Now it was my turn to smirk, and the Chief noticed it, although I tried to conceal the grin. Apparently, I didn't have enough cigar smoke. The Chief waved his hand angrily.
—What are you grinning at? As if you didn't get extra work.
—Yeah, Chief. Sorry, couldn't help it.
Thanks to the Chief's idea, we found that restaurant, but... the camera footage miraculously disappeared!
—Any ideas on what to do next?
—Chief, my gut tells me that guy's computer isn't squeaky clean. I'll look again for some encrypted storage. The file might be drifting in an undercurrent, hidden from plain sight.
Q. Which file does the guy keep his encrypted container in?
Format: full path, e.g. C:\VeraCrypt\MyContainer.vc
Solve
Tools Used
- Autopsy
- gkape
- FullEventLogView
Recent documents show that phorger is using a vault as an encrypted container (found by checking BitLocker & Y:\\). So, I need to find a vhdx file or related files.
Using gkape, I extracted the Windows event logs.
Using FullEventLogView, I can filter for vault-related logs.
The location of the encrypted container is “C:\Users\phorger\Documents\desktop.ini:vault.vhdx”; you can also see the vault in Autopsy.
Answer: C:\Users\phorger\Documents\desktop.ini:vault.vhdx
![BelkaCTF#6 - [9] Crypto(Warmup, 286)](/_next/image?url=https%3A%2F%2Fwww.notion.so%2Fimage%2Fhttps%253A%252F%252Fbelkasoft.com%252Fbelkactf6%252Fassets%252Fimg%252Fpanels%252F8_2e25932a84fa614a3812e9065e4309fa.png%3Ftable%3Dblock%26id%3D877c9cf5-1af4-4d0c-8711-685b825f28d4%26cache%3Dv2&w=3840&q=75)