NorthSec 2017 – Forensic Track 3 – Solver

See posts with solvers for Forensic Track 1 and Track 2.

Grab source files from here. Password is %185lMM@w0e!1ar6Rs\|?rqMX4(Lh!0y


Scenario: Stream

By using exploits from an NSSA leak, foreign hackers were able to take control of Crisco networking equipment at the presidential palace and capture network traffic from the palace network on two different occasions.

News rumors would indicate that Rao spends a lot of the time watching television. You are part of the foreign hacker group and need to learn as much as you can about Rao’s television patterns in order to undermine his election campaign.

Flag is the lowercase of the SHA-256 of the answer.


Q1. What is the name of the streaming service used?

Provide the answer in lowercase.


  • Open pcap and inspect TCP flows with large overall sizes
  • Inspect name resolution for these IP addresses and identify service name: netflix

Flag: 13ed070478ef62c3a7baa36c8d042a9d1cdc0fcbb2af93a795f2ad20ad6e9cb5


Q2. What is the IP address of the server from which the video stream is downloaded?

The media streaming consists of two parallel streams, a video stream and an audio stream.


  • From TCP flows, identify IP addresses used for audio/video traffic
  • We expect the video traffic to be larger than the audio traffic – extract IP of larger flows:

Flag: b59d23af2b34f31faf9fd3954e18084f78400b0fd4383663dae5740f5b8f9539


Q3. The client downloaded the video stream using multiple concurrent connections. What are all of these connections?

Provide answer in the form of a list of TCP connection source ports, in ascending order, for example: 1001,1002,1003


  • Identify 4 parallel TCP connections to the IP, initiated from ports: 53002, 53005, 53011 and 53024

Flag: 2c02ff6626e0260fc855d25326a6674b973b04d2b525a6e169945640e70e5746


Q4. What is the size of the first application-data-unit (ADU) from the video stream download connections that is larger than 200,000 bytes?

Provide the answer in decimal format, with no thousands separator.


  • Google “application data unit” and Netflix and find CODASPY 2017 paper describing technique for deanonymizing Netflix videos
  • Understand concept of ADU and be outraged to find out that adudump tool used by researchers is not publicly available
  • Read adudump paper and implement your own ADU dump tool
  • Extract the size of the first large ADU: 337162

Flag: 9d7d42c96d7a365d83ee3848f3c080b080789b6a55379bf1f03ae3cc6ffb0ef9


Q5. What is the name of the episode being streamed?

Provide the answer in the format:
[Series Name]/Season [Season Number] : Episode [Episode Number]

For example, if Rao was watching the season 2 premiere, the response format would be: Mythbusters/Season 2 : Episode 1

PS: A modern encrypted connection, when compared to an encrypted connection from March-May 2016 from a specific database, has roughly 350 additional bytes of overhead.


  • Understand that you need to subtract 350 from the ADU sizes you measure to be able to use the database and detector from the CODASPY 2017 paper
  • Also understand that the CODASPY 2017 paper makes no mention of multiple parallel connections to streaming servers and at this point be happy that you implemented your own ADU dump tool that you can adjust to handle this
  • Extract ADU sizes from pcap file
  • Run against detector and obtain series Broadchurch/Season 2 : Episode 3

Flag: 75788a50f886316d2e687cf179875314558e98b410f7998573910e1ea688ff1f
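
The ADU extraction used in Q4 and Q5, sketched as an added example (not the author's tool and not adudump): it delimits server-to-client ADUs per connection, interleaves the parallel connections from Q3 by start time, and removes the 350-byte overhead. The packet tuples are constructed sample data, and the record layout, `extract_adus`, `to_database_scale` and `_exchange` are hypothetical names; retransmissions are assumed to be removed already.

```python
# Added example: ADU sizes from packet records (constructed data, not the nsec pcap).
TLS_OVERHEAD = 350                              # per-ADU overhead given in the Q5 text
VIDEO_PORTS = {53002, 53005, 53011, 53024}      # client source ports from Q3

def extract_adus(packets, ports=VIDEO_PORTS, min_size=200_000):
    """Return server-to-client ADU sizes ordered by the time each ADU started.

    packets: (timestamp, client_port, direction, payload_len) tuples, direction
    "c2s" or "s2c", retransmissions already removed (assumption). Inside one
    connection an ADU is a run of payload in one direction; it ends when the
    peer sends payload of its own.
    """
    open_adu = {}                                # client_port -> [start_ts, bytes]
    done = []                                    # (start_ts, size)
    for ts, port, direction, length in sorted(packets):
        if port not in ports or length == 0:     # other flows, bare ACKs
            continue
        if direction == "s2c":
            open_adu.setdefault(port, [ts, 0])[1] += length
        elif port in open_adu:                   # next request closes the response ADU
            done.append(tuple(open_adu.pop(port)))
    done.extend(tuple(adu) for adu in open_adu.values())   # still open at end of capture
    done.sort()                                  # interleave the parallel connections
    return [size for _, size in done if size > min_size]

def to_database_scale(sizes):
    """Remove the extra overhead so sizes compare with the March-May 2016 database."""
    return [size - TLS_OVERHEAD for size in sizes]

def _exchange(ts, port, total, mss=1460):
    """Constructed traffic: one request, then `total` response bytes in MSS-sized segments."""
    pkts, sent = [(ts, port, "c2s", 420)], 0
    while sent < total:
        step = min(mss, total - sent)
        sent += step
        pkts.append((ts + 0.001 + sent * 1e-7, port, "s2c", step))
    return pkts

# Constructed sample: video connections plus one unrelated flow (port 53001).
SAMPLE = (_exchange(1.0, 53002, 150_000) + _exchange(1.1, 53001, 900_000)
          + _exchange(1.2, 53005, 337_162) + _exchange(1.3, 53011, 412_350)
          + _exchange(2.0, 53002, 250_350))

if __name__ == "__main__":
    sizes = extract_adus(SAMPLE)
    print(sizes, to_database_scale(sizes))
```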


Q6. What is the name of the movie being streamed?


  • Run previously developed ADU Dump tool on pcap and extract ADU sizes
  • Attempt to run sizes against detector and identify that no match is found
  • Inspect database from CODASPY and conclude that it contains the full list of ADU sizes for each series / movie, in multiple resolutions
  • Identify that the size of the ADUs from the nsec pcap corresponds to 4k Ultra HD and that CODASPY database does not contain sizes for this resolution
  • Implement your own Pearson correlation algorithm and run it only against the highest resolution streams from the database
  • Identify movie: Ip Man

Flag: 108af717d4962a99fd56d93180d649ee4e7f0ff8c2c212a0d910f6b7bc6e4259
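
The Pearson matching step from Q6, as an added example (not the author's code or the CODASPY detector): because the coefficient ignores scale and offset, a run of observed ADU sizes can be slid along each title's highest-bitrate size list even when the observed resolution is missing from the database. The titles, bitrates and sizes are constructed, the database layout is hypothetical, and the example assumes segment sizes scale roughly proportionally between resolutions.

```python
from math import sqrt

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(x)
    mean_x, mean_y = sum(x) / n, sum(y) / n
    cov = sum((a - mean_x) * (b - mean_y) for a, b in zip(x, y))
    dev_x = sqrt(sum((a - mean_x) ** 2 for a in x))
    dev_y = sqrt(sum((b - mean_y) ** 2 for b in y))
    return cov / (dev_x * dev_y) if dev_x and dev_y else 0.0

def best_match(observed, database):
    """Return (r, title, offset) of the best-correlating window.

    database: {title: {bitrate_kbps: [segment sizes]}} (hypothetical layout).
    Only the highest bitrate of each title is compared, as in the write-up.
    """
    results = []
    for title, streams in database.items():
        reference = streams[max(streams)]
        best = (-1.0, 0)
        for offset in range(len(reference) - len(observed) + 1):
            window = reference[offset:offset + len(observed)]
            best = max(best, (pearson(observed, window), offset))
        results.append((best[0], title, best[1]))
    return max(results)

# Constructed database: two titles, two bitrates each (sizes in bytes).
DATABASE = {
    "Title A": {1050: [75_000, 120_000, 70_000, 131_000, 93_000, 55_000, 126_000, 82_000],
                5800: [410_000, 655_000, 380_000, 720_000, 510_000, 300_000, 690_000, 450_000]},
    "Title B": {1050: [91_000, 95_000, 88_000, 128_000, 64_000, 117_000, 71_000, 111_000],
                5800: [500_000, 520_000, 480_000, 700_000, 350_000, 640_000, 390_000, 610_000]},
}

# Constructed observation: "Title A" segments 2..6 at about 2.6x the size, plus small jitter.
OBSERVED = [993_000, 1_864_000, 1_329_000, 786_000, 1_790_000]

if __name__ == "__main__":
    print(best_match(OBSERVED, DATABASE))
```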

NorthSec 2017 – Forensic Track 2 – Solver

See posts with solvers for Forensic Track 1 and Track 3.

Grab source files from here. Password is %185lMM@w0e!1ar6Rs\|?rqMX4(Lh!0y


Scenario: Genetic

Our Dear Leader possesses physical and mental capacities that are super-natural and that are not held by any other person. To help humanity benefit from these traits, Rao generously provided blood and brain samples which were collected and mixed with random samples from normal individuals before being provided to a team of geneticists for a blinded analysis.

Mass spectrometry analysis of the blood serum and cerebral fluid revealed abnormally high levels of SuperX, a protein which activates the FOXO1 and NFKB transcription factors. Individuals with even trace levels of the SuperX protein are highly rare, have high resistance to diseases and possess increased muscle strengths and intellectual abilities. The levels detected in the samples from our Dear Leader have never been recorded before, to the amazement of the entire scientific community.

A small opposition group that questions the validity of these results asked you to analyze the photos released by our Dear Leader’s election campaign.

Flag is the lowercase of the SHA-256 of the answer.


Q1. What cryovial in the picture Q1-cryovial.jpg was tampered with?

Provide the answer in the form F2-Q1-x-y, where x and y are the coordinates of the cryovials in the tray on the horizontal and vertical axis, respectively, with the top left tube having coordinates x=1 and y=1.

For example, if the picture was tampered around the tube with label “AT 044”, the correct answer format would be: F2-Q1-2-6


Flag: d4e81eb6b11d76177711236af53c355780d7c9f3a127bc081e6d48fb98a090fd

Original Photo (left) vs. ELA result (right)


Q2. What piece of equipment in the picture Q2-equipment.jpg was tampered with?

Provide the answer in the form F2-Q2-x-y, where x and y are the rounded coordinates in pixels from the picture of the center of mass of the area that was tampered with. The rounding will be performed to the closest 50 pixels.

For example, if the area of the picture that was tampered with was the label of the squeeze-bottle, more specifically, the rectangular white area to the right of the black “X” sign on the orange background, to determine the correct answer, you would:

  • Find the approximate center of mass of this area (1116, 1056), for example drawing lines from the corners of the rectangle (see Q2-answer-format-help.jpg)
  • Round to the closest 50 pixels and obtain coordinates (1110, 1050)
  • Submit answer F2-Q2-1110-1050


  • Perform Image Clone Detection – can also be done with Forensically
  • Because photo is large, Clone Detection can take a bit of time – optionally, cut image in smaller chunks
  • Analyze highlighted areas, remove false-positives and identify that the markings on the pipette gun were modified in the photo
  • Submit answer F2-Q2-1600-250

Flag: d4e81eb6b11d76177711236af53c355780d7c9f3a127bc081e6d48fb98a090fd

Forensically Clone Detection (Min Similarity 0.20, Min Detail 0.73, Min Cluster Size 10, Block Size 4, Max Image size 1600) on image of roughly 1600 x 1100 pixels.


Q3. What area in the picture Q3-area.jpg was tampered with?

Provide the answer in the form F2-Q3-x-y, where x and y are the rounded coordinates in pixels from the picture of the center of mass of the area that was tampered with. The rounding will be performed to the closest 25 pixels.


  • Perform Noise Analysis – Forensically to the rescue again
  • Identify several low-noise hotspots, some of which are due to overexposure
  • Analyze low-noise areas on falcon tubes labels
  • The labels on the three front-most falcon tubes have low noise – this occurs on all areas of the label and is simply due to good light exposure on those areas
  • The label on the right-most large falcon tube, the only tube in the middle row, has low noise but only on the bottom half – the areas with the same brightness at the top of the label do not show the same low noise
  • Submit answer F2-Q3-1675-1050

Flag: bdc17e438e079c5457823f2e6a64baecc30d5c6a8f3c58c68e58c00a9d6b47f2

Forensically Noise Detection, opacity 0% (left), opacity 50% (middle), opacity 100% (right)


Q4. How many cryovials were in the picture Q4-redacted.jpg?

Provide the answer in the form F2-Q4-c, where c is the number of cryovials.


  • Extract embedded JPEG thumbnail image
  • Count visible cryovials
  • Submit answer F2-Q4-42

Flag: bbe872041ba6726059b622cb52f54abf32a2c6f812129bd5c4e3660107389fc3


Q5. The propaganda audio file Q5-propaganda.wav was tampered with to remove a portion of the speech. At what location did the tampering occur?

Provide the answer in the form F2-Q4-t, where t is the time from the start of the audio file, in the format m:ss.fff, rounded to the closest 100 millisecond.

For example, if the tampering occurred at minute 1, second 2, millisecond 345, the correct answer format is F2-Q4-1:02.300


  • Open file in audio editor
  • Inspect audio file properties and identify that it is Wave Uncompressed 32-bit. Contrary to a 16-bit MP3, this will allow for recovery of sound details in areas that might not be perceptible by the human ear
  • Inspect silent 1.7 seconds portion at the beginning of the file and identify that audio spectrogram shows traces of low-volume sound
  • Normalize volume for this silent portion and identify that this is noise from a crowded area
  • Conclude that if portions of the speech were cut in the pauses between the phrases, this would show in the background noise
  • Analyze the background noise between each pause in the speech, by normalizing the volume, listening to noise and inspecting spectrogram
  • Identify that pause between speech from 0:15.7 and 0:16.2 shows a cut at 0:16.0. The sound of a baby crying as well as other background sounds all stop at the same time
  • Submit answer in correct format F2-Q5-0:16.000

Flag: b4907d70f93528dc62bcbafefedb374e5f879b27cf62a690790589a89bf649d8

NorthSec 2017 – Forensic Track 1 – Solver

As is customary, here is the solver of the Forensic Track 1 from this year’s competition. Solvers for Forensic Track 2 and Track 3 are also available.

If you don’t have a copy of the source files anymore, you can grab them from here. Password is %185lMM@w0e!1ar6Rs\|?rqMX4(Lh!0y


Scenario: Formats

The elections for the Intricate Kingdom of Rao are underway. In an effort to prevent any sort of election voter fraud, our Dear Leader assigned a special team of digital forensic investigators to analyze some of the computers of election officials in order to bring to light any acts of wrongdoing.

Flag is the lowercase of the SHA-256 of the answer.


Q0. What is the official start date and time of our Dear Leader’s campaign?

Provide the answer in the format YYYY-MM-DD hh:mm:ss, in local time.

PS: The official start date and time of Rao’s campaign is Fri, May 19, 5:30pm ET.

Hint: There is only one local time: Rao’s Intricate Kingdom local time. At the competition, you are in Rao’s Intricate Kingdom.


  • From description and hints, understand that local time is competition local time
  • Time provided is already in local time, convert to required format: 2017-05-19 17:30:00

Flag: 69fe5e9d73aae5117430c5bd580131fe9ec65a52b8672fbcf80edac85c5727ce


File memory.bin contains a memory capture of an election official’s computer.
Q1. A file with the name “secret.pdf” was present on a drive connected to the election official’s computer. What is the full path of the file?

The answer is the case-sensitive path, the way it would be displayed to the user.

Hint: If you are using a memory parsing tool and the information obtained from this tool does not produce the correct flag, you might need to dump the tool and do the analysis manually.


  • If you try to use volatility, it finds the MFT FILE record from the “secret.pdf” file that resided on the external drive and when attempting to reconstruct the path, volatility attaches this file incorrectly to a parent folder C:\Program Files\Windows Apps\Microsoft.Messaging_3.26.24002.0_x64_8wekyb3d8bbwe_AppxMetadata. This is not the correct answer.
  • Open the memory file in a hex editor and find a unicode reference of “secret.pdf” in path \Device\HarddiskVolume3\parties\NDP\secret.pdf at location 0x43AEE360
  • Search for “party” and find a unicode reference to path E:\Parties at location 0x43B88B4C
  • Conclude that the correct path is E:\parties\NDP\secret.pdf

Flag: c5a54615b2948592ad448f3de996c463392c89dd9ee345c9ac56be1ffe28df47


Q2. What is the last modified date of the “secret.pdf” file?
Provide the answer in the format YYYY-MM-DD hh:mm:ss, in local time.


  • Search for “secret.pdf” and find MFT FILE record at offset 0x25D5F000
  • Parse MFT FILE record (ex: manually, volatility, Nuix) and extract the last modified date 2017-01-16 16:15:04 UTC
  • Convert to local time and required format 2017-01-16 11:15:04

Flag: 78ac2640bbbe7cd4e9caad75ea33156c3aeaed12f5ef2a4ffd5b0229018179cc
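
Parsing the record by hand, as an added example (not the author's code): it walks the attributes of an MFT FILE record, reads the four FILETIME values of $STANDARD_INFORMATION and converts the modification time to local time. The sample record is constructed to carry the timestamp quoted above, the fixed UTC-5 offset is an assumption for the competition's local time in January, and update-sequence fixups are not applied because they do not touch this attribute.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOCAL = timezone(timedelta(hours=-5))        # assumption: competition local time in January
ATTR_STANDARD_INFORMATION = 0x10
ATTR_END = 0xFFFFFFFF

def filetime_to_utc(filetime):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)

def standard_information_times(record):
    """Return (created, modified, mft_changed, accessed) from an MFT FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    offset = struct.unpack_from("<H", record, 0x14)[0]       # offset of first attribute
    while offset + 0x18 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, offset)
        if attr_type == ATTR_END or attr_len == 0:
            break
        if attr_type == ATTR_STANDARD_INFORMATION and record[offset + 8] == 0:  # resident
            content = offset + struct.unpack_from("<H", record, offset + 0x14)[0]
            return tuple(filetime_to_utc(t)
                         for t in struct.unpack_from("<4Q", record, content))
        offset += attr_len
    raise ValueError("$STANDARD_INFORMATION not found")

def modified_local(record):
    """Last modified time in the YYYY-MM-DD hh:mm:ss local format the question asks for."""
    modified = standard_information_times(record)[1]
    return modified.astimezone(LOCAL).strftime("%Y-%m-%d %H:%M:%S")

def _sample_record():
    """Constructed 1024-byte FILE record holding only $STANDARD_INFORMATION."""
    delta = datetime(2017, 1, 16, 16, 15, 4, tzinfo=timezone.utc) - EPOCH_1601
    modified = (delta.days * 86400 + delta.seconds) * 10_000_000
    content = struct.pack("<4Q", modified - 600_000_000, modified, modified, modified)
    content += bytes(16)                                      # remaining fields, zeroed
    attr = struct.pack("<IIBBHHHIHBB", ATTR_STANDARD_INFORMATION, 0x18 + len(content),
                       0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0) + content
    record = bytearray(1024)
    record[:4] = b"FILE"
    struct.pack_into("<H", record, 0x14, 0x38)
    record[0x38:0x38 + len(attr)] = attr
    struct.pack_into("<I", record, 0x38 + len(attr), ATTR_END)
    return bytes(record)

SAMPLE_RECORD = _sample_record()

if __name__ == "__main__":
    print(modified_local(SAMPLE_RECORD))
```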


Q3. There was a very large drive (>3TB) connected to the election official’s computer. What is the size of the drive?
The answer is the number of bytes of the drive.


  • Run volatility mbrparser plugin and conclude that no previously unknown MBRs can be found
  • Because the drive we are looking for is a large drive, it will likely have GPT partition setup
  • Search for “EFI PART” and find GPT header at location 0x8476D0
  • Extract the size of the backup LBA from offset 0x20 of the partition table. This is the last sector of the drive: FF FF FF BF 03 00 00
  • Convert to decimal and add 1 to compute the total number of sectors: 16106127360
  • Multiply by standard sector size of 512 and attempt to submit size of 8 TB in bytes. You receive the hint: “You can’t make assumptions, especially in this order of magnitude”
  • Conclude that the drive being so large, it might not have a standard sector size.
  • Search for a cached VBR in memory. Find ReFS VBR at offset 0x2F2F05000
  • Find sector size of 4096 bytes and compute corrected size (60 TB): 65970697666560

Bonus: command used to create the large drive in a virtual environment: New-Vhd -Path F1-Q3.vhdx -SizeBytes 60TB -Dynamic -LogicalSectorSize 4096

Flag: ea8c90de4395b369c4c2f792f87889f35c183564532bc361be8099b87b0e495a
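
The GPT step, as an added example (not the author's code): it finds every "EFI PART" hit in a memory blob, checks the header CRC32 to separate real headers from stray strings, and reads the backup LBA at offset 0x20. The GPT header has no sector-size field, so the size is computed for a caller-supplied sector size; the blob is constructed, with the backup LBA set to the value derived above and the other header fields filled with placeholder values.

```python
import struct
import zlib

GPT_HEADER_LEN = 92          # header size defined by the UEFI specification

def find_gpt_headers(blob):
    """Return [(offset, backup_lba, crc_ok)] for every "EFI PART" hit in blob."""
    hits = []
    pos = blob.find(b"EFI PART")
    while pos != -1:
        header = bytearray(blob[pos:pos + GPT_HEADER_LEN])
        if len(header) == GPT_HEADER_LEN:
            stored_crc = struct.unpack_from("<I", header, 0x10)[0]
            backup_lba = struct.unpack_from("<Q", header, 0x20)[0]
            header[0x10:0x14] = bytes(4)         # CRC is computed with its own field zeroed
            hits.append((pos, backup_lba, zlib.crc32(header) == stored_crc))
        pos = blob.find(b"EFI PART", pos + 1)
    return hits

def drive_size(backup_lba, sector_size):
    """The backup header sits in the last sector, so the sector count is backup_lba + 1."""
    return (backup_lba + 1) * sector_size

def _sample_blob():
    """Constructed memory fragment: one stray string and one valid GPT header."""
    header = bytearray(struct.pack(
        "<8sIIIIQQQQ16sQIII", b"EFI PART", 0x00010000, GPT_HEADER_LEN, 0, 0,
        1, 0x3BFFFFFFF, 6, 0x3BFFFFFF9, bytes(range(16)), 2, 128, 128, 0))
    struct.pack_into("<I", header, 0x10, zlib.crc32(header))   # CRC field is still zero here
    return bytes(0x40) + b"EFI PART not a header" + bytes(0x80) + bytes(header) + bytes(0x40)

SAMPLE_BLOB = _sample_blob()

if __name__ == "__main__":
    for offset, backup_lba, crc_ok in find_gpt_headers(SAMPLE_BLOB):
        if crc_ok:
            print(hex(offset), drive_size(backup_lba, 512), drive_size(backup_lba, 4096))
```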


Q4. What is the content of the file “FCP.pdf” from the encrypted image fve.E01 taken from a drive that was connected to the election official’s computer?
The flag is the lowercase of the sha256 of the file.

Hint: FVE is Bitlocker XTS-AES 256


  • XTS-AES is an encryption scheme introduced in Windows 10 (build 1511) with very limited support from third-party tools. This is especially true for the 256-bit flavor.
  • Use your favorite tool to extract Bitlocker keys from memory and decrypt recovery key: 694309-640948-576257-564520-687489-165308-349162-133595
  • Convert fve.E01 to virtual disk (for example, E01 -> dd with FTK Imager, dd -> vmdk manually) and mount in an updated Windows 10 VM
  • Provide Windows with Recovery key and access file

Alternative solution:

  • Search for references in memory to files with name indicating “Bitlocker” and find file F:\Top Secret\Bitlocker key.pdf
  • Conclude that the Bitlocker recovery key file was saved on the encrypted drive itself
  • Extract Bitlocker volume identifier from fve.E01 (ex: by mounting drive to Windows): 3033C852-7580-4B52-A6DA-F85DB97F15AE
  • Search for volume identifier string in memory and find half of it at offset 0x1337206E5, in snippet:
ll="#ff000000" FontUri="../Resou
3E-FAE9703B4676.odttf" FontRende
ringEmSize="15.9697" StyleSimula
tions="None" OriginX="126.72" Or
iginY="235.2" Indices="22;19;22,
6,57;41;20;24;36;22" UnicodeStri

  • Conclude that this is OXP(s) format and that traces of the document with the recovery key are still present in memory
  • Search for UnicodeString= and find recovery key at location 0x7553F2FF
  • Mount volume with the recovery key and extract requested document

Flag: 8dbdcb00012a34fad6a3470a3485b8ae58c930356c9dfefcc8094935c1e3364b


Q5. An investigator created a partial image of the disk of another election official’s drive by running the command:
dd bs=1M count=4500 if=\\?\Device\Harddisk0\Partition0 of=partial.dd
When analyzing the result, you realize that the image is incomplete. What is the minimum count size that the investigator could have used to capture all of the allocated data from the drive?


  • Open partial.dd image and extract MBR, $Boot and $Bitmap
  • From MBR, identify that the last partition starts at sector offset 1026048
  • From $Boot (VBR), identify that cluster size is 8 sectors and sector size is 512 bytes
  • From $Bitmap, find the last non-blank byte 7E at file offset 0xA0566 – the backup VBR stored at the end of the volume can be ignored
  • Convert last non-blank byte in $Bitmap to last allocated cluster 5253943, which corresponds to partition sector 42031544
  • Convert partition sector 42031544 to absolute sector 43057592 to byte offset 22045487104 to rounded up MB value 21025

Flag: dd9501b8c5e94fe6430fa63e97a66eb730b7d23a65a5d2981b046467a2637d0b
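
The $Bitmap arithmetic, as an added example (not the author's code): it scans the allocation bitmap backwards for the last set bit and converts the cluster boundary just past it into a `dd` count for `bs=1M`. The bitmap is constructed with the byte 7E at offset 0xA0566 from the steps above; `total_clusters` is a constructed value that stands in for the volume size from $Boot, so the set bits at the very end of $Bitmap, which the steps say to ignore, are skipped.

```python
MIB = 1024 * 1024

def allocated_end_cluster(bitmap, total_clusters=None):
    """Return the cluster index just past the last allocated cluster in $Bitmap.

    Bit n of $Bitmap (least significant bit first within each byte) is set when
    cluster n is in use. Bits at or beyond total_clusters are ignored.
    """
    limit = len(bitmap) * 8
    if total_clusters is not None:
        limit = min(limit, total_clusters)
    for byte_index in range((limit + 7) // 8 - 1, -1, -1):
        value = bitmap[byte_index]
        for bit in range(7, -1, -1):
            cluster = byte_index * 8 + bit
            if cluster < limit and value >> bit & 1:
                return cluster + 1
    return 0

def dd_count_mib(end_cluster, partition_start_sector, sectors_per_cluster, sector_size):
    """Smallest count for dd bs=1M that reaches the end of the last allocated cluster."""
    end_byte = (partition_start_sector + end_cluster * sectors_per_cluster) * sector_size
    return -(-end_byte // MIB)                   # ceiling division

def _sample_bitmap():
    """Constructed $Bitmap: last real allocation at 0xA0566, set bits in the final 8 bytes."""
    bitmap = bytearray(0xA0566 + 0x200)
    bitmap[0x1000] = 0xFF                        # some earlier allocation
    bitmap[0xA0566] = 0x7E                       # byte value and offset from the write-up
    bitmap[-8:] = b"\xff" * 8                    # tail bits to be ignored
    return bytes(bitmap)

SAMPLE_BITMAP = _sample_bitmap()
SAMPLE_TOTAL_CLUSTERS = (len(SAMPLE_BITMAP) - 8) * 8   # constructed volume size in clusters

if __name__ == "__main__":
    end = allocated_end_cluster(SAMPLE_BITMAP, SAMPLE_TOTAL_CLUSTERS)
    print(end, dd_count_mib(end, 1026048, 8, 512))
```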


Q6. When was file “Monarchists flyer.pdf” from image flyers.E01 deleted?
Provide the answer in the format YYYY-MM-DD hh:mm:ss, in local time.


  • Convert .E01 to virtual disk and mount in Windows. Volume inside E01 is ReFS created with Windows 10 Creators Update. Anything before that will not recognize the file system
  • Find deleted file in Recycle Bin
  • Extract deletion date from INFO file creation date, 2017-05-05 00:28:05

Flag: 125225819a2505f0b971a92c2c6b392b2c767e932180cfc3350592ce0bf22480


Q7. When was file “Monarchists flyer.docx” from image flyers.E01 deleted?
Provide the answer in the format YYYY-MM-DD hh:mm:ss, in local time.


  • Mount image into Windows
  • Confirm that file is not in Recycle Bin and conclude that it was permanently deleted
  • List the USN Journal with command fsutil usn readjournal D:\
  • Find journal deletion entry, which shows time in local timezone:
Usn               : 5304
File name         : Monarchists flyer.docx
File name length  : 44
Reason            : 0x80000200: File delete | Close
Time stamp        : 5/5/2017 0:28:46
File attributes   : 0x00000020: Archive
File ID           : 00000000000007020000000000000001
Parent file ID    : 00000000000007020000000000000000
Source info       : 0x00000000: *NONE*
Security ID       : 0
Major version     : 3
Minor version     : 0
Record length     : 120

Flag: e1894c73654c9cc12d7609600acb65f0039fb545fdf695dee7cdba0a620db978
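
Filtering the journal listing, as an added example (not the author's code): it parses `fsutil usn readjournal` text into records, keeps those whose Reason mask contains the file-delete bit (0x200) for a given file name, and prints the time stamp in the required format. The first and last sample records are constructed; the middle one is the entry shown above. The month/day/year order of the time stamp is an assumption, since the listing follows the system locale.

```python
from datetime import datetime

USN_REASON_FILE_DELETE = 0x00000200
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"     # assumption: listing produced with a US-style locale

def parse_usn_output(text):
    """Split fsutil usn readjournal output into one dict per journal record."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Usn":                         # every record starts with its USN
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records

def deletions(text, file_name):
    """Return [(usn, "YYYY-MM-DD hh:mm:ss")] for delete records of file_name."""
    hits = []
    for record in parse_usn_output(text):
        if record.get("File name", "").lower() != file_name.lower():
            continue
        reason = int(record.get("Reason", "0").split(":")[0], 16)
        if reason & USN_REASON_FILE_DELETE:
            stamp = datetime.strptime(record["Time stamp"], TIME_FORMAT)
            hits.append((int(record["Usn"]), stamp.strftime("%Y-%m-%d %H:%M:%S")))
    return hits

SAMPLE = """
Usn               : 5120
File name         : Monarchists flyer.docx
Reason            : 0x00000100: File create
Time stamp        : 5/4/2017 23:50:12

Usn               : 5304
File name         : Monarchists flyer.docx
File name length  : 44
Reason            : 0x80000200: File delete | Close
Time stamp        : 5/5/2017 0:28:46
File attributes   : 0x00000020: Archive

Usn               : 5424
File name         : notes.txt
Reason            : 0x80000200: File delete | Close
Time stamp        : 5/5/2017 0:30:02
"""

if __name__ == "__main__":
    print(deletions(SAMPLE, "Monarchists flyer.docx"))
```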


Q8. When was file “Meritocrats flyer.pdf” from image last modified?
Provide the answer in the format YYYY-MM-DD hh:mm:ss, in local time.


  • File is not in Recycle Bin and cannot be found in USN Journal
  • Confirm that the USN Journal did not get overwritten and conclude that file did not exist on current partition
  • Carve remnant MFT FILE record from previous NTFS partition that existed on the drive and extract modification date 2016-09-06 00:11:02

Flag: 877efa5560ff38aacc43610e14f5c9edfc315ae8ee06c1592411bec044d797d4


Q9. File “corrupted.L01” contains a high-resolution image of our leader. This file suffered some corruption that inexplicably overwrote internal hash values and checksums. What is the name of the investigator that produced this file?


  • From file extension and header, identify that this is an EWF-L01 file
  • Attempt to open file in typical forensics software (FTK, Encase, ewfmount, Nuix) and conclude that file is so broken that it cannot be opened with any off-the-shelf software
  • Find EWF documentation –
  • Read documentation and understand concept of sections
  • Identify that property Examiner name can be found in header2 section at section offset 0x4c, zlib compressed
  • Extract header2 section, decompress and obtain Examiner name “This is not the name you’re looking for”
  • Identify that in the L01 file, immediately after the header2 section, there is a backup header2 section
  • Extract backup header2 section, decompress and obtain Examiner name “Democracy adjudicator 6”

Flag: 152128e70df4cd87d68b172238982554d3578df62d144f40e4cb346dd6128f71
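
Reading header2 without trusting checksums, as an added example (not the author's code): it locates every header2 section descriptor, skips the 0x4c-byte descriptor, inflates the zlib stream that follows and picks the examiner column out of the tab-separated table. The sample file is constructed with zeroed checksums and the two examiner names quoted above; the table layout (identifier row followed by a value row, examiner under `e`) follows the EWF documentation for header2 and is assumed to hold for this file.

```python
import struct
import zlib

DESCRIPTOR_LEN = 0x4C                             # type, next offset, size, padding, checksum
HEADER2_TYPE = b"header2".ljust(16, b"\x00")      # 16-byte section type field

def header2_tables(blob):
    """Return [(offset, text)] for each header2 section whose payload inflates."""
    tables = []
    pos = blob.find(HEADER2_TYPE)
    while pos != -1:
        try:
            # decompressobj stops at the end of the stream, so the stored
            # section size (possibly corrupted) is not needed.
            raw = zlib.decompressobj().decompress(blob[pos + DESCRIPTOR_LEN:])
            tables.append((pos, raw.decode("utf-16")))
        except (zlib.error, UnicodeDecodeError):
            pass                                   # damaged payload: keep scanning
        pos = blob.find(HEADER2_TYPE, pos + 1)
    return tables

def examiner_names(blob):
    """Return [(section_offset, examiner_name)] in file order."""
    names = []
    for offset, text in header2_tables(blob):
        lines = text.splitlines()
        for index, line in enumerate(lines[:-1]):
            columns = line.split("\t")
            if "e" in columns:                     # identifier row; values are on the next row
                values = lines[index + 1].split("\t")
                position = columns.index("e")
                if position < len(values):
                    names.append((offset, values[position]))
                break
    return names

def _section(examiner):
    """Constructed header2 section with a zeroed checksum, as in the corrupted file."""
    table = "1\nmain\na\tc\tn\te\tt\n\t\t\t%s\t\n\n" % examiner
    data = zlib.compress(table.encode("utf-16"))
    descriptor = struct.pack("<16sQQ40sI", b"header2", 0, DESCRIPTOR_LEN + len(data), b"", 0)
    return descriptor + data

PRIMARY = "This is not the name you\u2019re looking for"
BACKUP = "Democracy adjudicator 6"
SAMPLE = bytes(13) + _section(PRIMARY) + _section(BACKUP)   # 13 placeholder bytes for the file header

if __name__ == "__main__":
    for offset, name in examiner_names(SAMPLE):
        print(hex(offset), name)
```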


Q10. What is the content of file “” contained inside “corrupted.L01”?
The flag is the lowercase of the sha256 of the file.


  • Manually parse the L01 structure and identify that it contains two files: filler.jpg and
  • Manually extract and decompress sectors from file
  • Identify that file overflows to second segment, corrupted.L02
  • Extract all sectors from file. The image has a grid pattern overlaid – in case you make an error when reconstructing the jpeg file, this pattern will make it easier to spot the location where the error occurred

Flag: a5bf36bdd9a6e8dfc7d56782f20d14d0cdf0b808cc2c6defbbcecfef32f6f616

Official hours



  • Participants registration from 17h00 to 19h00
  • Talks and presentation from 19h00 to 19h30
  • Competition start at 19h30


  • Competition end at 15h
  • Closing ceremony at 16h
  • Departure of participants at 17h

Breaking news

A rumor is going around that someone might have installed an access point with the SSID “Onion-PSK” … This same rumor states that the password might be a word taken from a French dictionary, but that this word might also have a number added to it… This is all the info we have for now!