000000000000000040000000000000004000000000000000400000000002140AA2A00000000B00000005000000001004000000005000000000000000000010000000000000040000000000000000020000000000000081000000000000008100000000000002101A92A21017CD50000000000000000FFFFFFFF0000000000000400000000002140AA2A00000000B00000005000000001004000000005000000000000000000010000000000000040000000000000000020000000000000081000000000000008100000000000002101A92A21017CD50000000000000200FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200

$MFTMirr (record 2) 46494C4530000300DB1610000000000001000100380001005801000000040000000000000000000004000000010000000200000000000000100000006000000000001800000000004800000018000000C39B98045E23D701C39B98045E23D701C39B98045E23D701C39B98045E23D701060000000000000000000000000000000000000000010000000000000000000000000000000000003000000070000000000018000000020052000000180001000500000000000500C39B98045E23D701C39B98045E23D701C39B98045E23D701C39B98045E23D701001000000000000000100000000000000600000000000000080324004D00460054004D00690072007200000000000000800000004800000001004000000001000000000000000000000000000000000040000000000000000010000000000000001000000000000000100000000000001101020000000000FFFFFFFF00000000120000000102000000000005200000002002000000000000800000004800000001004000000001000000000000000000000000000000000040000000000000000010000000000000001000000000000000100000000000001101020000000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200

$Logfile (record 3) 46494C4530000300211710000000000002000100380001005801000000040000000000000000000004000000020000000200000000000000100000006000000000001800000000004800000018000000C39B98045E23D701C39B98045E23D701C39B98045E23D701C39B98045E23D701060000000000000000000000000000000000000000010000000000000000000000000000000000003000000070000000000018000000020052000000180001000500000000000500C39B98045E23D701C39B98045E23D701C39B98045E23D701C39B98045E23D701000020000000000000002000000000000600000000000000080324004C006F006700460069006C006500000000000000800000004800000001004000000001000000000000000000FF010000000000004000000000000000000020000000000000002000000000000000200000000000220002A828000000FFFFFFFF00000000120000000102000000000005200000002002000000000000800000004800000001004000000001000000000000000000FF010000000000004000000000000000000020000000000000002000000000000000200000000000220002A828000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200

$Volume (record 4) 46494C4530000300551A10000000000003000100380001007001000000040000000000000000000006000000030000000200000000000000100000006000000000001800000000004800000018000000C39B98045E23D701C39B98045E23D701C39B98045E23D701C39B98045E23D701060000000000000000000000000000000000000001010000000000000000000000000000000000003000000068000000000018000000010050000000180001000500000000000500C39B98045E23D701C39B98045E23D701C39B98045E23D701C39B98045E23D7010000000000000000000000000000000006000000000000000703240056006F006C0075006D00650060000000280000000000180000000400100000001800000045007000690073006F00640065003400700000002800000000001800000005000C0000001800000000000000000000000301800000000000800000001800000000001800000003000000000018000000FFFFFFFF000000000000180000000400100000001800000045007000690073006F00640065003400700000002800000000001800000005000C0000001800000000000000000000000102840000000000800000001800000000001800000003000000000018000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200

Root Directory (record 6) 46494C453000030067351000000000000500010038000300200300000004000000000000000000000A000000050000000600300000000000100000004800000000001800000000003000000018000000C39B98045E23D701CCB84E3B5E23D701CCB84E3B5E23D701C19C024E5F23D701060000000000000000000000000000003000000060000000000018000000010044000000180001000500000000000500C39B98045E23D701C39B98045E23D701C39B98045E23D701C39B98045E23D70100000000000000000000000000000000060000100000000001032E000000000050000000000100000000180000000200E40000001800000001000480CC000000D800000000000000140000000200B8000800000000001800FF011F0001020000000000052000000020020000000B1800000000100102000000000005200000002002000000001400FF011F00010100000000000512000000000B14000000001001010000000000051200000000001400BF01130001010000000000050B000000000B1400000001E001010000000000050B00000000001800A900120001020000000000052000000021020000000B1800000000A0010200000000000520000000210200000101000000000005120000000101000000000005120000000000000090000000580000000004180000000600380000002000000024004900330006003000000001000000001000000100000010000000280000002800000001000000000000000000000018000000030000000000000000000000A000000050000000010440000000080000000000000000000000000000000000480000000000000000100000000000000010000000000000001000000000000024004900330030001101240000000000B000000028000000000418000000070008000000200000002400490033003000010000000000000000010000680000000009180000000900380000003000000024005400580046005F0044004100540041000000000000000500000000000500010000000100000000000000000000000000000000000000000000000000000000000000000000000200000000000000FFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000600

$BadClus (record 9) 46494C4530000300F31710000000000008000100380001007801000000040000000000000000000005000000080000000300000000000000100000006000000000001800000000004800000018000000C39B98045E23D701C39B98045E23D701C39B98045E23D701C39B98045E23D701060000000000000000000000000000000000000000010000000000000000000000000000000000003000000070000000000018000000030052000000180001000500000000000500C39B98045E23D701C39B98045E23D701C39B98045E23D701C39B98045E23D7010000000000000000000000000000000006000000000000000803240042006100640043006C0075007300000000000000800000001800000000001800000002000000000018000000800000005000000001044000000001000000000000000000FE7F000000000000480000000000000000F0FF070000000000F0FF07000000000000000000000000240042006100640002FF7F0000000000FFFFFFFF0000000000001800000002000000000018000000800000005000000001044000000001000000000000000000FE7F000000000000480000000000000000F0FF070000000000F0FF07000000000000000000000000240042006100640002FF7F0000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300