
Title: Jiangsu Province Second Data Security Technology Application Vocational Skills Competition Preliminary Competition WP


1. Data security problem-solving competition

1. ds_0602

The task: recover the original data from the encrypted file, decrypt it, and submit the value in the sixth row, second column. Download the attachment and you find two files in it, one of which ends in ".enc". First, a brief look at what kind of file ends in ".enc".

Simply put, a file ending in ".enc" is usually an encrypted file. The ".enc" extension does not stand for a specific file type; it is a generic marker saying that the file's content has been encrypted. What the question wants is therefore obvious. Right-click the file, choose "Open with", and select "Notepad" to look at it. We get:

After a brief look it is obviously base64-encoded, and since the question explicitly allows decoding, all we need is an online base64 decoder. Why can I be sure it is base64? The features of base64:

- Encoded length: every 3 bytes of binary data (24 bits) are encoded as 4 ASCII characters (6 bits per character), so the encoded text is about 1.33 times (4/3) the length of the original data.
- Character set: base64 uses a set of 64 characters: uppercase letters A-Z, lowercase letters a-z, digits 0-9, and the two symbols + and /. Some implementations substitute the symbols, e.g. - for + and _ for /, which is the URL-safe base64 variant.
- Padding: if the number of input bytes is not a multiple of 3, the output is padded with the = symbol so that its length is a multiple of 4. One = and two = correspond to the two possible remainders (1 and 2) of the input length divided by 3.

In short, base64 is an encoding used to represent binary data as ASCII characters. Decode it with an online base64 decoder, and we get:

The question asks for "the data in the sixth row, second column", so we can copy the decoded sixth row directly:

At this point: flag{767378199223105126}
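The base64 features listed above turned into a small check-and-decode script, as an added example that is not part of the writeup (the six-row sample is constructed here; the contest data is not reproduced):

```python
import base64
import string

STD_ALPHABET = set(string.ascii_letters + string.digits + "+/")
URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")   # URL-safe variant

def looks_like_base64(text: str) -> bool:
    """Check the features listed above: allowed alphabet (standard or URL-safe),
    length a multiple of 4, and '=' padding only at the end, at most two of them."""
    s = "".join(text.split())            # tolerate line wrapping in the .enc file
    if not s or len(s) % 4:
        return False
    body = s.rstrip("=")
    if len(s) - len(body) > 2 or "=" in body:
        return False
    chars = set(body)
    return chars <= STD_ALPHABET or chars <= URL_ALPHABET

def decode_base64(text: str) -> bytes:
    """Decode, switching to the URL-safe alphabet when '-' or '_' is present.
    One '=' means the input length left remainder 2 when divided by 3,
    two '=' mean it left remainder 1."""
    s = "".join(text.split())
    if not looks_like_base64(s):
        raise ValueError("input does not have base64's features")
    if "-" in s or "_" in s:
        return base64.urlsafe_b64decode(s)
    return base64.b64decode(s, validate=True)

def cell(decoded: str, row: int, col: int, sep: str = ",") -> str:
    """1-based lookup, e.g. row=6, col=2 for 'sixth row, second column'."""
    lines = [ln for ln in decoded.splitlines() if ln.strip()]
    return lines[row - 1].split(sep)[col - 1].strip()

def solve(enc_text: str, row: int = 6, col: int = 2) -> str:
    return cell(decode_base64(enc_text).decode("utf-8"), row, col)

# Constructed sample standing in for the .enc attachment (not the contest data):
# six comma-separated rows, base64-encoded the way the file was found.
SAMPLE_ROWS = "\n".join(f"{i},row{i}_value,x" for i in range(1, 7))
SAMPLE_ENC = base64.b64encode(SAMPLE_ROWS.encode()).decode()

if __name__ == "__main__":
    print(solve(SAMPLE_ENC))            # row6_value
```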

2. 333.file


Download and decompress the attachment to get an audio file ending in ".wav". Throw it into "DeepSound", "SilentEye" and "Audacity" first. If that is fruitless, open it in "010" (010 Editor) and look for key strings such as "flag" or "zip". We can also move it to "Kali" and run "binwalk" on it to see whether any embedded files can be carved out. "DeepSound" gives nothing:

"SilentEye" has no effect:

"Audacity" gives no result:

So there is nothing more to do for the moment; I can only move it to "Kali" and run "binwalk" on it. I found that there is indeed a broken "zip" inside, but "binwalk -e" is not enough to extract it. Here we try "foremost -i" (the principle is similar to binwalk -e, but the carving method differs; interested readers can look into the difference between the two, which I won't dwell on here) to pull the hidden file out of the audio. Command: binwalk -e 333.wav --run-as=root gives:

Extracting with "foremost -i" succeeds. On opening the result, it is not the "zip" that "binwalk" reported but another audio ending in ".wav". A quick check shows it is not the original audio; the simplest test is that the two differ in size. So we run the same basic ".wav" analysis tools as above on it, and this time the key information turns up in "Audacity". Command: foremost -i 333.wav -o /root/Desktop/123 -T gives:

Open the carved output to get two audio files and analyse them briefly:

Finally, the "spectrogram" view in "Audacity" of the second audio, "00006606.wav", reveals the key information:

The key information is pass: stego0626, which is evidently a password of some kind (it does say "pass"). There is nothing further to analyse here, because basically everything that could be found has been tried without success. But then I suddenly remembered that when analysing with "binwalk" there was indeed a broken "zip" inside that was not carved successfully, and carving it with "foremost -i" did not work either. So we might as well open the file in "010" and locate it to see whether this "zip" is incomplete, because a corrupted archive sometimes cannot be carved by "foremost" or "binwalk" directly and has to be separated by hand. In "010", search for the zip signature (in hexadecimal, 504B0304):

A quick look shows the key string "flag", which is indeed the flag we are after, but this zip seems to lack its main header, the "504B0304" we just searched for. Even if we are not sure, that does not matter: we can compare it against the beginning of a normal "zip". A normal "zip" in hexadecimal:

It is easy to see that a normal "zip" does begin with "504B0304", but it is not present here. So let us try saving the data directly and see whether it opens normally: in "010", "create a new hex file", then select the whole segment and paste it in:

Select the main body of the "zip" and right-click to copy:

Of course, since the "zip" header is missing, we can type "504B0304" at the start as soon as we create the file, in case it is needed later (you can also insert it afterwards; it depends on your habits):

Paste, choose "zip" as the save format, and note the save location so you can find the file again:

Finally, opening the "zip" asks for a password. Enter the password extracted earlier, "pass: stego0626", to open it:

Right-click the blank "flag" file and open it with "Notepad" to analyse it:

It is not the flag we need, but that does not matter: open it in "010" instead and analyse it. We get:

I found that the header of this blank "flag" file starts with "78 9c 4b cb". Generally speaking, a file beginning with hexadecimal 78 9c is data compressed with the zlib algorithm. So we simply add a "zlib" suffix, carve it with "binwalk -e", and finally find the flag. Command: binwalk -e flag.zlib --run-as=root separates it successfully:

Open the carved file, analyse it, and finally obtain the flag:

At this point: flag{81633464866e622d275c309b22cb907b}. Carving is not the only way: "CyberChef" can also decode "zlib" and reveal the flag:
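The manual 010 repair above (locate the zip, put back the missing 504B0304, then inflate the zlib member) done programmatically, as an added example that is not part of the writeup. The sample "wav" is constructed here and the archive has no password; the pwd parameter covers the ZipCrypto case the writeup hit.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"   # 504B0304, the local-file-header signature searched for in 010
END_SIG = b"PK\x05\x06"     # end-of-central-directory record, sits at the end of a zip

def carve_zip(blob: bytes) -> bytes:
    """Cut the zip out of blob and put back a missing 504B0304 header.

    The end record stores the central directory's size and its offset from
    the archive start, which gives the true start position even when the
    first bytes were destroyed; if the signature is not there, prepend it."""
    end = blob.rfind(END_SIG)
    if end < 0:
        raise ValueError("no end-of-central-directory record found")
    size_cd, offset_cd, comment_len = struct.unpack_from("<IIH", blob, end + 12)
    cd_pos = end - size_cd             # where the central directory really is
    start = cd_pos - offset_cd         # where the archive should begin
    stop = end + 22 + comment_len
    if start >= 0 and blob[start:start + 4] == LOCAL_SIG:
        return blob[start:stop]        # intact, nothing to repair
    # Signature dropped: recorded offsets are 4 bytes too large, data begins at start+4
    return LOCAL_SIG + blob[start + 4:stop]

def extract_flag(blob: bytes, pwd: bytes = None) -> str:
    """Open the carved archive (pwd is the ZipCrypto password, e.g. the
    'stego0626' found in the spectrogram) and inflate the zlib member."""
    archive = zipfile.ZipFile(io.BytesIO(carve_zip(blob)))
    member = archive.read(archive.namelist()[0], pwd=pwd)
    cmf, flg = member[0], member[1]
    # zlib header = CMF + FLG: 0x78 means deflate with a 32 KiB window, and the
    # two bytes together must be a multiple of 31; 78 9c is the usual pair.
    if cmf & 0x0F == 8 and (cmf * 256 + flg) % 31 == 0:
        member = zlib.decompress(member)
    return member.decode()

def build_sample() -> bytes:
    """Constructed stand-in for 333.wav: fake RIFF bytes, then a zip whose
    504B0304 has been cut off, the same damage the writeup ran into."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("flag", zlib.compress(b"flag{constructed_example}"))
    damaged = buf.getvalue()[4:]
    return b"RIFF\x00\x00\x00\x00WAVEfmt " + bytes(64) + damaged + bytes(8)

if __name__ == "__main__":
    print(extract_flag(build_sample()))   # flag{constructed_example}
```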

3. PF file analysis


The question text is long, but the key point is simple: find the name of the most frequently run software and submit it. First, a brief look at what a "pf" file is.

A PF file (Prefetch file) is a cache file in the Windows operating system used to speed up application startup. Whenever you run an application, Windows creates or updates the PF file associated with it. The file records the resources the program needs at startup, including loaded DLLs, file paths and other information. Main features:

- Storage location: PF files are stored in the C:\Windows\Prefetch directory, with file names of the form program name-hash value.pf.
- Faster startup: because the PF file records the resources the program needs, the operating system can load them more quickly the next time the program starts.
- Forensic analysis: in digital forensics, PF files are used to analyse user behaviour, to see when and how a program was started, and to help rebuild an event timeline.
- Cleaning impact: deleting PF files makes applications start more slowly the first time afterwards, but has little impact on overall system performance.

Summary: PF files are a cache used by Windows to optimise program startup. They live in a specific directory and are created or updated when a program starts, and in digital forensics they help analyse user behaviour.

Now that we know what a "pf" file is, download the attachment and open it: it asks for a password. That was strange at first; the question mentions no password and the organizers did not provide one, so had they forgotten it? Looking carefully at the downloaded attachment, the name of the "zip" itself is "base64"-encoded. Decoding it directly gives the password it asks for:

Decode it with an online base64 decoder:

The zip password is IAMPASSWORD, and it decompresses successfully. As said, if we want to analyse "Prefetch" files, which tools should we use? A summary for the readers:

- PECmd: a command-line tool for parsing and analysing Windows Prefetch files. It extracts the detailed information in a Prefetch file, such as execution times, paths and associated DLLs, which makes it well suited to digital forensic analysis. Features: batch processing, CSV report generation, and support for the Prefetch formats of multiple Windows versions.
- WinPrefetchView: a simple GUI tool for viewing and analysing Prefetch files. It quickly lists the files in the Prefetch directory and shows the details of each, such as the program's run count and last run time. Features: friendly interface, simple operation, suitable for quickly viewing Prefetch contents.

These two tools are the most commonly used for Prefetch analysis and cover different needs, from a quick look to in-depth forensic analysis. We first analyse with "PECmd". Command: PECmd.exe -d D:\Latest Download\PECmd\Prefetch --json output.txt. Briefly: we use PECmd to parse the Prefetch files in the D:\Latest Download\PECmd\Prefetch directory and save the results in JSON format to output.txt. We get:

Finally, in the current directory we find the "output" file we just created:

Right-click it, open it with "Notepad", and we get:

The question asks for the most-used software, so that is all we look for. "RunCount" is clearly the number of executions, so press "Ctrl+F", search for "RunCount", and go through the hits one by one; the number that follows each is how many times that software was run. We get:

However, I found that this was not the one with the most executions. Later I found larger ones, such as 38 and 71, and after searching slowly I confirmed the maximum, "82":

At this point: flag{SEARCHFILTERHOST.EXE}

Extension: we used "PECmd" to analyse "Prefetch", and the reader may well think, isn't this a bit troublesome, parsing and then opening Notepad to search? Indeed there is an easier way than this. The tool "WinPrefetchView" mentioned above has already been downloaded and extracted, so open it. Then click "Options", choose "Advanced Options", change the "Prefetch" folder location to yours, and click OK. We get:

We can sort by run count directly; this method is clearly much more convenient than the first, and the result is more intuitive and clear at a glance.
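Both tools above read the same fields from the .pf header; as an added example that is not part of the writeup, here is that header read directly and ranked by RunCount. The field offsets follow the publicly documented Prefetch format (an assumption here, checked only against the constructed headers), and Windows 10+ files are MAM-compressed and must be decompressed first, which PECmd does internally.

```python
import struct

# Absolute offset of the 32-bit run count, by Prefetch format version
# (17 = XP, 23 = Windows 7, 26 = Windows 8.1, 30 = Windows 10/11).
RUN_COUNT_OFFSET = {17: 0x90, 23: 0x98, 26: 0xD0, 30: 0xD0}

def parse_prefetch(data: bytes) -> dict:
    """Read version, executable name, hash and RunCount from a raw .pf header."""
    if data[:3] == b"MAM":
        # Windows 10+ wraps the file in LZXPRESS-Huffman compression; the SCCA
        # header is only visible after decompressing it.
        raise ValueError("MAM-compressed prefetch: decompress before parsing")
    version = struct.unpack_from("<I", data, 0)[0]
    if data[4:8] != b"SCCA" or version not in RUN_COUNT_OFFSET:
        raise ValueError("not an uncompressed SCCA prefetch header")
    # Executable name: 60 bytes of UTF-16-LE at 0x10, NUL-terminated
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]   # the hash in NAME-HASH.pf
    run_count = struct.unpack_from("<I", data, RUN_COUNT_OFFSET[version])[0]
    return {"name": name, "version": version,
            "file_name": f"{name}-{prefetch_hash:08X}.pf", "run_count": run_count}

def most_run(files) -> str:
    """Return the executable with the highest RunCount, what the question asks for."""
    parsed = sorted((parse_prefetch(d) for d in files),
                    key=lambda p: p["run_count"], reverse=True)
    return parsed[0]["name"]

def build_sample(name: str, run_count: int, version: int = 23) -> bytes:
    """Constructed minimal header (default v23, Windows 7) with only the fields
    this parser reads filled in; real files carry much more after this point."""
    buf = bytearray(RUN_COUNT_OFFSET[version] + 4)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = b"SCCA"
    buf[0x10:0x10 + len(name) * 2] = name.encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, 0x1234ABCD)          # constructed hash
    struct.pack_into("<I", buf, RUN_COUNT_OFFSET[version], run_count)
    return bytes(buf)

if __name__ == "__main__":
    sample = [build_sample("NOTEPAD.EXE", 38), build_sample("CMD.EXE", 71),
              build_sample("SEARCHFILTERHOST.EXE", 82)]
    print(most_run(sample))   # SEARCHFILTERHOST.EXE
```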

4. Lost information


The question text rambles on, but summarised: extract the customer's mobile phone number and submit its lowercase MD5 hash. Download the attachment to get two files:

A brief look at what the "disk" file and the ".raw" file are.

What is a "disk" file? A "disk" file usually refers to an image of a storage device: an exact copy of an entire hard disk, partition, or other storage medium. It contains all the data on the disk, including file systems, partition tables, boot records, and every file and folder stored on it.
- Purpose: commonly used for backup, cloning disks or data recovery. They are also used in forensic analysis, where disk images are used to analyse and reconstruct the data stored on a disk.
- Format: disk image files come in different formats, such as .img, .iso and .vmdk (virtual disk files).

What is a ".raw" file? A .raw file usually refers to a raw disk image. This is an uncompressed image format that contains all the raw data on the disk, replicating the entire disk or partition byte by byte.
- Uncompressed: a .raw file contains no compressed or modified data; it is the most original disk image format.
- Universality: because the format is simple and universal, .raw files are recognised and used by a wide range of tools and operating systems.
- Purpose: widely used in digital forensics, data recovery and virtualisation environments. Analysing a .raw file can help recover deleted files, analyse the file system structure, and perform other low-level data operations.

Summary: a disk file usually means a disk image file, a copy of an entire storage device; a .raw file is an uncompressed disk image format holding the raw data on the disk, often used for forensic analysis and data recovery.

Now that we know what these files are, how do we analyse them? When analysing disk image files ("disk" or ".raw"), the commonly recommended tools are:
- Volatility 2.6: a memory forensics tool. Although it is mainly used for memory dump analysis, it can also be used on data in disk images. Working alongside the disk image, Volatility can extract and analyse memory-related data such as processes, network connections and registry entries. Features: powerful, supports memory analysis for multiple operating systems, suitable for in-depth analysis and forensic work.
- Elcomsoft Forensic Disk Decryptor: used specifically to decrypt encrypted disk image files. It supports BitLocker, TrueCrypt, VeraCrypt and other encryption systems, and helps forensic examiners extract and analyse data from these images. Features: strong decryption capability, especially suited to encrypted disk images.

In general, Volatility 2.6 is used for memory forensic analysis and can also be combined with disk images for advanced data extraction. Elcomsoft Forensic Disk Decryptor: Specially used
