Challenge Description
This file is a forensic file format which is generally used.
Check the information of the imaged DISK, find the GUIDs of every partition. Answer: strupr((part1_GUID) XOR (part2_GUID) XOR …)
Download : B704361ACF90390C17F6103DF4811E2D
The file seems to be an Expert Witness File (EWF), the container format EnCase uses for forensic images; the file header starts with the string EVF.
The file seems to be only the first 1 MB of a full forensic image. Because of all the missing data it cannot be processed by standard forensic tools such as EnCase and FTK, and parsing it with libewf did not work either.
The EWF file does contain multiple pieces of zlib-compressed data; all these streams start with the bytes 48 0D, which is a valid zlib header (deflate method, 4 KiB window).
Decompressing the header sections of the EVF file did not result in anything useful for the challenge, they only carry the acquisition metadata:
Header 1:
php -r 'echo gzuncompress("\x48\x0D\x33\xE4\xE5\xCA\x4D\xCC\xCC\xE3\xE5\x4A\xE6\xCC\xE3\x4C\xE4\x4C\xE5\x2C\xE1\x4C\x2C\xE3\xCC\x2F\xE3\xCC\xE5\x2C\xE5\x2C\xE0\xE5\x32\x34\x32\x30\x32\x34\x8F\x77\x75\xF6\xCF\x73\x01\x12\x9C\x84\xF8\x05\x45\xF9\x79\xA9\xA9\x45\x9C\x9C\x66\x7A\x86\x16\x7A\x86\x9C\xE1\x99\x79\x29\xF9\xE5\xC5\x0A\xE6\x9C\x46\x06\x86\x46\x0A\x46\x0A\x86\xE6\x0A\x06\x0A\xA6\xA6\x0A\x96\x98\x02\x06\xBC\x5C\xBC\x5C\x00\x0A\x08\x21\x06");'
1
main
c n a e t av ov m u p
120217_ECOnDECO 120217_ECOnDECO 120217_ECOnDECO proneer 6.18.1 Windows 7 2012 2 17 0 55 9 2012 2 17 0 55 9 0
Header 2:
php -r 'echo gzuncompress("\x48\x0D\xAD\x92\xC1\x4E\xC3\x30\x10\x44\xE7\xEA\x7C\x05\x3F\x00\x72\x28\xA2\xE4\x58\xB5\x88\x13\xE5\x10\x21\x24\x2E\x28\x24\x11\x44\x6A\x42\x21\x2D\xF0\xF5\xC0\xDB\x4D\x91\x90\x80\x53\x2A\x6B\xC7\x6B\x67\x3D\x3B\x1E\xE7\xF3\x63\xA2\x44\xAD\x0A\x35\xEA\xC8\x0A\x05\x95\x44\x47\xD4\xC4\x86\x68\x55\x81\xBD\xEF\xAD\xC8\x0A\xBD\x82\x4F\x8E\x2D\xD9\x96\x58\x7B\x34\x5E\x59\x39\x43\xAD\x77\x4E\x27\x4A\x75\xAC\x48\xA4\x9A\xEA\x4E\xE7\x9A\xEB\x0A\xA6\xC5\x2E\x0B\xA3\xBF\xAF\xF5\x82\x96\x0E\xB5\x35\x59\x60\xE4\x9A\xE9\x12\xBC\xD6\x52\x17\x3A\xD0\x09\x9D\x23\x73\xEE\x15\x0D\xD8\xFB\x2A\x47\x85\x55\x47\xAF\x5E\xA2\x68\xA6\x5B\xAF\x8D\xCA\x98\xB3\x5F\x5C\x41\xA7\x3A\x42\xF1\x99\x63\xD0\x8D\xBB\x56\xD1\xFF\xCD\x39\xA7\x9C\x48\x35\xE1\xB6\x19\x5D\x23\x1C\xD6\xD9\x78\xFE\xDE\x35\xB5\x81\x8A\x84\xD1\xA3\xBE\x44\x5B\xC2\xDA\xEA\x13\xF7\xD4\xDE\x61\x70\xB5\x76\xBF\x37\xBA\x67\x67\x45\x47\xF3\xDC\xB0\xD0\x23\xD8\x3B\x3E\xF8\x5B\x14\x7A\xDE\xB1\x18\xF3\xD0\xC3\xF0\x10\xD6\x6F\x8C\x74\x19\x33\x4C\xF5\x7E\xC7\x78\xC6\xC0\x6D\xCD\xC7\x2D\x1E\xFD\xE7\x62\xE7\x0E\x95\xEE\x9C\xB9\x35\xD4\xFD\xF4\x29\xE5\xDF\x18\xAF\xC5\x94\x7C\x01\xAA\xBF\x60\x84");'
3
main
a c n e t md sn l av ov m u p pid dc ext
120217_ECOnDECO 120217_ECOnDECO 120217_ECOnDECO proneer SAMSUNG 470 Series SSD S0MSNEAZ700979 SAMSUNG 6.18.1 Windows 7 1329407709 1329407709 0
srce
0 1
p n id ev tb lo po ah sh gu aq
0 0
-1 -1 00000000000000000000000000000000 0000000000000000000000000000000000000000 00000000000000000000000000000000
sub
0 1
p n id nu co gu
0 0
1 00000000000000000000000000000000
However, decompressing the next part (the sectors section) of the EVF file did result in something useful: it contains the beginning of the hard drive:
php -r '$f = fopen("zlibx", "r"); $c = fread($f, filesize("zlibx")); fclose($f); echo gzuncompress($c);' >> decompressed_disk_header
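To reproduce the stream hunting above without a hex editor, here is an added example (not part of the original writeup) that carves zlib streams out of a buffer by checking the two-byte CMF/FLG header and then decompressing each candidate with a streaming decompressor, so a stream cut off by the truncation still yields its leading bytes. The input is a constructed stand-in for the 1 MB fragment, not the challenge file.

```python
import zlib

def find_zlib_streams(buf, min_out=1):
    """Carve zlib streams from an arbitrary buffer such as a truncated EWF segment.
    A zlib header is two bytes (CMF, FLG): CMF low nibble 8 (deflate), CMF high
    nibble <= 7 (window up to 32 KiB) and (CMF*256 + FLG) % 31 == 0. The 48 0D
    header seen in this writeup is deflate with a 4 KiB window at the fastest level.
    A streaming decompressor is used so a stream cut off by the truncation still
    yields its leading bytes, reported with complete=False."""
    found, off = [], 0
    while off < len(buf) - 1:
        cmf, flg = buf[off], buf[off + 1]
        if (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and (cmf * 256 + flg) % 31 == 0:
            d = zlib.decompressobj()
            try:
                out = d.decompress(buf[off:])
            except zlib.error:
                out = b""  # header check passed by chance; not a real stream
            if len(out) >= min_out:
                consumed = len(buf) - off - len(d.unused_data)
                found.append({"offset": off, "consumed": consumed, "complete": d.eof, "data": out})
                off += max(consumed, 1)  # do not re-scan inside a stream already carved
                continue
        off += 1
    return found

def _deflate(data):
    # Constructed: zlib stream with a 4 KiB window at level 1, the 48 0D flavour.
    c = zlib.compressobj(1, zlib.DEFLATED, 12)
    return c.compress(data) + c.flush()

# Constructed stand-in for the 1 MB fragment: EWF signature, junk, a complete
# metadata stream, junk, then a sectors stream cut short like the real file.
HEADER_TEXT = b"1\nmain\nc\tn\ta\n120217_ECOnDECO\tproneer\t6.18.1\n"
SECTORS = bytes(510) + b"\x55\xAA" + b"EFI PART" + bytes(504) + bytes(range(256)) * 8
S1, S2 = _deflate(HEADER_TEXT), _deflate(SECTORS)
IMAGE = b"EVF\x09\x0d\x0a\xff\x00" + bytes(5) + S1 + bytes(16) + S2[:-7]
STREAMS = find_zlib_streams(IMAGE)
```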
This beginning of the hard drive contains the GPT partition table. After decompressing the zlib-compressed data we can analyze the table: the GPT header sits at LBA 1 (offset 0x200) and the partition entry array at LBA 2 (offset 0x400). The partition table, fully analyzed by hand:
00000200h: 45 46 49 20 50 41 52 54 ; EFI PART - 0 8 bytes Signature ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h)
00 00 01 00 ; .... - 8 4 bytes Revision (For GPT version 1.0 (through at least UEFI version 2.3.1), the value is 00h 00h 01h 00h)
5C 00 00 00 ; \... - 12 4 bytes Header size in little endian (in bytes, usually 5Ch 00h 00h 00h meaning 92 bytes)
00000210h: 16 88 44 50 ; .ˆDP - 16 4 bytes CRC32 of header (0 to header size), with this field zeroed during calculation
00 00 00 00 ; .... - 20 4 bytes Reserved; must be zero
01 00 00 00 00 00 00 00 ; ........ - 24 8 bytes Current LBA (location of this header copy)
00000220h: AF C2 E7 0E 00 00 00 00 ; ¯Âç..... - 32 8 bytes Backup LBA (location of the other header copy)
22 00 00 00 00 00 00 00 ; "....... - 40 8 bytes First usable LBA for partitions (primary partition table last LBA + 1, usually 34)
00000230h: 8E C2 E7 0E 00 00 00 00 ; ŽÂç..... - 48 8 bytes Last usable LBA (secondary partition table first LBA - 1, usually Disk-Size - 34)
E2 83 B4 33 56 08 73 4E ; ⃴3V.sN - 56 16 bytes Disk GUID (also referred as UUID on UNIXes)
00000240h: A8 C9 96 BC 37 64 81 69 ; ¨É–¼7d.i
02 00 00 00 00 00 00 00 ; ........ - 72 8 bytes Partition entries starting LBA (always 2 in primary copy)
00000250h: 80 00 00 00 ; €... - 80 4 bytes Number of partition entries
80 00 00 00 ; €... - 84 4 bytes Size of a partition entry (usually 128)
FC B9 1A E4 ; ü¹.ä - 88 4 bytes CRC32 of partition array
00 00 00 00 ; .... - 92 * Reserved; must be zeroes for the rest of the block (420 bytes for a 512-byte LBA)
00000260h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000270h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000280h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000290h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000002a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000002b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000002c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000002d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000002e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000002f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000300h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000310h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000320h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000330h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000340h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000350h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000360h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000370h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000380h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000390h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000003a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000003b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000003c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000003d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000003e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000003f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000400h: 28 73 2A C1 1F F8 D2 11 BA 4B 00 A0 C9 3E C9 3B ; (s*Á.øÒ.ºK. É>É; - 0 16 bytes Partition type GUID
00000410h: 2B 80 26 60 4D AD 05 47 B9 B1 BF 81 BD D2 CA C7 ; +€&`M.G¹±¿.½ÒÊÇ. - 16 16 bytes Unique partition GUID
00000420h: 28 00 00 00 00 00 00 00 ; (....... - 32 8 bytes First LBA (little-endian)
27 40 06 00 00 00 00 00 ; '@...... - 40 8 bytes Last LBA (inclusive, usually odd)
00000430h: 00 00 00 00 00 00 00 00 ; ........ - 48 8 bytes Attribute flags (e.g. bit 60 denotes read-only)
45 00 46 00 49 00 20 00 ; E.F.I. . - 56 72 bytes Partition name (36 UTF-16LE code units)
00000440h: 53 00 79 00 73 00 74 00 65 00 6D 00 20 00 50 00 ; S.y.s.t.e.m. .P.
00000450h: 61 00 72 00 74 00 69 00 74 00 69 00 6F 00 6E 00 ; a.r.t.i.t.i.o.n.
00000460h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000470h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000480h: 00 53 46 48 00 00 AA 11 AA 11 00 30 65 43 EC AC ; .SFH..ª.ª..0eCì¬ - 0 16 bytes Partition type GUID
00000490h: 99 96 F8 36 77 E0 E0 46 A7 FC D7 20 6E CE 9F 1C ; ™–ø6wààF§ü×.nΟ. - 16 16 bytes Unique partition GUID
000004a0h: 28 40 06 00 00 00 00 00 ; (@...... - 32 8 bytes First LBA (little-endian)
E7 F7 1E 08 00 00 00 00 ; ç÷...... - 40 8 bytes Last LBA (inclusive, usually odd)
000004b0h: 00 00 00 00 00 00 00 00 ; ........ - 48 8 bytes Attribute flags (e.g. bit 60 denotes read-only)
53 00 79 00 73 00 74 00 ; S.y.s.t. - 56 72 bytes Partition name (36 UTF-16LE code units)
000004c0h: 65 00 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 ; e.m.............
000004d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000004e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000004f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000500h: 74 6F 6F 42 00 00 AA 11 AA 11 00 30 65 43 EC AC ; tooB..ª.ª..0eCì¬ - 0 16 bytes Partition type GUID
00000510h: 69 BC D7 3B DC D8 E5 48 9C 44 FF 2A 0F 26 F1 CD ; i¼×;ÜØåHœDÿ*.&ñÍ - 16 16 bytes Unique partition GUID
00000520h: E8 F7 22 08 00 00 00 00 ; è÷"..... - 32 8 bytes First LBA (little-endian)
0F 57 36 08 00 00 00 00 ; .W6..... - 40 8 bytes Last LBA (inclusive, usually odd)
00000530h: 00 00 00 00 00 00 00 00 ; ........ - 48 8 bytes Attribute flags (e.g. bit 60 denotes read-only)
52 00 65 00 63 00 6F 00 ; R.e.c.o. - 56 72 bytes Partition name (36 UTF-16LE code units)
00000540h: 76 00 65 00 72 00 79 00 20 00 48 00 44 00 00 00 ; v.e.r.y. .H.D...
00000550h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000560h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000570h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000580h: 00 53 46 48 00 00 AA 11 AA 11 00 30 65 43 EC AC ; .SFH..ª.ª..0eCì¬ - 0 16 bytes Partition type GUID
00000590h: A7 CD 84 F3 94 F6 3A 4E AC E7 BF 40 EE 99 E5 51 ; §Í„ó”ö:N¬ç¿@î™åQ - 16 16 bytes Unique partition GUID
000005a0h: 10 57 36 08 00 00 00 00 ; .W6..... - 32 8 bytes First LBA (little-endian)
87 C2 E3 0E 00 00 00 00 ; ‡Âã..... - 40 8 bytes Last LBA (inclusive, usually odd)
000005b0h: 00 00 00 00 00 00 00 00 ; ........ - 48 8 bytes Attribute flags (e.g. bit 60 denotes read-only)
53 00 65 00 63 00 75 00 ; S.e.c.u. - 56 72 bytes Partition name (36 UTF-16LE code units)
000005c0h: 72 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 ; r.e.............
000005d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
The recovered unique partition GUIDs from this partition table, in raw on-disk byte order, are:
part1: 2B8026604DAD0547B9B1BF81BDD2CAC7
part2: 9996F83677E0E046A7FCD7206ECE9F1C
part3: 69BCD73BDCD8E5489C44FF2A0F26F1CD
part4: A7CD84F394F63A4EACE7BF40EE99E551
Code to generate the final answer (tr upper-cases the whole xxd output, including the ASCII column, which is why it reads |G..RC: instead of |g..rc:):
php -r '$a="\x2B\x80\x26\x60\x4D\xAD\x05\x47\xB9\xB1\xBF\x81\xBD\xD2\xCA\xC7"; $b="\x99\x96\xF8\x36\x77\xE0\xE0\x46\xA7\xFC\xD7\x20\x6E\xCE\x9F\x1C"; $c="\x69\xBC\xD7\x3B\xDC\xD8\xE5\x48\x9C\x44\xFF\x2A\x0F\x26\xF1\xCD"; $d="\xA7\xCD\x84\xF3\x94\xF6\x3A\x4E\xAC\xE7\xBF\x40\xEE\x99\xE5\x51"; echo $a^$b^$c^$d;' | xxd | tr '[:lower:]' '[:upper:]'
0000000: 7C67 8D9E 7263 3A07 2EEE 28CB 32A3 4147 |G..RC:...(.2.AG
Answer: 7C678D9E72633A072EEE28CB32A34147
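As an added example (not code from the writeup), the same analysis done programmatically: a small GPT parser over the header and entry bytes transcribed from the dump above, with the header CRC32 recomputed the way the GPT spec defines it, and the challenge's XOR done over the raw on-disk GUID bytes. The header and entry bytes are constructed from the dump (partition names re-encoded as UTF-16LE), so the parser runs offline.

```python
import struct, uuid, zlib
# Constructed sample transcribed from this writeup's dump: the 92-byte GPT header (LBA 1)
# and the 56-byte fixed prefix of each used entry (LBA 2); unused slots are zero as on disk.
GPT_HEADER = bytes.fromhex(
    "4546492050415254" "00000100" "5C000000" "16884450" "00000000"  # sig, rev, size, crc, rsv
    "0100000000000000" "AFC2E70E00000000" "2200000000000000"          # current, backup, first usable
    "8EC2E70E00000000" "E283B4335608734EA8C996BC37648169"             # last usable, disk GUID
    "0200000000000000" "80000000" "80000000" "FCB91AE4")               # entries LBA, count, size, crc
_USED = [  # type GUID | unique GUID | first LBA | last LBA | attributes, then the name
    ("28732AC11FF8D211BA4B00A0C93EC93B2B8026604DAD0547B9B1BF81BDD2CAC7"
     "280000000000000027400600000000000000000000000000", "EFI System Partition"),
    ("005346480000AA11AA1100306543ECAC9996F83677E0E046A7FCD7206ECE9F1C"
     "2840060000000000E7F71E08000000000000000000000000", "System"),
    ("746F6F420000AA11AA1100306543ECAC69BCD73BDCD8E5489C44FF2A0F26F1CD"
     "E8F72208000000000F573608000000000000000000000000", "Recovery HD"),
    ("005346480000AA11AA1100306543ECACA7CD84F394F63A4EACE7BF40EE99E551"
     "105736080000000087C2E30E000000000000000000000000", "Secure")]
PARTITION_ARRAY = b"".join(bytes.fromhex(h) + n.encode("utf-16-le").ljust(72, b"\0")
                           for h, n in _USED).ljust(128 * 128, b"\0")

def parse_gpt_header(buf):
    f = struct.unpack_from("<8sIIII4Q16sQIII", buf, 0)
    if f[0] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    zeroed = bytearray(buf[:f[2]])
    zeroed[16:20] = bytes(4)  # the header CRC32 is computed with its own field zeroed
    return {"header_size": f[2], "stored_crc": f[3], "computed_crc": zlib.crc32(bytes(zeroed)),
            "first_usable": f[7], "last_usable": f[8], "disk_guid": str(uuid.UUID(bytes_le=f[9])).upper(),
            "entries_lba": f[10], "n_entries": f[11], "entry_size": f[12]}

def parse_partitions(array, n_entries, entry_size):
    parts = []
    for i in range(n_entries):
        typ, uniq, first, last, attrs, name = struct.unpack_from("<16s16sQQQ72s", array, i * entry_size)
        if typ == bytes(16):  # an all-zero type GUID marks an unused slot
            continue
        # GUIDs are stored mixed-endian; uuid's bytes_le gives the usual display form
        parts.append({"type_guid": str(uuid.UUID(bytes_le=typ)).upper(), "unique_raw": uniq,
                      "unique_guid": str(uuid.UUID(bytes_le=uniq)).upper(), "first_lba": first,
                      "last_lba": last, "attributes": attrs, "name": name.decode("utf-16-le").rstrip("\0")})
    return parts

def xor_answer(parts):
    # The challenge XORs the unique GUIDs as raw on-disk bytes and upper-cases the hex (strupr).
    acc = bytes(16)
    for p in parts:
        acc = bytes(x ^ y for x, y in zip(acc, p["unique_raw"]))
    return acc.hex().upper()

HEADER = parse_gpt_header(GPT_HEADER)
PARTS = parse_partitions(PARTITION_ARRAY, HEADER["n_entries"], HEADER["entry_size"])
```

The byte swap of the display form is a fixed permutation, so XORing the display-form GUIDs gives the display form of the same result, a different string from the answer; the raw on-disk order is what the challenge expects.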