Entretien à l’ANSSI

After extracting the zip archive of the challenge, we get a single file. Let's use the file command to identify the file type/format:

$ file image_forensic.e01
image_forensic.e01: EWF/Expert Witness/EnCase image file format

I had never seen this format before, but a quick search turned up this blog post explaining how to mount it. EWF (Expert Witness Format) is the forensic disk-image container used by EnCase and FTK: it wraps a raw image in compressed chunks with per-chunk checksums and acquisition metadata, so it can't be loop-mounted directly; it first has to be exposed as a raw image.

First, install the ewf-tools package (ewftools on Fedora):

sudo apt install ewf-tools

Let's create a directory to act as the mount point of the image:

mkdir rawimage

Then, let's mount it. ewfmount is FUSE-based, so you need to be root (or a member of the fuse group) for that; it doesn't mount a filesystem, it exposes the decoded raw image as a single read-only file under the mount point:

sudo ewfmount image_forensic.e01 ./rawimage/

(When you're done, unmount it with fusermount -u ./rawimage.)

Let's see what we have now:

$ ls -Alh rawimage              
total 0
-r--r--r--. 1 root root 9.0M Jan 30 22:31 ewf1

$ file rawimage/ewf1 
rawimage/ewf1: POSIX tar archive (GNU)

So the "disk image" is not a filesystem at all, just a tar archive. Let's unpack it:

$ tar -xf rawimage/ewf1 

$ ls -Alh
total 9.6M
-rwxr-x---. 1 yep yep 9.0M Jun 28  2016 bcache24.bmc
-rw-r--r--. 1 yep yep 238K Jul  2  2016 image_forensic.e01
drwxr-xr-x. 1 yep yep    0 Jan 30 22:25 rawimage

$ file bcache24.bmc 
bcache24.bmc: data

The archive contained a single file, bcache24.bmc, and file doesn't recognise it (no known magic bytes)...

Throwing the filename at Google, we come across a GitHub repo owned by ANSSI-FR (given the name of the challenge, we are most likely on the right track!).

There is also a pretty good blog post that explains what this kind of file is. bcacheNN.bmc files are the persistent bitmap cache of the Windows RDP client (mstsc.exe): to save bandwidth, the server sends each screen region once and the client keeps these small tiles (at most 64x64 pixels) on disk so they can be redrawn later without being resent. The tiles are stored raw, not as .bmp files; bmc-tools reconstructs them into BMPs. This artifact can be really useful in a forensic investigation because it lives on the machine that initiated the RDP session: if an attacker compromised a host in an internal network and used it to RDP to other machines, the cache holds fragments of what they saw on those remote desktops, even after the remote hosts themselves have been cleaned.

Let's use the tool from ANSSI to extract the images from the file:

$ git clone https://github.com/ANSSI-FR/bmc-tools

$ mkdir ./bmc-out/

$ ./bmc-tools/bmc-tools.py -s bcache24.bmc -d ./bmc-out/
[+++] Processing a single file: 'bcache24.bmc'.
[===] 575 tiles successfully extracted in the end.
[===] Successfully exported 575 files.

If we check into the bmc-out folder, there are a bunch of .bmp files (575 in fact):

$ ls -Alh bmc-out
total 33M
-rw-r--r--. 1 yep yep 5.7K Feb  3 12:42 bcache24.bmc_0000.bmp
-rw-r--r--. 1 yep yep 3.3K Feb  3 12:42 bcache24.bmc_0001.bmp
-rw-r--r--. 1 yep yep 9.2K Feb  3 12:42 bcache24.bmc_0002.bmp
-rw-r--r--. 1 yep yep 4.7K Feb  3 12:42 bcache24.bmc_0003.bmp
-rw-r--r--. 1 yep yep 4.7K Feb  3 12:42 bcache24.bmc_0004.bmp
-rw-r--r--. 1 yep yep 4.7K Feb  3 12:42 bcache24.bmc_0005.bmp
-rw-r--r--. 1 yep yep  17K Feb  3 12:42 bcache24.bmc_0006.bmp
-rw-r--r--. 1 yep yep  17K Feb  3 12:42 bcache24.bmc_0007.bmp
-rw-r--r--. 1 yep yep 3.9K Feb  3 12:42 bcache24.bmc_0008.bmp
[...]

Looking at 575 tiles one by one isn't practical, so we need to reassemble them into a single image.

You may have noticed the -b option of bmc-tools, which builds exactly this kind of collage, but it takes forever (literally, I let it run for 2 hours and it was still going).

Another way to do that is using the montage command from ImageMagick:

$ montage bmc-out/*.bmp -geometry 64x64+0+0 merged.png
montage: negative or zero image size `bmc-out/bcache24.bmc_0094.bmp' @ error/bmp.c/ReadBMPImage/870.
montage: negative or zero image size `bmc-out/bcache24.bmc_0167.bmp' @ error/bmp.c/ReadBMPImage/870.
montage: negative or zero image size `bmc-out/bcache24.bmc_0185.bmp' @ error/bmp.c/ReadBMPImage/870.
montage: negative or zero image size `bmc-out/bcache24.bmc_0186.bmp' @ error/bmp.c/ReadBMPImage/870.
montage: negative or zero image size `bmc-out/bcache24.bmc_0392.bmp' @ error/bmp.c/ReadBMPImage/870.
montage: negative or zero image size `bmc-out/bcache24.bmc_0428.bmp' @ error/bmp.c/ReadBMPImage/870.

These come from tiles whose BMP header declares a zero width or height (empty cache entries); montage skips them and still tiles the rest, so you can ignore these errors.

Now we should have a merged.png image containing a grid of all the non-empty tiles:

flag in merged image

If the flag is still scrambled, try playing with the -geometry option of the montage command (it sets the cell size and the spacing between tiles; 64x64+0+0 matches the 64x64 cache tiles with no gap) and with -tile, which fixes the number of columns (e.g. -tile 16x). The cache stores tiles in the order the client received them, not in screen order, so the reconstruction is only ever partial; but the tiles of a freshly drawn region are often cached in raster order, so a column count matching the remote screen width divided by 64 (16 for a 1024-pixel-wide desktop) tends to line consecutive tiles up and make the text readable.
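The collage step, as an added example that is not part of the original write-up and not bmc-tools code: a stdlib-only Python script that reassembles the bmc-tools tiles the way montage does, except that tiles with a zero or negative size in their BMP header (the ones behind the "negative or zero image size" errors above) are counted and skipped rather than reported as errors, and the column count is a parameter, the equivalent of montage's -tile 16x. It assumes the extracted tiles are uncompressed 24-bit BMPs (anything else is skipped too, so extend read_bmp24 if your extraction yields another bit depth); the function names, the 16-column default and the sample tiles in demo() are mine.

```python
"""Collage RDP bitmap-cache tiles (the .bmp files bmc-tools writes) into one
BMP with only the Python standard library.

Added example for this write-up; it is neither bmc-tools code nor the
author's. Assumes uncompressed 24-bit BMP tiles; anything else, including the
zero-size tiles montage complains about, is counted as skipped."""
import struct
from pathlib import Path

FILE_HDR = "<2sIHHI"       # BITMAPFILEHEADER: magic, file size, 2 reserved, pixel offset
INFO_HDR = "<IiiHHIIiiII"  # BITMAPINFOHEADER: size, width, height, planes, bpp, compression, ...


def read_bmp24(data):
    """Decode an uncompressed 24-bit BMP into (width, height, rows), rows
    top-down as BGR byte strings. Returns None for anything unusable."""
    if len(data) < 54 or data[:2] != b"BM":
        return None
    _magic, _fsize, _r1, _r2, offset = struct.unpack_from(FILE_HDR, data, 0)
    _hsize, width, height, _planes, bpp, comp = struct.unpack_from(INFO_HDR, data, 14)[:6]
    # Same condition that makes montage print "negative or zero image size".
    if width <= 0 or height == 0 or bpp != 24 or comp != 0:
        return None
    bottom_up, height = height > 0, abs(height)
    stride = (width * 3 + 3) & ~3            # rows are padded to 4-byte multiples
    if len(data) < offset + stride * height:
        return None                          # truncated pixel data
    rows = [bytes(data[offset + y * stride: offset + y * stride + width * 3]) for y in range(height)]
    return width, height, rows[::-1] if bottom_up else rows


def write_bmp24(width, height, rows):
    """Serialise top-down BGR rows as a 24-bit BMP (stored bottom-up)."""
    stride = (width * 3 + 3) & ~3
    pad = b"\x00" * (stride - width * 3)
    pixels = b"".join(row + pad for row in reversed(rows))
    info = struct.pack(INFO_HDR, 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return struct.pack(FILE_HDR, b"BM", 54 + len(pixels), 0, 0, 54) + info + pixels


def collage(tiles, columns, cell_w=64, cell_h=64):
    """Lay decoded tiles out in the order given, `columns` per band, each in a
    cell_w x cell_h cell (smaller tiles padded with black, larger ones cropped).
    Returns (width, height, rows, skipped)."""
    decoded = [t for t in map(read_bmp24, tiles) if t is not None]
    skipped = len(tiles) - len(decoded)
    black = b"\x00" * (cell_w * 3)
    out = []
    for i in range(0, len(decoded), columns):
        band = decoded[i:i + columns]
        for y in range(cell_h):
            line = b""
            for w, h, rows in band:
                src = rows[y][:cell_w * 3] if y < h else b""
                line += src + black[len(src):]
            out.append(line + black * (columns - len(band)))  # pad a short last band
    return columns * cell_w, len(out), out, skipped


def collage_dir(src_dir, out_path, columns=16):
    """Collage every *.bmp in src_dir in filename order (bmc-tools zero-pads its
    tile numbers, so that is cache order) and return how many were skipped."""
    tiles = [p.read_bytes() for p in sorted(Path(src_dir).glob("*.bmp"))]
    width, height, rows, skipped = collage(tiles, columns)
    Path(out_path).write_bytes(write_bmp24(width, height, rows))
    return skipped


def solid_tile(width, height, bgr):
    """Constructed sample tile: a solid-colour 24-bit BMP."""
    return write_bmp24(width, height, [bytes(bgr) * width] * height)


def demo():
    """Constructed input standing in for bmc-out/: three real tiles and one
    zero-size tile like the ones montage rejects. Returns (width, height, skipped)."""
    tiles = [solid_tile(64, 64, (0, 0, 255)), solid_tile(64, 64, (0, 255, 0)),
             write_bmp24(0, 0, []), solid_tile(32, 16, (255, 255, 255))]
    width, height, _rows, skipped = collage(tiles, columns=2)
    return width, height, skipped


if __name__ == "__main__":
    print("demo collage (w, h, skipped):", demo())
```

On the real extraction, collage_dir("bmc-out", "merged.bmp", columns=16) produces the same layout as the montage command with -tile 16x and returns the number of empty tiles it dropped; change columns until consecutive tiles line up.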