CODEGATE 2012 – Forensics 500

Challenge Description

This file is a forensic file format which is generally used.
Check the information of the imaged DISK, find the GUIDs of every partition.

Answer: strupr((part1_GUID) XOR (part2_GUID) XOR …)

Download : B704361ACF90390C17F6103DF4811E2D

The file seems to be an Expert Witness File (EWF), which is a container file for forensic images. The file header shows the string EVF.

The file seems to be 1 MB of a full forensic image. Because of all the missing information, this file cannot be processed by standard forensic tools such as EnCase and FTK. Parsing the file with libewf did not seem to work either.
The EWF file seems to contain multiple pieces of zlib-compressed data; all of these streams start with the bytes 48 0D.
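
One way to act on that observation when the container itself will not parse, as an added example (not code from the original write-up): scan the raw file for the 48 0D header and inflate from each hit, keeping streams that are cut off by the missing data. The function names and the sample blob are constructed for illustration and stand in for the challenge file.

```python
import zlib

ZLIB_MAGIC = bytes.fromhex("480d")  # CMF 0x48: deflate, 4 KiB window; FLG 0x0D

def carve_zlib_streams(blob, magic=ZLIB_MAGIC):
    """Return (offset, data, complete) for each zlib stream found in blob."""
    found, view = [], memoryview(blob)
    pos = blob.find(magic)
    while pos != -1:
        d = zlib.decompressobj()
        try:
            data = d.decompress(view[pos:])
        except zlib.error:
            data = b""  # the two bytes occurred by chance, not a stream
        if data:
            found.append((pos, data, d.eof))
        if data and d.eof:
            # Complete stream: resume after its Adler-32 trailer.
            pos = blob.find(magic, len(blob) - len(d.unused_data))
        else:
            # Chance hit or truncated stream: keep scanning byte by byte.
            pos = blob.find(magic, pos + 1)
    return found

def make_stream(payload):
    """Constructed test data: a zlib stream forced to start with 48 0D."""
    c = zlib.compressobj(1, zlib.DEFLATED, -12)  # raw deflate, 4 KiB window
    raw = c.compress(payload) + c.flush()
    return ZLIB_MAGIC + raw + zlib.adler32(payload).to_bytes(4, "big")

def build_sample():
    """Constructed stand-in for the partial image, not the challenge file."""
    first = b"constructed sector data A " * 8
    second = b"constructed sector data B " * 8
    blob = (b"EVF" + b"\x00" * 13 + make_stream(first) + b"\xff" * 8
            + make_stream(second)[:-4])  # last stream loses its trailer
    return blob, first, second

if __name__ == "__main__":
    blob, _, _ = build_sample()
    for offset, data, complete in carve_zlib_streams(blob):
        state = "complete" if complete else "truncated"
        print(f"0x{offset:06x}: {len(data)} bytes, {state}")
```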

