Codegate 2011 Qual - Forensics 400
The challenge description was very helpful. First, we knew that we were looking for an encrypted file. Second, we knew that the data was only metadata, not actual file data. The hexdump of the file told us that the metadata came from an NTFS filesystem: the file begins with MFT records, recognisable by their FILE0 signature:
$hexdump -C 663A6A5939D2491D2F471A76123FC89C | head
00000000  46 49 4c 45 30 00 03 00  e8 db 10 13 00 00 00 00  |FILE0...........|
00000010  01 00 01 00 38 00 01 00  a0 01 00 00 00 04 00 00  |....8...........|
00000020  00 00 00 00 00 00 00 00  06 00 00 00 00 00 00 00  |................|
00000030  e4 00 00 00 00 00 00 00  10 00 00 00 60 00 00 00  |............`...|
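To show what those first 64 bytes actually encode, here is a small parser for the fixed part of an NTFS MFT record header, run over the bytes transcribed from the hexdump above. This is an added example written for this writeup, not a tool from the challenge or from DiskInternals; the field offsets are the standard NTFS FILE record layout, and the sample buffer is constructed from the dump.

```python
import struct

# Constructed sample: the first 64 bytes of the challenge file, transcribed
# from the hexdump above (MFT record header + first attribute header).
SAMPLE = bytes.fromhex(
    "46494c4530000300e8db101300000000"
    "0100010038000100a001000000040000"
    "00000000000000000600000000000000"
    "e4000000000000001000000060000000"
)

# Fixed part of an NTFS MFT record header (offsets 0x00-0x29), little-endian.
RECORD_HEADER = struct.Struct("<4sHHQHHHHIIQH")

FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002

# Attribute type codes that matter when triaging a record like this one.
ATTR_TYPES = {
    0x10: "$STANDARD_INFORMATION",
    0x30: "$FILE_NAME",
    0x80: "$DATA",
    0x100: "$LOGGED_UTILITY_STREAM",  # carries the $EFS stream of EFS-encrypted files
}


def parse_mft_record(buf):
    """Decode the header of one FILE record and its first attribute header."""
    if buf[:4] != b"FILE":
        raise ValueError("not an MFT FILE record (missing FILE signature)")
    (_, usa_off, usa_count, lsn, seq, links, first_attr, flags,
     used, alloc, base_ref, next_id) = RECORD_HEADER.unpack_from(buf, 0)
    # The update sequence array at usa_off holds one USN plus the original last
    # word of each 512-byte sector; a full 1024-byte record needs those words
    # written back before parsing attributes. The 64-byte sample only has the USN.
    usn = struct.unpack_from("<H", buf, usa_off)[0]
    attr_type, attr_len = struct.unpack_from("<II", buf, first_attr)
    return {
        "lsn": lsn,
        "in_use": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "used_size": used,
        "allocated_size": alloc,
        "next_attr_id": next_id,
        "usn": usn,
        "first_attr": (ATTR_TYPES.get(attr_type, hex(attr_type)), attr_len),
    }


if __name__ == "__main__":
    for k, v in parse_mft_record(SAMPLE).items():
        print(f"{k:>15}: {v}")
```

The record is an in-use file (flags 0x0001) that uses 416 of its 1024 allocated bytes, and its first attribute at offset 0x38 is a 96-byte $STANDARD_INFORMATION; the attributes that would reveal EFS encryption ($FILE_NAME flags, $LOGGED_UTILITY_STREAM) lie beyond the bytes shown in the dump.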
We then looked for a tool that would let us interpret NTFS metadata, and http://www.diskinternals.com/ was the top result. After trying the first utility, DiskInternals Uneraser, we noticed that the fourth utility on the page is specifically for encrypted files!
We were able to browse the metadata as though it were a local file system and found the following:
Fortunately, heEYA.dat was the only file the EFS utility reported as encrypted, and its size was consistent with hidden data.
From there it was a simple matter of computing the MD5 of the file path:
$ md5sum -s 'C:\Documents and Settings\proneer\My Documents\Outlook Files\heEYA.dat'
MD5 ("C:\Documents and Settings\proneer\My Documents\Outlook Files\heEYA.dat") = 576e7a07fbdd660e171988b3e8e5bb21
$echo '576e7a07fbdd660e171988b3e8e5bb21' | tr '[a-z]' '[A-Z]'
576E7A07FBDD660E171988B3E8E5BB21
Key: 576E7A07FBDD660E171988B3E8E5BB21